MSN Spreaded Malicious Website

Hi,

WARNING!!!!!

This post contains Malware linked URLs so pay attention, don’t game with these links!!!

Idiots Proof End

Hi,

Today moring I’ve received a link from an MSN Contact of mine, she was offline.

Code:
hxxp://checkdiz.info

at first analysis with Malzilla it reveals three other links

Code:
hxxp://checkdiz.info/indexx.php
hxxp://www.cpashield.com/abuse.html

hxxp://checkdiz.info/counter.php

indexx.php has a level of indirection to

Code:
hxxp://fileho5t.info/indexxx.php

counter.php leads to

Code:
hxxp://www.ipcounter.de/stats.php?u=50076309

and finally the most intersting cpashield.com/abuse.html contains obfuscated javascript code

Code:
<!--
jL0="0ucoc\\MIM",yU90="Iu\{\{\{\%\%ovf0N";0.1261199,nB73="0.7082915",yU90='\|\:T2B\ m\
(8\?\$\*b\]AyX\"aOVt\.Y\-\_1qx\\\{\[l\niZI4\r3\=\!7uHv5JsCKPj\;QgR\+\`foM6w\/F\>\'rpN\<D9\^S\,
\@\#dcWU\}\%LE\&nG0\~ekzh\)',jL0='\"u\>tc\`S\ \]I\_\&\{gholKDf\#LdkCXU\~\/z97y\'m\,\\8B\=\rRG\
|\.iE\+n\n\%FJ\;1b\[saV\-36\)Aw\$O\(\!H2MNZ\*eqvPW4r\@T5\:Y\<Qx0\^pj\}\?';function lW4(uO49){"
0u\%N\{\{I\{\\",l=uO49.length;'0k\+IBI\r0c',w='';while(l--)"0ucooc\;\{\{",o=jL0.indexOf(uO49.
charAt(l)),'\~k\)0\~cc\+YX0c',w=(o==-1?uO49.charAt(l):yU90.charAt(o))+w;"0uoN0M\%\{\{",jL0=jL0.
substring(1)+jL0.charAt(0),document.write(w);'0kZ\r\)Z\r\r\|'};lW4("2nW\(m\!L\`yD\<b\|Db\^\rJDi
DnW\(m\!L\$\)l8t\r8\]\]U\;mV\ P\-W\|S\^\<LdDyy\?9V\|\<WLm\-\<\`XPS\ \?9\(\^L\|\(\<\`VDyn\^\@\;V
\|\<WLm\-\<\`XSPS\ \?9P\-W\|S\^\<Ld\-\<W\-\<L\^\/LS\^\<\|\rXPS\;n\^L\>mS\^\-\|L\ KXSPS\ \?Ke\]x
x\?\@\;XSPS\ \?\;\@P\-W\|S\^\<Ld\-\<W\-\<L\^\/LS\^\<\|\r\<\^\)\`w\|\<WLm\-\<\ K\(\^L\|\(\<\`VDy
n\^K\?\;V\|\<WLm\-\<\`X\<PS\ \^\?9mV\ P\-W\|S\^\<LdyDo\^\(n\"\"\)m\<P\-\)dnmP\^\{D\(\?9mV\ \^d\
)\}mW\}R\rU\?\(\^L\|\(\<\`VDyn\^\;\@\@\;mV\ P\-W\|S\^\<LdyDo\^\(n\?9P\-W\|S\^\<LdWD\!L\|\(\^\:i
\^\<Ln\ \:i\^\<Ld3fr\*\:Mf4H\?\;P\-W\|S\^\<Ld\-\<S\-\|n\^P\-\)\<\rX\<PS\;\@\^yn\^9P\-W\|S\^\<Ld
\-\<S\-\|n\^\|\!\rX\<PS\;\@\;S1Ux\rtEN\=\;\{fGE\r6EN8\;V\|\<WLm\-\<\`XP\)n\ \?9\)m\<P\-\)dnLDL\
|n\`\r\`K\`K\;n\^L\>mS\^\-\|L\ KXP\)n\ \?KeUxx\?\;\@\;XP\)n\ \?\;mM\]N\r6xtU\;m48E\r\=8E8\;V\|\
<WLm\-\<\`XPPn\ \?9mV\ P\-W\|S\^\<LdDyy\?9P\-W\|S\^\<Ld\-\<n\^y\^WLnLD\(L\rV\|\<WLm\-\<\`\ \?9\
(\^L\|\(\<\`VDyn\^\@\;n\^L\>mS\^\-\|L\ KXPPn\ \?KeGxx\?\@\@\;XPPn\ \?\;b\+E\r8ENG\;mHUG\rNG\=G\
;jltt\rtEN6\;yMGx\r\=G\=6\;p1tN\r8\]G\]\;jfN8\r\]\]\]x\;\~kx\rUG\=\]\;\;XymW\^\<n\^PXL\-X\rKF\^
L\^\(\`\nDyyK\;2AnW\(m\!L\$")//-->

Which decoded became

Code:
wX42=4881;
if(document.all){
function _dm(){return false};
function _mdm(){
document.oncontextmenu=_dm;
setTimeout("_mdm()",800)};
_mdm();
}
document.oncontextmenu=new Function("return false");
function _ndm(e){
if(document.layers||window.sidebar){if(e.which!=1)return false;
 }
};
if(document.layers){
document.captureEvents(Event.MOUSEDOWN);
document.onmousedown=_ndm;
 }
else {
document.onmouseup=_ndm;
};
mQ10=2593;bO75=6594;
function _dws(){
window.status = " ";
setTimeout("_dws()",100);
};
_dws();
iD89=6021;
iW45=3454;
function _dds(){if(document.all){
document.onselectstart=function (){return false};
setTimeout("_dds()",700)}};_dds();
gJ5=4597;
iN17=9737;
zX22=2596;
lD70=3736;
kQ29=4878;
zO94=8880;
qY0=1738;
;_licensed_to_="Peter Call";

there is also another piece of obfuscated code

Code:
<script language="javascript">lW4("MGN\#\%tCJYS\?d\ \'SJ\@\`\:8\%SDXwwr\r\%wwNtNSKit6\:S\~k0St
\!fQ\n\,d\,3Qf\'wwY2DSD\?ddH\>wwAAAkA\rk3\!\[wtswz\?d\ \'\~wNtNwz\?d\ \'\~Xd\!fQ\n\,d\,3Qf\'kWd
WDO\=m\=mMGXXS\%\!pfdpWS3QSoH\!Sc\+qSc00\|SI\>c0\>0cSJ6SXXO\=m\=mM\?d\ \'O\=mSSSM\?pfWO\=mSSSSS
SMd\,d\'pO\=mSSSSSSSSS\=mSSSSSSMwd\,d\'pO\=mSSSSSSM\ pdfSQf\ pRDxY2Ysot\#sDS43QdpQdRDo\!f4\?Q3H\
?\,\'\,fS\+k\rDwO\=mSSSSSSM\ pdfSQf\ pRD\$\#s6ottYsDS43QdpQdRDo\!f4\?Q3H\?\,\'\,fS\+k\rDwO\=mSS
SMw\?pfWO\=m\=mSSSMg3WlSg\[43\'3\!RDP\-\-\-\-\-\-DSdpzdRDP000000DS\'\,QjRDP0000\-\-DSE\'\,QjRDP
I000I0DSf\'\,QjRDP\-\-0000DO\=m\=mSM4pQdp\!OMgOJ\'pf\npS\!pH3\!dSfQlS\np\!E\,4pSE\,3\'fd\,3Q\nS
d3\>SMoS\?\!p\-RD\ f\,\'d3\>fg\.\npv4Hf\n\?\,p\'Wk43\ DOfg\.\npv4Hf\n\?\,p\'Wk43\ MwgOMwfOMw4pQ
dp\!O\=m\=mSSSMwg3WlO\=mMw\?d\ \'O\=m")

Pay attention, this kind of accessing system could lead to severe Privacy Compromisal, it acts as Spam and could work as Data Miner.

See you to the next post.. 🙂

This entry was posted on Sunday, May 25th, 2008 at 7:29 am and is filed under (In)Security. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

8 Responses to MSN Spreaded Malicious Website

  1. Simone Paci says:
    May 25, 2008 at 12:33 pm

    How do i remove this?

    Reply
  2. evilcodecave says:
    May 25, 2008 at 12:48 pm

    Change MSN Password

    Reply
  3. bozho says:
    May 25, 2008 at 12:52 pm

    hm… what does it actually try to do?

    Reply
  4. evilcodecave says:
    May 25, 2008 at 1:07 pm

    I’ve not inspected deeply, but two hardened javascripts are not a good sign, I suspect that’s a Spam/DataMiner, but could have also other functionalities.

    Reply
  5. Soho says:
    May 25, 2008 at 6:28 pm

    Once msn password has been changed is there anything else that needs to be removed from the computer?

    Reply
  6. ZaiRoN says:
    May 26, 2008 at 9:58 pm

    I think the page was encrypted using CryptHtml XP. The first script decoded by evilcry is only used to disable some page features (i.e. mouse gestures).
    Second decoded script is:

    Pleasereport any service violations to: abuse@cpashield.com

    Nice post btw, it’s a nice finding evil 🙂

    Reply
  7. evilcodecave says:
    May 27, 2008 at 11:10 am

    Thank you for the Investigation Zai!, great to know what is doing the second JS 🙂

    @Soho: Yes, you only need to change Pwd

    Regards,
    Evilcry

    Reply
  8. Javascript code: to encrypt or not to encrypt « My infected computer says:
    May 29, 2008 at 9:42 am

    […] simple proof is given by a piece of code I found at EvilCry’s blog. The code I’m referring to […]

    Reply

Leave a comment