תמוה URL ניתוב מחדש

I received a spam email that asked me to open an attached file, preferably "open with Internet Explorer," it said. Of course I can not resist, but I opened the file with a text editor. (You should never open suspicious email attachments. I do it because I am a daredevil.)

The attachment had JavaScript code that generated a redirection URL. If the URL to this Russian website were written in the clear, virus scanners could easily detect and block the email. במקום זאת, this URL was encoded into an array, כמו:

f=new Array(118,96,112,49,60,(snip), 125)

A modulus function operated on each element of this array and then formed the character:

s=s+r["fromCharCode"]((1*w[j]+j%3))

The modulus function allows the spammer to change the body of the email attachment without changing the URL, because the modulus operator will produce the same result for different inputs.

The simplest way to identify the URL is to execute the script in an online interpreter, which generated:

document.location="http://(snip).ru:8080/forum/links/column.php";}

As with many spam-loaded website, this domain was registered one day before I received the spam.

אזהרה: Do not open suspicious attachments or attempt to run a similar script in an actual web browser. You will only infect your computer.
October 26th, 2012 פורסם על ידי ג'ון Jaroker הגיש ב: מעלליו

היה הראשון להגיב. השאירו תגובה

כתובת הדוא"ל שלך לא תפורסם. שדות חובה מסומנים *