Discussion
I received an email from Linkedin yesterday and clicked....
Then realised the actual email came from eftdrcbz@mail2java.com and the link took me to this site bancoindia.in/wp-content/zoologically.php
Before I looked at the content I shut down my browser. Should I be worried I've got something nasty on my Mac now?
Tonsko said:
I just tried to download bancoindia.in/wp-content/zoologically.php and I got a 404. Did you type the URL correctly?
Yes. I actually copied your URL to the address field in Chrome and tried it!!! Goes to a Canadian pharmacy for Viagra so assume I'm not infested!!! It actually redirects to http://genericherbpurchase.ru/ which is Russian hosted.
It looks like a hacked wordpress site, where the 404 page has been tweaked with a bit of javascript at the bottom to redirect to the advertising site. Moderately clever way of doing it as none of the real users are likely to notice it since most people just test their own pages and not the error conditions.
The front page of the .ru site doesn't look like it contains any malware payloads.
^^ Yeh, I pushed it through a proxy, and there was a snippet of obfuscated javascript which does the redirection to the .ru site. There was an array of numbers, which the function then took 55 from before using the javascript to string converter and then parsing the string (which was the .ru hyperlink).
Tonsko said:
^^ Yeh, I pushed it through a proxy, and there was a snippet of obfuscated javascript which does the redirection to the .ru site. There was an array of numbers, which the function then took 55 from before using the javascript to string converter and then parsing the string (which was the .ru hyperlink).
Interesting - it's using php to generate variations of the obfuscated function. Grabbing it manually, the variable names change and the character offset also varies. Must be trying to avoid obvious detection methods.
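As an added illustration, not code posted in this thread: a small JavaScript decoder for the pattern Tonsko describes (integer array, fixed offset subtracted, then String.fromCharCode), so an analyst can read off where a fetched 404 page would redirect without running the script. The snippet it parses is constructed here with a placeholder URL, and the function names are my own.

```javascript
// Added example, not code from the thread: statically decode the obfuscated
// redirect pattern described above (integer array, constant offset
// subtracted, String.fromCharCode) without executing it. Variable names
// and the offset change between fetches, so only the structure is relied on.

// Constructed sample mimicking the described snippet; the target is a
// placeholder URL, not the one from the thread.
const SAMPLE_SNIPPET = `
var qzx=[159,171,171,167,113,102,102,156,175,152,164,167,163,156,101,154,166,164,102];
var out="";for(var i=0;i<qzx.length;i++){out+=String.fromCharCode(qzx[i]-55);}
window.location=out;`;

// Returns { offset, url } when the pattern is present and decodes to
// printable ASCII, otherwise null.
function decodeOffsetArray(snippet) {
  const arr = snippet.match(/\[\s*(\d+(?:\s*,\s*\d+)*)\s*\]/);
  const off = snippet.match(/fromCharCode\([^)]*?-\s*(\d+)\s*\)/);
  if (!arr || !off) return null;
  const offset = parseInt(off[1], 10);
  const codes = arr[1].split(',').map((s) => parseInt(s.trim(), 10) - offset);
  if (!codes.every((c) => c >= 32 && c <= 126)) return null;
  return { offset, url: String.fromCharCode(...codes) };
}

// Quick triage for a fetched 404 body: true when it both assigns
// window.location (or location.href) and rebuilds a string from char codes
// that decodes cleanly.
function looksLikeObfuscatedRedirect(body) {
  const setsLocation = /(?:window\.)?location(?:\.href)?\s*=/.test(body);
  const buildsString = /fromCharCode\s*\(/.test(body);
  return setsLocation && buildsString && decodeOffsetArray(body) !== null;
}

// Benign 404 page for comparison, also constructed.
const BENIGN_404 = '<html><body><h1>Not Found</h1></body></html>';

console.log(decodeOffsetArray(SAMPLE_SNIPPET));       // { offset: 55, url: 'http://example.com/' }
console.log(looksLikeObfuscatedRedirect(BENIGN_404)); // false
```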