Detective story in the style of Java / JS

    Warning: at the time of writing, the site is still infected. Yes, it can infect your Windows machine through a hole in Java (maybe).

    Last night, while looking at the website of the Svyaznoy company, I found a Google warning there about the danger of infection. Of course I dismissed it and went to look at the source (do not do this!).
    At first glance there was nothing dangerous there. I had to dig deeper, and I found something interesting!


    The threat was hidden in jQuery (jquery.min.js): the following code had been neatly appended at the very end of the file (I really do not recommend executing it; there is an iframe in there!):

    (Code: pastebin.com/DSPzeDqd)

    After trimming the encoded text (deleting a few characters from the beginning of the “txt” variable), we get the working code, from which we find out what was hidden there.

    This is the “trojan” that Google saw. The iframe leads to a site with unmistakably Russian roots, “bul0va.***” (so you don’t curse me later: better not go there, there are trojans!).

    After a little analysis of this site’s source, it turned out that there is also a Java file. Rather than start parsing the JavaScript code, I went looking for a Java decompiler.
    The first thing I found was this application: http://java.decompiler.free.fr/.
    Everything worked. I got the source code of this jar file, complete with some interesting tricks aimed “against the too clever”.

    (Main class code: http://pastebin.ru/317047)

    Unfortunately, I could not work out what it does and how.
    I suggest you complete this little quest yourself and figure out how it infects an end-user machine.
