Author Topic: What is suspicious about this script?  (Read 4260 times)

0 Members and 1 Guest are viewing this topic.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33517
  • malware fighter
What is suspicious about this script?
« on: April 01, 2010, 09:41:57 PM »
Hi malware fighters,

Found this link on a site: http://s.telemagazyn.pl/o/js/osnowa.js?811716  flagged by finjan,

polonus
« Last Edit: April 04, 2010, 11:46:35 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33517
  • malware fighter
Re: What is suspicious about this script?
« Reply #1 on: April 02, 2010, 08:11:16 PM »
Hi malware fighters,

What is suspicious here? Suspicious lookin' GET request containing %3C, %3E and %22, suspiciously HTML-like...?

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

bong2x

  • Guest
Re: What is suspicious about this script?
« Reply #2 on: April 02, 2010, 08:30:07 PM »
 ;D

suspicious, because it is file protection script ::)

its not yet finish ::)

where is the continuation ??? ::)

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33517
  • malware fighter
Re: What is suspicious about this script?
« Reply #3 on: April 02, 2010, 10:20:12 PM »
Hi bong2x,

I have added what the script decodes to as a txt file, and fed it to jsunpack and here are the results:

input upload suspicious

polonus
« Last Edit: April 04, 2010, 11:47:42 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

bong2x

  • Guest
Re: What is suspicious about this script?
« Reply #4 on: April 03, 2010, 04:41:03 PM »
Hi polonus!

thanks for the text file.

it is some kind of shell

redirect function to download adobe flash player 10

maybe its a script for loading net games.

and also gathering text format data

Regards!!!



Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33517
  • malware fighter
Re: What is suspicious about this script?
« Reply #5 on: April 04, 2010, 12:38:17 AM »
Hi bong2x,

Sometimes obfuscation is used for protection and is not malicious by nature perse. But as one finds big chunks of obfuscation in a particular manner it is good to suspect it of something else. Both ad launchers and malcreants try to hide their code from the observant, the browser knows exactly what to run. Blocking is the safest way to go, ABP, NoScript, RequestPolicy extensions in the Firefox or flock browser and it does not trouble you anymore,

polonus

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Sartigan

  • Guest
Re: What is suspicious about this script?
« Reply #6 on: April 10, 2010, 09:01:10 PM »
Hi malware fighters,

Found this link on a site: http://s.telemagazyn.pl/o/js/osnowa.js?811716  flagged by finjan,

polonus

What is suspicious, It's "Web Of Trust Rating" is a bit "untrusty"
http://www.mywot.com/en/scorecard/s.telemagazyn.pl
:P