Re: udp and dst port 1026

From: Thomas Preissler (tomjohn_at_gmx.de)
Date: 12/03/03

    Date: Wed, 3 Dec 2003 13:19:38 +0100
    To: incidents@securityfocus.com
    
    

    Hello Bill,

    * Bill wrote on 02.12.2003:

    > Hi all,
    >
    > Using a sacrificial PC, I surfed over to the web site mentioned in Cedric's
    > packet dump, www.popadstop.com. The web page uses JavaScript to obfuscate
    > its contents, but invites users to download and install a free tool that
    > allegedly blocks pop-up spam <g>. I suspect that the user who downloads the
    > tool thereby obtains a Trojan that causes their system to begin sending
    > such invitations to others. I spent a few minutes trying to unobfuscate the
    > web page, but didn't yet entirely succeed in doing so.

    I decrypted it a little bit; these are the unescape-chars:

    s='';
    for (i=0;i<dddss.length;i++){
      a=l.indexOf(dddss.charAt(i));
      if (a==1) a=9;
      if (a==2) a=10;
      if (a==3) a=13;
      if (a==4) a=34;
      if (a<=31 & a>=14){
        off=s.length-(l.indexOf(dddss.charAt(++i))-36+90*(l.indexOf(dddss.charAt(++i))-35))-1;
        lp=off+a-14+4;
        s=s+s.substring(off,lp);
      }
      else { if (a>=41) a=a-1; s=s+l.charAt(a); }
    };
    document.write(s);

    I downloaded the index.html and replaced the "eval()" with
    "prompt()". Then I copied the JavaScript code that was shown.

    Hm, then I inserted that code instead of the "eval()". I got the
    really decrypted code, but how can I show it properly? Using
    "prompt()" is not a solution, that's too much code...

    By the way: The real code works with "write()" to write the
    HTML code on the page...

    Greets,
    Tom
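
Added example, not part of the original post and not code from the page being analysed: the loop quoted above rewritten as a pure function that returns the decoded text instead of calling `document.write()`, so a stage can be read without being executed. The names `ALPHABET`, `fromIndices` and `decodeStage` are hypothetical, and the alphabet is a constructed stand-in because the page's real `l` and `dddss` values are not shown in the post.

```javascript
// Constructed stand-in alphabet (the page's real `l` is not in the post):
// index i holds the character with code i, so every entry is unique.
const ALPHABET = Array.from({ length: 128 }, (_, i) => String.fromCharCode(i)).join('');

// Builds a constructed encoded sample from a list of alphabet indices.
const fromIndices = (idx) => idx.map((i) => ALPHABET.charAt(i)).join('');

// Same token rules as the quoted loop. Strictness is an added choice: the
// original silently tolerates bad input, this version throws so that a wrong
// alphabet or a damaged copy of the encoded string is noticed.
function decodeStage(encoded, alphabet = ALPHABET) {
  const indexAt = (pos) => {
    if (pos >= encoded.length) throw new RangeError(`truncated token at ${pos}`);
    const a = alphabet.indexOf(encoded.charAt(pos));
    if (a < 0) throw new RangeError(`character at ${pos} is not in the alphabet`);
    return a;
  };
  const REMAP = { 1: 9, 2: 10, 3: 13, 4: 34 }; // TAB, LF, CR, double quote
  let out = '';
  for (let i = 0; i < encoded.length; i++) {
    let a = indexAt(i);
    if (a in REMAP) a = REMAP[a];
    if (a >= 14 && a <= 31) {
      // Back-reference: the next two characters give the distance in base 90,
      // low digit first (the order in which the original evaluates ++i).
      const low = indexAt(++i) - 36;
      const high = indexAt(++i) - 35;
      const start = out.length - (low + 90 * high) - 1;
      const end = start + a - 14 + 4; // copy length is 4..21
      if (start < 0 || end > out.length) {
        throw new RangeError(`back-reference at ${i - 2} points outside the output`);
      }
      out += out.substring(start, end);
    } else {
      if (a >= 41) a -= 1; // literal: indices from 41 up are shifted by one
      out += alphabet.charAt(a);
    }
  }
  return out;
}
```

Write the returned string to a file or a text area for reading; it should not be handed back to `eval()` or `document.write()`.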
