Help us to put this illegal site down
Yep. Here are more findings on why this site should be taken down immediately:
Indisputable evidence that it carries malware content.

It does indeed attempt to configure and install Hotbar, as coded in the obfuscated
gpl_lp.js file on their home site.

DO NOT ATTEMPT TO DOWNLOAD ANYTHING POSTED AS A LINK HERE!!!
If the download button is clicked, it will attempt to contact the address below and
write a log entry to it:

http://install.securewebsiteaccess.com/l...8e1cfab80a

MALWARE
install.securewebsiteaccess.com/installer/zcdownload/1909f217a9cac614cd707eb7777a01dc8945a45aae188217a3d8eaf4c7535365a7e3ca720f85a9d6d32861c69ee7595d6b39a85da44055735fc80a46d24ef0b4a905bd2b93735d7344ee7236563f0daf20e95802a0f38922f9:18ce49458722f7416697ab2175c83697

securewebsiteaccess.com does host malware. It will download AssaultCube.exe (200 kb) from http://origin-ics.hotbar.com
I will compile a report on that file very shortly.

Here is the code (thanks, JavaScript beautifier):
/**
 * Debug-only logger used by the landing-page script.
 * It writes to the console only when ENV.DEV_MODE is set and the window exposes a console.
 */
var Err = (function () {
    function log(e) {
        // Stay silent outside dev mode; window is not consulted in that case.
        if (!ENV.DEV_MODE) {
            return;
        }
        if (!("console" in window)) {
            return;
        }
        // As in the captured sample, the toString method itself (not its result) is logged.
        console.log(e.toString);
    }
    return { log: log };
})();
// Environment probe for the landing page. It picks the domain used to build the
// install/log URLs and exposes user-agent checks that gate the download on
// Windows (XP / Vista / 7 / Server 2003 tokens) running IE or Firefox.
var ENV = (function () {
    // _2: dev-mode flag (exported as DEV_MODE); _3: domain name (exported as DOMAIN_NAME).
    var _2 = false,
        _3 = "securewebsiteaccess.com";
    // When the page host contains "dev.mtl.dev", switch to dev mode and use the current
    // host minus its first label as the domain instead of the hard-coded production one.
    if (document.domain.indexOf("dev.mtl.dev") != -1) {
        _3 = document.domain.substring(document.domain.indexOf(".") + 1);
        _2 = true
    }
    // With an argument: matches that specific "MSIE <version>" token.
    // Without: matches MSIE 6, 7 or 8.
    function isIE(_4) {
        if (_4) {
            return userAgentContains("MSIE " + _4)
        } else {
            return userAgentContains("MSIE 6") || userAgentContains("MSIE 7") ||

userAgentContains("MSIE 8")
        }
    }
    // Matches Firefox 1.5, 2.x and 3.x user-agent tokens only.
    function isFF() {
        return userAgentContains("Firefox/1.5") || userAgentContains("Firefox/2.") ||

userAgentContains("Firefox/3.")
    }
    function isWinXP() {
        return userAgentContains("windows nt 5.1") || userAgentContains("windows xp")
    }
    function isWinVista() {
        return userAgentContains("windows nt 6.0")
    }
    function isWin7() {
        return userAgentContains("windows nt 6.1")
    }
    function isWin2K3() {
        return userAgentContains("windows nt 5.2")
    }
    // Case-insensitive substring test against navigator.userAgent. The user agent is
    // client-supplied, so these checks describe what the browser claims, nothing more.
    function userAgentContains(t) {
        return navigator.userAgent.toLowerCase().indexOf(t.toLowerCase()) != -1
    }
    return {
        DEV_MODE: _2,
        DOMAIN_NAME: _3,
        isIE: isIE,
        isFF: isFF,
        // True when any of the four Windows user-agent tokens above is present.
        isWindows: function () {
            return (isWinXP() || isWinVista() || isWin2K3() || isWin7())
        },
        // True only for a matching Windows token AND a matching IE/Firefox token.
        isTargetEnv: function () {
            return (isWinXP() || isWinVista() || isWin2K3() || isWin7()) && (isIE() || isFF())
        },
        // Text passed to alert() by ZCGPL.onDownloadClick when isWindows() is false.
        // NOTE(review): in this paste the string literal below is broken across lines by
        // blank lines, which is not valid JavaScript as shown. It looks like a line-wrap
        // artefact of the forum post rather than the served file — confirm against the original.
        error: "We're sorry, our content is not compatible with your computer configuration. To

access content, your computer must use Microsoft Windows XP or higher, with Microsoft Internet

Explorer 6 or higher, or Mozilla Firefox 3 or higher."
    }
})();
// General DOM helper object for the landing page: DOM-ready tracking, object/array
// merging, iteration, event hooking, HTML injection, script injection and form POST.
// Within this listing nothing outside ZCUtils itself calls these helpers.
var ZCUtils = (function () {
    // _6: set to true once the DOM is considered ready by one of the paths below.
    var _6 = false;
    if (document.addEventListener) {
        // Standards path: flip the flag on DOMContentLoaded, then unhook the handler.
        document.addEventListener("DOMContentLoaded", function () {
            document.removeEventListener("DOMContentLoaded", arguments.callee, false);
            _6 = true
        }, false)
    } else {
        if (document.attachEvent) {
            // attachEvent path: wait for readyState "complete".
            document.attachEvent("onreadystatechange", function () {
                if (document.readyState === "complete") {
                    document.detachEvent("onreadystatechange", arguments.callee);
                    _6 = true
                }
            });
            // Top-level window only: poll doScroll("left") until it stops throwing,
            // re-scheduling itself with setTimeout(…, 0) after every failure.
            if (document.documentElement.doScroll && window == window.top) {
                (function () {
                    if (_6) {
                        return
                    }
                    try {
                        document.documentElement.doScroll("left")
                    } catch (error) {
                        setTimeout(arguments.callee, 0);
                        return
                    }
                    _6 = true
                })()
            }
        }
    }
    return {
        // Returns the current DOM-ready flag.
        domReady: function () {
            return _6
        },
        // Merges all arguments into a new container and returns it (false when called with
        // no arguments). The first argument decides the mode: if it has a `length`, the
        // result is an array and elements of every length-bearing argument are appended;
        // otherwise the result is an object and for...in keys are copied, later arguments
        // overwriting earlier ones.
        merge: function () {
            if (!arguments.length) {
                return false
            }
            var _7 = (arguments[0].length == undefined ? {} : []);
            var _8 = (_7.length != undefined);
            for (var i = 0; i < arguments.length; i++) {
                var _a = arguments[i];
                if (_8) {
                    if (_a.length == undefined) {
                        continue
                    }
                    for (var j = 0; j < _a.length; j++) {
                        _7.push(_a[j])
                    }
                } else {
                    for (var e in _a) {
                        _7[e] = _a[e]
                    }
                }
            }
            return _7
        },
        // Iterates _d (object via for...in, or array-like via index) and invokes _e for each
        // entry; a callback returning exactly false stops the loop. With _f the callback is
        // applied with `this` = entry and _f as its argument list; without it the callback
        // is called with `this` = value and (key/index, value). Returns _d.
        each: function (_d, _e, _f) {
            var _10, i = 0,
                _12 = _d.length;
            if (_f) {
                if (_12 === undefined) {
                    for (_10 in _d) {
                        if (_e.apply(_d[_10], _f) === false) {
                            break
                        }
                    }
                } else {
                    for (; i < _12;) {
                        if (_e.apply(_d[i++], _f) === false) {
                            break
                        }
                    }
                }
            } else {
                if (_12 === undefined) {
                    for (_10 in _d) {
                        if (_e.call(_d[_10], _10, _d[_10]) === false) {
                            break
                        }
                    }
                } else {
                    // NOTE(review): the update expression below reads `_d[+ +i]` because the
                    // paste wrapped the line; as written, i never advances. It was presumably
                    // `_d[++i]` in the served file — confirm against the original.
                    for (var _13 = _d[0]; i < _12 && _e.call(_13, i, _13) !== false; _13 = _d[+

+i]) {}
                }
            }
            return _d
        },
        // Hooks cb to event _15 on _14 via addEventListener, else attachEvent("on" + name).
        // Returns true when a listener was registered, false when neither API exists.
        attachEvent: function (_14, _15, cb) {
            if (_14.addEventListener) {
                _14.addEventListener(_15, cb, false)
            } else {
                if (_14.attachEvent) {
                    _14.attachEvent("on" + _15, cb)
                } else {
                    return false
                }
            }
            return true
        },
        // Injects the markup string _17 into doc (default: document) without any filtering,
        // so whatever the string contains is parsed in the page's context.
        // Before DOM ready: document.write() when _19 is truthy, otherwise retry on the next
        // tick (the retry does not pass _19 along). After DOM ready: parse via innerHTML on a
        // detached SPAN and append its children to BODY.
        insertHTML: function (_17, doc, _19) {
            if (!doc) {
                doc = document
            }
            if (!_6) {
                if (_19) {
                    doc.write(_17);
                    return
                } else {
                    setTimeout(function () {
                        ZCUtils.insertHTML(_17, doc)
                    }, 0);
                    return
                }
            }
            var _1a = doc.getElementsByTagName("BODY")[0];
            var _1b = doc.createElement("SPAN");
            _1b.innerHTML = _17;
            // NOTE(review): childNodes is a live list and appendChild moves each node out of
            // the span, so this index loop likely skips every other node — confirm in a browser.
            for (var i = 0; i < _1b.childNodes.length; i++) {
                _1a.appendChild(_1b.childNodes[i])
            }
        },
        // Adds a <script> element whose src is the caller-supplied options.url to HEAD, i.e.
        // it pulls in and runs code from whatever URL it is given. Then polls
        // options.loadValidator() every loadValidationInterval ms and calls successCB once
        // it returns true. Returns false when no url is given or the DOM is not ready yet
        // (in the latter case the call is retried on the next tick).
        loadScript: function (_1d) {
            // Defaults, overridden by the caller's option object through merge().
            var _1e = {
                url: false,
                loadValidator: function () {
                    return true
                },
                loadValidationInterval: 0,
                successCB: function () {
                    return true
                },
                errorCB: function () {
                    return false
                },
                timeout: 10000,
                document: document
            };
            _1d = this.merge(_1e, _1d);
            if (!_1d.url) {
                return false
            }
            if (!_6) {
                setTimeout(function () {
                    ZCUtils.loadScript(_1d)
                }, 0);
                return false
            }
            var _1f = _1d.document.createElement("script");
            _1f.src = _1d.url;
            _1d.document.getElementsByTagName("HEAD")[0].appendChild(_1f);
            // _20: elapsed polling time. It grows only by loadValidationInterval, so with the
            // default interval of 0 the timeout/errorCB branch is never reached.
            var _20 = 0;
            setTimeout(function () {
                if (_20 > _1d.timeout) {
                    return _1d.errorCB()
                }
                if (_1d.loadValidator()) {
                    return _1d.successCB()
                }
                _20 += _1d.loadValidationInterval;
                setTimeout(arguments.callee, _1d.loadValidationInterval)
            }, _1d.loadValidationInterval)
        },
        // Builds a form with one input per for...in key of _22, submits it by POST to the
        // URL `to`, then removes the form from the document body again.
        postCall: function (to, _22) {
            var _23 = document.createElement("form");
            _23.method = "post";
            _23.action = to;
            for (var k in _22) {
                var _25 = document.createElement("input");
                _25.setAttribute("name", k);
                _25.setAttribute("value", _22[k]);
                _23.appendChild(_25)
            }
            document.body.appendChild(_23);
            _23.submit();
            document.body.removeChild(_23)
        }
    }
})();
// Fallback for browsers that lack a native document.getElementsByClassName.
if (!document.getElementsByClassName) {
    /**
     * Collect the descendant elements whose className matches `cl` on word boundaries.
     * `cl` is concatenated into the RegExp unescaped, so regex metacharacters in it are
     * interpreted as pattern syntax.
     * @param {string} cl class name to search for
     * @returns {Array} matching elements as a plain array, in getElementsByTagName("*") order
     */
    document.getElementsByClassName = function (cl) {
        var pattern = new RegExp("\\b" + cl + "\\b");
        var candidates = this.getElementsByTagName("*");
        var matches = [];
        var idx = 0;
        while (idx < candidates.length) {
            var node = candidates[idx];
            if (pattern.test(node.className)) {
                matches.push(node);
            }
            idx += 1;
        }
        return matches;
    };
}
// Fallback for engines whose arrays have no indexOf method.
if (!Array.prototype.indexOf) {
    /**
     * Find the first index holding `elt` (compared with ===).
     * An optional second argument gives the start index; a negative start counts back
     * from the end of the array.
     * @param {*} elt value to search for
     * @returns {number} index of the first match, or -1 when there is none
     */
    Array.prototype.indexOf = function (elt) {
        var total = this.length;
        var start = Number(arguments[1]) || 0;
        // Truncate toward zero first, then resolve a negative start relative to the end.
        start = (start < 0 ? Math.ceil : Math.floor)(start);
        if (start < 0) {
            start += total;
        }
        var pos = start;
        while (pos < total) {
            // `in` skips holes in sparse arrays.
            if (pos in this && this[pos] === elt) {
                return pos;
            }
            pos++;
        }
        return -1;
    };
}
/**
 * Image-beacon logger: a GET request is issued by assigning the logging URL to the src of
 * a freshly created Image object.
 */
var Logger = (function () {
    /**
     * Append every truthy, non-function entry of `params` to `baseUrl` as key=escape(value).
     * The first separator is "&" when the URL already contains "?", otherwise "?".
     */
    function _getLoggingUrl(baseUrl, params) {
        var lead = baseUrl.indexOf("?") != -1 ? "&" : "?";
        var pieces = [];
        for (var key in params) {
            var value = params[key];
            if (typeof value == "function" || !value) {
                continue;
            }
            pieces.push(key + "=" + escape(value));
        }
        if (pieces.length === 0) {
            return baseUrl;
        }
        return baseUrl + lead + pieces.join("&");
    }

    /**
     * Send one beacon.
     * @param {string} _1 base logging URL
     * @param {Object} _2 query parameters to append
     * @param {boolean} [_3] when truthy or omitted, the request is re-issued once on error
     * @returns {boolean} always true
     */
    function log(_1, _2, _3) {
        var beacon = new Image();
        var target = _getLoggingUrl(_1, _2);
        var wantsRetry = typeof _3 == "undefined" || Boolean(_3);
        if (wantsRetry) {
            beacon.onerror = function () {
                // Clear the handler first so the retry happens only once.
                this.onerror = null;
                this.src = target;
            };
        }
        beacon.src = target;
        return true;
    }

    return { log: log };
})();
/** Small cookie helper built on document.cookie: read, write and remove by name. */
var ZCCookie = (function () {
    /**
     * Return the unescaped value of the first cookie matching `_1`, or "" when none matches.
     * The name is concatenated into the RegExp unescaped. The pattern text is reproduced as
     * it appears in the listing: "s*" has no backslash, so it matches literal "s" characters
     * rather than whitespace.
     */
    function read(_1) {
        var finder = new RegExp(_1 + "s*=s*(.*?)(;|$)");
        var hit = finder.exec(document.cookie.toString());
        return hit ? unescape(hit[1]) : "";
    }

    /**
     * Store an escaped value under path "/".
     * @param {string} _5 cookie name
     * @param {*} _6 value, passed through escape()
     * @param {number} [_7] lifetime in seconds; a falsy value means 365 days
     * @returns {boolean} always true
     */
    function write(_5, _6, _7) {
        var seconds = _7 ? _7 : 365 * 24 * 60 * 60;
        var lifetimeMs = seconds * 1000;
        var expiry = new Date();
        expiry.setTime(expiry.getTime() + lifetimeMs);
        document.cookie = [
            _5 + "=" + escape(_6),
            "expires=" + expiry.toGMTString(),
            "path=/"
        ].join("; ");
        return true;
    }

    /** Expire the cookie, but only when read() currently returns a non-empty value for it. */
    function remove(_9) {
        if (!read(_9)) {
            return;
        }
        document.cookie = _9 + "=" + ";expires=Thu, 01-Jan-1970 00:00:01 GMT;path=/";
    }

    return {
        read: read,
        write: write,
        remove: remove
    };
})();
/** Query-string reader exposing a single get(name, fallback, qs) entry point. */
var QueryString = (function () {
    /**
     * Parse a query string into this.params.
     * @param {?string} qs raw query string without the leading "?"; when null or undefined,
     *                     location.search minus its first character is used
     */
    function QueryString(qs) {
        this.params = {};
        var raw = (qs == null) ? location.search.substring(1, location.search.length) : qs;
        if (raw.length == 0) {
            return;
        }
        // "+" is turned into a space before the pairs are split and URI-decoded.
        var pairs = raw.replace(/\+/g, " ").split("&");
        var pos = 0;
        while (pos < pairs.length) {
            var halves = pairs[pos].split("=");
            var key = decodeURIComponent(halves[0]);
            // Exactly two parts means key=value; any other count stores the key as its own value.
            this.params[key] = (halves.length == 2) ? decodeURIComponent(halves[1]) : key;
            pos += 1;
        }
    }

    /** Return the stored value for `_7`, or `_8` when it is null/undefined. */
    QueryString.prototype.get = function (_7, _8) {
        var found = this.params[_7];
        if (found != null) {
            return found;
        }
        return _8;
    };

    return {
        // Parses `qs` (or the page's own query string) afresh on every call.
        get: function (_a, _b, qs) {
            var parsed = new QueryString(qs);
            return parsed.get(_a, _b);
        }
    };
})();
// Landing-page controller. When the script loads it fires one "impression" beacon, and it
// exposes onDownloadClick, which redirects Windows visitors to the installer URL.
// Requests produced by this block (useful as network indicators when reviewing traffic):
//   http://install.<DOMAIN_NAME>/log/zcsoftware/impression/<zcFeedConfig.param>?nc=<timestamp>
//   http://install.<DOMAIN_NAME>/installer/zcdownload/<zcFeedConfig.paramContent>?ld=1[&v.op1=..&v.op2=..][&ref=..]
// zcFeedConfig, opcrid and opwaveid are not defined in this listing; presumably the hosting
// page sets them — confirm against the page source.
var ZCGPL = (function () {
    // Click handler for the download button.
    // Returns false after starting the redirect; returns true after showing the alert.
    function onDownloadClick() {
        // Only the Windows user-agent check gates the redirect; the browser is not checked here.
        if (ENV.isWindows()) {
            var _1 = "http://install." + ENV.DOMAIN_NAME + "/installer/zcdownload/" +

zcFeedConfig["paramContent"];
            // Two tracking IDs: a page-level global wins, otherwise the cookie of the same name.
            var _2 = (typeof opcrid != "undefined" ? opcrid : ZCCookie.read("opcrid"));
            var _3 = (typeof opwaveid != "undefined" ? opwaveid : ZCCookie.read("opwaveid"));
            _1 += "?ld=1";
            // The IDs are appended only when both are present, without URL-encoding.
            if (_2 && _3) {
                _1 += "&v.op1=" + _2 + "&v.op2=" + _3
            }
            // "ref" comes from the page's own query string. unescape(undefined) yields the
            // string "undefined", which is why that literal is filtered out below. The value
            // is appended to the URL without re-encoding.
            var _4 = unescape(QueryString.get("ref"));
            if (typeof _4 != "undefined" && _4 != "undefined" && _4 != "") {
                _1 += "&ref=" + _4
            }
            // Navigates the current window to the installer URL built above.
            window.location = _1;
            return false
        } else {
            alert(ENV.error)
        }
        return true
    }
    // Sends a beacon to /log/zcsoftware/<_6>/<_5> with a timestamp "nc" parameter; the
    // third argument (false) disables Logger's retry-on-error.
    function log(_5, _6) {
        Logger.log("http://install." + ENV.DOMAIN_NAME + "/log/zcsoftware/" + _6 + "/" + _5, {
            "nc": (new Date().getTime())
        }, false)
    }
    // Runs as soon as the script is evaluated: merely loading the page reports an impression.
    log(zcFeedConfig["param"], "impression");
    return {
        "onDownloadClick": onDownloadClick
    }
})();
// Publish the controller on window under the name "ZCGPL".
window["ZCGPL"] = ZCGPL;

Thankfully the script doesn't work if you click the download button. But this does look like they are planning something...
Messages In This Thread
RE: Help us to put this illegal site down - by eynstyne - 29 Oct 10, 07:14PM