Author Topic: Is there ever an excuse for using this URL-encoding script?  (Read 2351 times)

0 Members and 1 Guest are viewing this topic.

Offline polonus

  • Avast √úberevangelist
  • Probably Bot
  • *****
  • Posts: 33980
  • malware fighter
Is there ever an excuse for using this URL-encoding script?
« on: December 31, 2011, 07:42:07 PM »
Hi forum friends,

For the example see my jsunpack link given further down. We see such an attack reported here at Wordpress dot org forums: http://wordpress.org/support/topic/website-is-being-redirected
Here the decoding of similar injected javascript is being discussed at stackoverflow dot com: http://stackoverflow.com/questions/3391623/decode-some-injected-javascript
user409021 on that link in his posting comes up with the proper decoding of the malcode.

See for the injected script input here: -http://jsunpack.jeek.org/?report=fffdca68ca4bbe507421f9f3519ef75551a7f23a
Go there only if security savvy, with script blocking active and inside a virtual environment.

What we have seen is an Adsense hijacking script that is redirecting visitors after 5-15 secs or right away to earn on fraudulent clicks. Good to know that avast webshield detects this as JS:Downloader-IR[Trj] and blocks the website or the file right away!

polonus
« Last Edit: December 31, 2011, 07:47:44 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: Is there ever an excuse for using this URL-encoding script?
« Reply #1 on: December 31, 2011, 08:00:01 PM »
Hi Polonus,

The Stackoverflow link you mention, I stumbled upon it as well.

The script you give at jsunpack, it appears to be only partial.
The script starts to define "a" as a variable, but there is no " at the end.
Variable "a" doesn't look like your normal JavaScript, if it even is JavaScript.
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: Is there ever an excuse for using this URL-encoding script?
« Reply #2 on: December 31, 2011, 08:02:45 PM »
What we have seen is an Adsense hijacking script that is redirecting visitors after 5-15 secs or right away to earn on fraudulent clicks. Good to know that avast webshield detects this as JS:Downloader-IR[Trj] and blocks the website or the file right away!
Like when someone clicks on a link that leads to this site that the provider 'gets money for each click', runs their coding, then redirects the user to the other site? ???
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

Offline polonus

  • Avast √úberevangelist
  • Probably Bot
  • *****
  • Posts: 33980
  • malware fighter
Re: Is there ever an excuse for using this URL-encoding script?
« Reply #3 on: January 01, 2012, 02:45:24 AM »
The culprit is in line 3 SyntaxError: unterminated string literal (attached 2): HTML decodes to JS as shown attached (attached 1) viewer code?

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!