Yep. More discoveries on why this site should be taken down immediately:
Indisputable evidence that proves malware content.
It will attempt to hand the visitor off to a Hotbar installer, as coded in the obfuscated gpl_lp.js on their home site (the de-obfuscated script is reproduced below). Note that the script itself only ever talks to install.securewebsiteaccess.com; the hotbar.com download described further down is what the installer does afterwards, not something this JavaScript fetches directly.
DO NOT ATTEMPT TO DOWNLOAD ANYTHING POSTED AS A LINK HERE!!!
Contrary to what I first assumed, the logging request fires as soon as the script loads (ZCGPL calls log(..., "impression") at definition time, via an Image GET beacon), not on click — so merely visiting the page reports an impression to the logging URL (truncated here):
http://install.securewebsiteaccess.com/l...8e1cfab80a
Clicking the download button then redirects the browser to the installer URL below:
MALWARE
install.securewebsiteaccess.com/installer/zcdownload/1909f217a9cac614cd707eb7777a01dc8945a45aae188217a3d8eaf4c7535365a7e3ca720f85a9d6d32861c69ee7595d6b39a85da44055735fc80a46d24ef0b4a905bd2b93735d7344ee7236563f0daf20e95802a0f38922f9:18ce49458722f7416697ab2175c83697
securewebsiteaccess.com does host malware: in my test the installer fetched from it went on to download AssaultCube.exe (about 200 KB) from http://origin-ics.hotbar.com. That second download comes from the installer, not from this script, which contains no reference to hotbar.com.
I will compile a report on that file very shortly
Here is the code: (thanks javascript beautifier)
Thankfully, in my test clicking the download button did nothing. Be aware that the handler only redirects when the user agent reports Windows XP/2003/Vista/7 (ENV.isWindows); on any other platform it just shows the ENV.error alert, so a non-Windows test machine will see nothing happen. Either way, the code shows exactly what it is built to do.
Indisputable evidence that proves malware content.
It will attempt to hand the visitor off to a Hotbar installer, as coded in the obfuscated gpl_lp.js on their home site (the de-obfuscated script is reproduced below). Note that the script itself only ever talks to install.securewebsiteaccess.com; the hotbar.com download described further down is what the installer does afterwards, not something this JavaScript fetches directly.
DO NOT ATTEMPT TO DOWNLOAD ANYTHING POSTED AS A LINK HERE!!!
Contrary to what I first assumed, the logging request fires as soon as the script loads (ZCGPL calls log(..., "impression") at definition time, via an Image GET beacon), not on click — so merely visiting the page reports an impression to the logging URL (truncated here):
http://install.securewebsiteaccess.com/l...8e1cfab80a
Clicking the download button then redirects the browser to the installer URL below:
MALWARE
install.securewebsiteaccess.com/installer/zcdownload/1909f217a9cac614cd707eb7777a01dc8945a45aae188217a3d8eaf4c7535365a7e3ca720f85a9d6d32861c69ee7595d6b39a85da44055735fc80a46d24ef0b4a905bd2b93735d7344ee7236563f0daf20e95802a0f38922f9:18ce49458722f7416697ab2175c83697
securewebsiteaccess.com does host malware: in my test the installer fetched from it went on to download AssaultCube.exe (about 200 KB) from http://origin-ics.hotbar.com. That second download comes from the installer, not from this script, which contains no reference to hotbar.com.
I will compile a report on that file very shortly
Here is the code: (thanks javascript beautifier)
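// Dev-only error logger: prints only when ENV.DEV_MODE is set and the window
// has a console, so nothing is emitted on the production domain.
// ENV is defined further down; `var` hoisting makes the name resolvable and it
// is only read when log() is actually called.
var Err = (function () {
  return {
    // Print `e` (an Error or any value) to the console in dev mode.
    // Returns nothing.
    log: function (e) {
      if (ENV.DEV_MODE && "console" in window) {
        // Fix: the original passed `e.toString` (the function object itself)
        // instead of calling it, so it printed the toString function rather
        // than the error text.
        console.log(String(e))
      }
    }
  }
})();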
// Environment detection shared by the rest of the script.
//   DEV_MODE / DOMAIN_NAME: when document.domain contains "dev.mtl.dev", the
//   domain is taken from document.domain (everything after its first dot) and
//   dev mode is switched on; otherwise the hard-coded production domain is used.
//   isIE / isFF / isWindows / isTargetEnv: plain case-insensitive substring
//   checks on navigator.userAgent — trivially spoofable, and only meaningful
//   for the old browser/OS versions listed below.
var ENV = (function () {
  var devMode = false;
  var domainName = "securewebsiteaccess.com";
  var host = document.domain;
  if (host.indexOf("dev.mtl.dev") !== -1) {
    domainName = host.substring(host.indexOf(".") + 1);
    devMode = true;
  }

  // Case-insensitive substring test against navigator.userAgent.
  function uaHas(needle) {
    var ua = navigator.userAgent.toLowerCase();
    return ua.indexOf(needle.toLowerCase()) !== -1;
  }

  // Internet Explorer: a specific version token when `version` is given,
  // otherwise IE 6, 7 or 8. Note that IE 9+ is NOT matched, despite the
  // "6 or higher" wording in the `error` string.
  function isIE(version) {
    if (version) {
      return uaHas("MSIE " + version);
    }
    return uaHas("MSIE 6") || uaHas("MSIE 7") || uaHas("MSIE 8");
  }

  // Firefox 1.5, 2.x or 3.x. The `error` string says "3 or higher", but 1.5
  // and 2.x are accepted here too, and 4+ is not.
  function isFF() {
    return uaHas("Firefox/1.5") || uaHas("Firefox/2.") || uaHas("Firefox/3.");
  }

  // Windows XP (NT 5.1 / "windows xp"), Vista (NT 6.0), Server 2003 (NT 5.2)
  // or Windows 7 (NT 6.1). Same tokens and check order as the original.
  var windowsTokens = [
    "windows nt 5.1", "windows xp",
    "windows nt 6.0",
    "windows nt 5.2",
    "windows nt 6.1"
  ];
  function isWindows() {
    for (var i = 0; i < windowsTokens.length; i++) {
      if (uaHas(windowsTokens[i])) {
        return true;
      }
    }
    return false;
  }

  return {
    DEV_MODE: devMode,
    DOMAIN_NAME: domainName,
    isIE: isIE,
    isFF: isFF,
    isWindows: isWindows,
    // Supported OS *and* supported browser.
    isTargetEnv: function () {
      return isWindows() && (isIE() || isFF());
    },
    // User-facing message shown by ZCGPL when the OS check fails.
    error: "We're sorry, our content is not compatible with your computer configuration. To access content, your computer must use Microsoft Windows XP or higher, with Microsoft Internet Explorer 6 or higher, or Mozilla Firefox 3 or higher."
  };
})();
// Small DOM/utility toolkit used by the installer page script. It tracks DOM
// readiness itself (DOMContentLoaded, or the legacy IE onreadystatechange +
// doScroll trick) so insertHTML/loadScript can defer until the document can
// be mutated.
//
// Capabilities worth noting when triaging this script:
//   - loadScript appends a <script src=url> to <head>: whatever URL is passed
//     in is fetched and executed with the page's privileges.
//   - insertHTML writes raw markup via innerHTML (or document.write before
//     the DOM is ready) — no sanitisation.
//   - postCall builds a hidden form and auto-submits it (a navigating POST).
var ZCUtils = (function () {
  var ready = false;

  if (document.addEventListener) {
    var onDomLoaded = function () {
      document.removeEventListener("DOMContentLoaded", onDomLoaded, false);
      ready = true;
    };
    document.addEventListener("DOMContentLoaded", onDomLoaded, false);
  } else if (document.attachEvent) {
    var onStateChange = function () {
      if (document.readyState === "complete") {
        document.detachEvent("onreadystatechange", onStateChange);
        ready = true;
      }
    };
    document.attachEvent("onreadystatechange", onStateChange);
    // Legacy IE: doScroll throws until the DOM is usable. Poll it, but only
    // in the top-level window (the trick misfires inside frames).
    if (document.documentElement.doScroll && window == window.top) {
      var pollScroll = function () {
        if (ready) {
          return;
        }
        try {
          document.documentElement.doScroll("left");
        } catch (err) {
          setTimeout(pollScroll, 0);
          return;
        }
        ready = true;
      };
      pollScroll();
    }
  }

  // Shallow-merge every argument into a fresh container. If the first
  // argument has a `length` the result is an array (arguments without a
  // length are skipped); otherwise it is an object and later keys win.
  // Returns false when called with no arguments.
  function merge() {
    if (!arguments.length) {
      return false;
    }
    var asArray = arguments[0].length != undefined;
    var out = asArray ? [] : {};
    for (var i = 0; i < arguments.length; i++) {
      var src = arguments[i];
      if (asArray) {
        if (src.length == undefined) {
          continue;
        }
        for (var j = 0; j < src.length; j++) {
          out.push(src[j]);
        }
      } else {
        for (var key in src) {
          out[key] = src[key];
        }
      }
    }
    return out;
  }

  // Iterate an array-like (anything with a `length`) or a plain object.
  // With `args`, the callback is applied to each element with `args` as its
  // argument list; without, it is called as cb(indexOrKey, value). In both
  // forms `this` is the current element. Returning false from the callback
  // stops the loop. Returns `obj`.
  function each(obj, cb, args) {
    var len = obj.length;
    var i;
    var key;
    if (args) {
      if (len === undefined) {
        for (key in obj) {
          if (cb.apply(obj[key], args) === false) {
            break;
          }
        }
      } else {
        for (i = 0; i < len; i++) {
          if (cb.apply(obj[i], args) === false) {
            break;
          }
        }
      }
    } else if (len === undefined) {
      for (key in obj) {
        if (cb.call(obj[key], key, obj[key]) === false) {
          break;
        }
      }
    } else {
      for (i = 0; i < len; i++) {
        if (cb.call(obj[i], i, obj[i]) === false) {
          break;
        }
      }
    }
    return obj;
  }

  // Register `cb` for event `type` on `target`, using addEventListener or
  // the IE attachEvent("on"+type) form. Returns false if neither exists.
  function attachEvent(target, type, cb) {
    if (target.addEventListener) {
      target.addEventListener(type, cb, false);
      return true;
    }
    if (target.attachEvent) {
      target.attachEvent("on" + type, cb);
      return true;
    }
    return false;
  }

  // Insert raw `html` at the end of <body> (of `doc`, default document).
  // Before the DOM is ready: with `useWrite` the markup is document.write()n
  // immediately, otherwise the call is retried on a 0ms timer (the retry
  // drops the useWrite flag, as in the original).
  function insertHTML(html, doc, useWrite) {
    if (!doc) {
      doc = document;
    }
    if (!ready) {
      if (useWrite) {
        doc.write(html);
      } else {
        setTimeout(function () {
          ZCUtils.insertHTML(html, doc);
        }, 0);
      }
      return;
    }
    var body = doc.getElementsByTagName("BODY")[0];
    var holder = doc.createElement("SPAN");
    holder.innerHTML = html;
    // Kept as in the original: childNodes is a live list and appendChild
    // moves each node out of `holder`, so this loop skips every other node.
    for (var i = 0; i < holder.childNodes.length; i++) {
      body.appendChild(holder.childNodes[i]);
    }
  }

  // Inject a remote script and poll `loadValidator` until it reports success.
  // Options (merged over the defaults below): url, loadValidator, successCB,
  // errorCB, loadValidationInterval (ms), timeout (ms), document.
  // Returns false when no url is given or the DOM is not ready yet (the call
  // is then retried on a 0ms timer); otherwise returns undefined.
  // Note: with the default loadValidationInterval of 0 the elapsed counter
  // never advances, so `timeout`/errorCB never fire.
  function loadScript(opts) {
    var defaults = {
      url: false,
      loadValidator: function () {
        return true;
      },
      loadValidationInterval: 0,
      successCB: function () {
        return true;
      },
      errorCB: function () {
        return false;
      },
      timeout: 10000,
      document: document
    };
    opts = this.merge(defaults, opts);
    if (!opts.url) {
      return false;
    }
    if (!ready) {
      setTimeout(function () {
        ZCUtils.loadScript(opts);
      }, 0);
      return false;
    }
    var tag = opts.document.createElement("script");
    tag.src = opts.url;
    opts.document.getElementsByTagName("HEAD")[0].appendChild(tag);
    var waited = 0;
    var poll = function () {
      if (waited > opts.timeout) {
        return opts.errorCB();
      }
      if (opts.loadValidator()) {
        return opts.successCB();
      }
      waited += opts.loadValidationInterval;
      setTimeout(poll, opts.loadValidationInterval);
    };
    setTimeout(poll, opts.loadValidationInterval);
  }

  // Navigate via a POST: build a form with one input per key of `fields`,
  // submit it, then remove it from the body. The browser leaves the page.
  function postCall(to, fields) {
    var form = document.createElement("form");
    form.method = "post";
    form.action = to;
    for (var name in fields) {
      var input = document.createElement("input");
      input.setAttribute("name", name);
      input.setAttribute("value", fields[name]);
      form.appendChild(input);
    }
    document.body.appendChild(form);
    form.submit();
    document.body.removeChild(form);
  }

  return {
    // True once the readiness detection above has fired.
    domReady: function () {
      return ready;
    },
    merge: merge,
    each: each,
    attachEvent: attachEvent,
    insertHTML: insertHTML,
    loadScript: loadScript,
    postCall: postCall
  };
})();
// Polyfill for browsers lacking document.getElementsByClassName: scan every
// element and match the class attribute with a word-boundary regex.
// The class name is dropped into the RegExp unescaped, so a caller-supplied
// name containing regex metacharacters changes the pattern.
if (!document.getElementsByClassName) {
  document.getElementsByClassName = function (cl) {
    var pattern = new RegExp("\\b" + cl + "\\b");
    var all = this.getElementsByTagName("*");
    var found = [];
    for (var i = 0; i < all.length; i++) {
      if (pattern.test(all[i].className)) {
        found.push(all[i]);
      }
    }
    return found;
  };
}
// Polyfill for Array.prototype.indexOf, only installed when the browser
// lacks it. Follows the ES5 algorithm: optional fromIndex (second argument),
// negative fromIndex counts from the end, holes are skipped, strict equality.
if (!Array.prototype.indexOf) {
  Array.prototype.indexOf = function (elt) {
    var len = this.length;
    var from = Number(arguments[1]) || 0;
    from = from < 0 ? Math.ceil(from) : Math.floor(from);
    if (from < 0) {
      from += len;
    }
    while (from < len) {
      if (from in this && this[from] === elt) {
        return from;
      }
      from++;
    }
    return -1;
  };
}
// Fire-and-forget beacon logger: the request is sent as a GET by assigning
// the URL to an Image's src, which bypasses XHR's same-origin restriction.
// Each enumerable property of the params object becomes a query parameter;
// function-valued and falsy values are dropped, and values are encoded with
// the legacy escape() (not encodeURIComponent).
var Logger = (function () {
  // Append `params` to `base` as a query string, using "&" as the first
  // separator when `base` already contains a "?".
  function buildUrl(base, params) {
    var sep = base.indexOf("?") === -1 ? "?" : "&";
    var url = base;
    for (var name in params) {
      var value = params[name];
      if (typeof value === "function" || !value) {
        continue;
      }
      url += sep + name + "=" + escape(value);
      sep = "&";
    }
    return url;
  }

  // Send the beacon. When `retry` is true or omitted, a load error triggers
  // exactly one re-request of the same URL. Always returns true; the caller
  // never learns whether the request reached the server.
  function log(base, params, retry) {
    var beacon = new Image();
    var url = buildUrl(base, params);
    if (retry || typeof retry === "undefined") {
      beacon.onerror = function () {
        this.onerror = null;
        this.src = url;
      };
    }
    beacon.src = url;
    return true;
  }

  return {
    log: log
  };
})();
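// Minimal document.cookie helpers. Values are stored with the legacy
// escape()/unescape() pair. Cookies are written with path=/ and no other
// attributes (no Secure, no SameSite — same as the original).
var ZCCookie = (function () {
  // Escape regex metacharacters so a cookie name is matched literally.
  function escapeRegExp(s) {
    return String(s).replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  }

  // Return the unescaped value of cookie `name`, or "" when it is absent.
  function read(name) {
    // Fixes: the original pattern was "s*=s*" — a literal letter "s", not
    // whitespace — so "name = value" never matched; and it was unanchored,
    // so a cookie whose name merely *ended* in `name` (e.g. "xopcrid") was
    // returned for "opcrid". The match now has to start at the beginning of
    // the cookie string or right after a ";" separator.
    var pattern = new RegExp("(?:^|;\\s*)" + escapeRegExp(name) + "\\s*=\\s*(.*?)(;|$)");
    var match = document.cookie.toString().match(pattern);
    return match ? unescape(match[1]) : "";
  }

  // Write cookie `name`=`value`, expiring after `seconds` (default: one year)
  // with path=/. Returns true.
  function write(name, value, seconds) {
    if (!seconds) {
      seconds = 365 * 24 * 60 * 60;
    }
    var expires = new Date();
    expires.setTime(expires.getTime() + seconds * 1000);
    document.cookie = name + "=" + escape(value) + "; expires=" + expires.toGMTString() + "; path=/";
    return true;
  }

  // Expire cookie `name` immediately, but only if it is currently set.
  function remove(name) {
    if (read(name)) {
      document.cookie = name + "=" + ";expires=Thu, 01-Jan-1970 00:00:01 GMT;path=/";
    }
  }

  return {
    read: read,
    write: write,
    remove: remove
  };
})();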
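// Query-string parser. Without an explicit string it parses location.search.
// "+" is treated as a space, keys and values are percent-decoded with
// decodeURIComponent (which throws URIError on malformed escapes — kept as
// in the original), and a bare key with no "=" maps to itself. Only a pair
// with exactly one "=" keeps its value; "k=v=w" also maps the key to itself.
var QueryString = (function () {
  function QueryString(qs) {
    this.params = {};
    if (qs == null) {
      qs = location.search.substring(1, location.search.length);
    }
    if (qs.length === 0) {
      return;
    }
    var pairs = qs.replace(/\+/g, " ").split("&");
    for (var i = 0; i < pairs.length; i++) {
      var parts = pairs[i].split("=");
      var key = decodeURIComponent(parts[0]);
      var value = parts.length === 2 ? decodeURIComponent(parts[1]) : key;
      this.params[key] = value;
    }
  }

  // Return the value for `name`, or `fallback` when it is absent or null.
  // Fix: only own properties count. The original `this.params[name]` lookup
  // also found inherited Object.prototype members, so asking for a name like
  // "constructor" that was never in the query string returned a function
  // instead of the fallback.
  QueryString.prototype.get = function (name, fallback) {
    if (!Object.prototype.hasOwnProperty.call(this.params, name)) {
      return fallback;
    }
    var value = this.params[name];
    return value != null ? value : fallback;
  };

  return {
    // One-shot lookup: parse `qs` (or location.search) and return `name`.
    get: function (name, fallback, qs) {
      return new QueryString(qs).get(name, fallback);
    }
  };
})();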
// Download-button handler and impression beacon for the install page.
// Reads the page-level globals zcFeedConfig ("param", "paramContent") and,
// if present, opcrid / opwaveid (otherwise cookies of the same names).
//
// Side effect at load time: immediately logs an "impression" to
//   http://install.<ENV.DOMAIN_NAME>/log/zcsoftware/impression/<param>
// via Logger (an Image GET with a cache-busting "nc" timestamp, no retry).
// So merely loading this script reports a visit.
//
// onDownloadClick: on a user agent reporting Windows XP/2003/Vista/7 it
// navigates the window to
//   http://install.<ENV.DOMAIN_NAME>/installer/zcdownload/<paramContent>?ld=1
// plus the campaign ids (v.op1/v.op2) and the page's `ref` query parameter.
// Any other platform only gets the ENV.error alert. Note that only the OS
// check is applied here — ENV.isTargetEnv (browser check) is not used.
var ZCGPL = (function () {
  function installHost() {
    return "http://install." + ENV.DOMAIN_NAME;
  }

  // Click handler: returns false (cancel the default action) after starting
  // the redirect, true when the platform check fails and an alert is shown.
  function onDownloadClick() {
    if (!ENV.isWindows()) {
      alert(ENV.error);
      return true;
    }
    var target = installHost() + "/installer/zcdownload/" + zcFeedConfig["paramContent"];
    var crid = typeof opcrid != "undefined" ? opcrid : ZCCookie.read("opcrid");
    var waveid = typeof opwaveid != "undefined" ? opwaveid : ZCCookie.read("opwaveid");
    target += "?ld=1";
    if (crid && waveid) {
      target += "&v.op1=" + crid + "&v.op2=" + waveid;
    }
    // `ref` is unescape()d and appended verbatim, not re-encoded, so a value
    // containing "&" or "#" alters the install URL's parameters.
    // unescape(undefined) yields the string "undefined", hence the string check.
    var ref = unescape(QueryString.get("ref"));
    if (typeof ref != "undefined" && ref != "undefined" && ref != "") {
      target += "&ref=" + ref;
    }
    window.location = target;
    return false;
  }

  // Beacon `kind`/`param` to the log endpoint; "nc" is a cache-buster.
  function log(param, kind) {
    Logger.log(installHost() + "/log/zcsoftware/" + kind + "/" + param, {
      "nc": (new Date().getTime())
    }, false);
  }

  log(zcFeedConfig["param"], "impression");

  return {
    "onDownloadClick": onDownloadClick
  };
})();
window["ZCGPL"] = ZCGPL;
Thankfully, in my test clicking the download button did nothing. Be aware that the handler only redirects when the user agent reports Windows XP/2003/Vista/7 (ENV.isWindows); on any other platform it just shows the ENV.error alert, so a non-Windows test machine will see nothing happen. Either way, the code shows exactly what it is built to do.