Help us to put this illegal site down
Quote:To: [email protected]
Subject: Malware & Copyright infringement
Domain: assault-cube.com

This site serves content that can install "hotbar", a known piece of malware. The site is not official and in no way represents assault.cubers.net (the official game site).

Below is indisputable proof that this site hosts malware, although it is not coded directly into the website itself but delivered through a separate JScript file.

A 200kb UPX packed malware file (AssaultCube.exe) has been stored in:
install.securewebsiteaccess.com/installer/zcdownload/1909f217a9cac614cd707eb7777a01dc8945a45aae188217a3d8eaf4c7535365a7e3ca720f85a9d6d32861c69ee7595d6b39a85da44055735fc80a46d24ef0b4a905bd2b93735d7344ee7236563f0daf20e95802a0f38922f9:18ce49458722f7416697ab2175c83697
Decrypted javascript code from
assault-cube.com/files/gpl_lp.js
================================
// Development-only console logger for the landing-page script.
var Err = (function () {
    var api = {};
    // Writes only when ENV.DEV_MODE is set and the window object has a
    // `console` property. The `toString` method itself is handed to
    // console.log uncalled, so the function reference is what gets printed.
    api.log = function (e) {
        if (!ENV.DEV_MODE) {
            return
        }
        if (!("console" in window)) {
            return
        }
        console.log(e.toString)
    };
    return api
})();
// Environment probe for the landing page. It fixes the base domain that the
// rest of the script uses to build its install and logging URLs, and exposes
// user-agent string checks for operating system and browser.
var ENV = (function () {
    // _2 is the dev-mode flag, _3 the base domain (exported below as
    // DEV_MODE and DOMAIN_NAME).
    var _2 = false,
        _3 = "securewebsiteaccess.com";
    // When the page is served from a host whose name contains "dev.mtl.dev",
    // the base domain becomes everything after the first dot of that host
    // name and dev mode is switched on.
    if (document.domain.indexOf("dev.mtl.dev") != -1) {
        _3 = document.domain.substring(document.domain.indexOf(".") + 1);
        _2 = true
    }
    // With an argument: true when the user agent contains "MSIE <argument>".
    // Without one: true for MSIE 6, 7 or 8.
    function isIE(_4) {
        if (_4) {
            return userAgentContains("MSIE " + _4)
        } else {
            return userAgentContains("MSIE 6") || userAgentContains("MSIE 7") ||

userAgentContains("MSIE 8")
        }
    }
    // True for user agents containing Firefox/1.5, Firefox/2. or Firefox/3.
    function isFF() {
        return userAgentContains("Firefox/1.5") || userAgentContains("Firefox/2.") ||

userAgentContains("Firefox/3.")
    }
    // The OS checks below match on "windows nt <version>" tokens in the user agent.
    function isWinXP() {
        return userAgentContains("windows nt 5.1") || userAgentContains("windows xp")
    }
    function isWinVista() {
        return userAgentContains("windows nt 6.0")
    }
    function isWin7() {
        return userAgentContains("windows nt 6.1")
    }
    function isWin2K3() {
        return userAgentContains("windows nt 5.2")
    }
    // Case-insensitive substring test against navigator.userAgent.
    function userAgentContains(t) {
        return navigator.userAgent.toLowerCase().indexOf(t.toLowerCase()) != -1
    }
    return {
        DEV_MODE: _2,
        DOMAIN_NAME: _3,
        isIE: isIE,
        isFF: isFF,
        // Any of the four Windows versions recognised above.
        isWindows: function () {
            return (isWinXP() || isWinVista() || isWin2K3() || isWin7())
        },
        // One of those Windows versions together with a recognised IE or Firefox.
        isTargetEnv: function () {
            return (isWinXP() || isWinVista() || isWin2K3() || isWin7()) && (isIE() || isFF())
        },
        // Message shown to visitors outside the supported configuration.
        // NOTE(review): the string literal below is split across several lines,
        // which is not valid JavaScript as printed; presumably this comes from
        // line wrapping when the listing was posted, not from the original file.
        error: "We're sorry, our content is not compatible with your computer configuration. To

access content, your computer must use Microsoft Windows XP or higher, with Microsoft Internet

Explorer 6 or higher, or Mozilla Firefox 3 or higher."
    }
})();
// General-purpose DOM helpers for the landing page: a DOM-ready flag,
// collection helpers, event binding, HTML and script injection, and a form
// POST helper.
var ZCUtils = (function () {
    // _6 becomes true once the document is considered ready.
    var _6 = false;
    if (document.addEventListener) {
        // Browsers with addEventListener: wait for DOMContentLoaded, then unhook.
        document.addEventListener("DOMContentLoaded", function () {
            document.removeEventListener("DOMContentLoaded", arguments.callee, false);
            _6 = true
        }, false)
    } else {
        if (document.attachEvent) {
            // attachEvent path: ready when readyState reaches "complete".
            document.attachEvent("onreadystatechange", function () {
                if (document.readyState === "complete") {
                    document.detachEvent("onreadystatechange", arguments.callee);
                    _6 = true
                }
            });
            // In a top-level window, also poll doScroll("left"): while it throws,
            // retry on the next timer tick; the first call that succeeds sets the flag.
            if (document.documentElement.doScroll && window == window.top) {
                (function () {
                    if (_6) {
                        return
                    }
                    try {
                        document.documentElement.doScroll("left")
                    } catch (error) {
                        setTimeout(arguments.callee, 0);
                        return
                    }
                    _6 = true
                })()
            }
        }
    }
    return {
        // Reports whether the ready flag has been set.
        domReady: function () {
            return _6
        },
        // Shallow-merges all arguments into a new container and returns it.
        // The container is an array when the first argument has a `length`,
        // otherwise a plain object. In array mode, arguments without a `length`
        // are skipped. Returns false when called with no arguments.
        merge: function () {
            if (!arguments.length) {
                return false
            }
            var _7 = (arguments[0].length == undefined ? {} : []);
            var _8 = (_7.length != undefined);
            for (var i = 0; i < arguments.length; i++) {
                var _a = arguments[i];
                if (_8) {
                    if (_a.length == undefined) {
                        continue
                    }
                    for (var j = 0; j < _a.length; j++) {
                        _7.push(_a[j])
                    }
                } else {
                    for (var e in _a) {
                        _7[e] = _a[e]
                    }
                }
            }
            return _7
        },
        // Iterates over _d (array-like when it has a `length`, otherwise by key)
        // and invokes _e for each entry; a callback result of false stops the loop.
        // With _f, the callback is applied with the entry as `this` and _f as its
        // argument list; without it, the callback receives (key or index, value).
        // Returns _d.
        each: function (_d, _e, _f) {
            var _10, i = 0,
                _12 = _d.length;
            if (_f) {
                if (_12 === undefined) {
                    for (_10 in _d) {
                        if (_e.apply(_d[_10], _f) === false) {
                            break
                        }
                    }
                } else {
                    for (; i < _12;) {
                        if (_e.apply(_d[i++], _f) === false) {
                            break
                        }
                    }
                }
            } else {
                if (_12 === undefined) {
                    for (_10 in _d) {
                        if (_e.call(_d[_10], _10, _d[_10]) === false) {
                            break
                        }
                    }
                } else {
                    // NOTE(review): as printed, the update expression reads `_d[+ +i]`,
                    // which never advances i. The original file presumably has `_d[++i]`
                    // and the operator was split by line wrapping in the posted listing.
                    for (var _13 = _d[0]; i < _12 && _e.call(_13, i, _13) !== false; _13 = _d[+

+i]) {}
                }
            }
            return _d
        },
        // Binds cb to event _15 on _14 via addEventListener or attachEvent.
        // Returns false when the target supports neither, true otherwise.
        attachEvent: function (_14, _15, cb) {
            if (_14.addEventListener) {
                _14.addEventListener(_15, cb, false)
            } else {
                if (_14.attachEvent) {
                    _14.attachEvent("on" + _15, cb)
                } else {
                    return false
                }
            }
            return true
        },
        // Inserts the markup string _17 into doc (default: the current document).
        // Before the ready flag is set it either writes the string with doc.write
        // (when _19 is truthy) or retries on the next timer tick. Afterwards it
        // parses the string through innerHTML on a detached SPAN and appends the
        // resulting nodes to the first BODY element. The markup is used as given;
        // nothing here escapes or filters it.
        insertHTML: function (_17, doc, _19) {
            if (!doc) {
                doc = document
            }
            if (!_6) {
                if (_19) {
                    doc.write(_17);
                    return
                } else {
                    setTimeout(function () {
                        ZCUtils.insertHTML(_17, doc)
                    }, 0);
                    return
                }
            }
            var _1a = doc.getElementsByTagName("BODY")[0];
            var _1b = doc.createElement("SPAN");
            _1b.innerHTML = _17;
            // NOTE(review): childNodes is normally a live list and appendChild moves
            // the node out of the SPAN, so this index loop probably skips every
            // other child; confirm in a browser before relying on it.
            for (var i = 0; i < _1b.childNodes.length; i++) {
                _1a.appendChild(_1b.childNodes[i])
            }
        },
        // Loads an external script by appending a <script> element to the first
        // HEAD element of the chosen document. _1d overrides the defaults in _1e.
        // Returns false when no url is given or when the call had to be deferred
        // because the ready flag is not yet set.
        loadScript: function (_1d) {
            var _1e = {
                url: false,
                loadValidator: function () {
                    return true
                },
                loadValidationInterval: 0,
                successCB: function () {
                    return true
                },
                errorCB: function () {
                    return false
                },
                timeout: 10000,
                document: document
            };
            _1d = this.merge(_1e, _1d);
            if (!_1d.url) {
                return false
            }
            if (!_6) {
                setTimeout(function () {
                    ZCUtils.loadScript(_1d)
                }, 0);
                return false
            }
            var _1f = _1d.document.createElement("script");
            _1f.src = _1d.url;
            _1d.document.getElementsByTagName("HEAD")[0].appendChild(_1f);
            // Poll loadValidator until it reports success or the counter passes
            // `timeout`. The counter grows by loadValidationInterval per tick, so
            // with the default interval of 0 it never exceeds the timeout.
            var _20 = 0;
            setTimeout(function () {
                if (_20 > _1d.timeout) {
                    return _1d.errorCB()
                }
                if (_1d.loadValidator()) {
                    return _1d.successCB()
                }
                _20 += _1d.loadValidationInterval;
                setTimeout(arguments.callee, _1d.loadValidationInterval)
            }, _1d.loadValidationInterval)
        },
        // Sends the key/value pairs of _22 to the URL `to` as a POST: builds a
        // form with one input per key, attaches it to the body, submits it and
        // removes it again.
        postCall: function (to, _22) {
            var _23 = document.createElement("form");
            _23.method = "post";
            _23.action = to;
            for (var k in _22) {
                var _25 = document.createElement("input");
                _25.setAttribute("name", k);
                _25.setAttribute("value", _22[k]);
                _23.appendChild(_25)
            }
            document.body.appendChild(_23);
            _23.submit();
            document.body.removeChild(_23)
        }
    }
})();
// Fallback for browsers without document.getElementsByClassName: walks every
// element and keeps those whose className matches the name between word
// boundaries. The name goes into the pattern unescaped.
if (!document.getElementsByClassName) {
    document.getElementsByClassName = function (cl) {
        var classPattern = new RegExp("\\b" + cl + "\\b");
        var candidates = this.getElementsByTagName("*");
        var matches = [];
        var idx = 0;
        while (idx < candidates.length) {
            var node = candidates[idx];
            if (classPattern.test(node.className)) {
                matches.push(node)
            }
            idx += 1
        }
        return matches
    }
}
// Fallback for browsers without Array.prototype.indexOf. The optional second
// argument is the start position; a negative start counts from the end.
if (!Array.prototype.indexOf) {
    Array.prototype.indexOf = function (elt) {
        var total = this.length;
        var start = Number(arguments[1]) || 0;
        if (start < 0) {
            start = Math.ceil(start)
        } else {
            start = Math.floor(start)
        }
        if (start < 0) {
            start += total
        }
        var pos = start;
        while (pos < total) {
            // `in` skips holes in sparse arrays before the strict comparison.
            if (pos in this && this[pos] === elt) {
                return pos
            }
            pos += 1
        }
        return -1
    }
}
// Beacon logger: reports an event by requesting a URL through an Image
// object, so the "log entry" is an outbound GET carrying the fields in its
// query string.
var Logger = (function () {
    // Appends every truthy, non-function field to the URL as key=escape(value),
    // starting with "?" unless the URL already contains one.
    function _getLoggingUrl(baseUrl, fields) {
        var joiner = (baseUrl.indexOf("?") == -1) ? "?" : "&";
        var result = baseUrl;
        for (var key in fields) {
            var val = fields[key];
            if (!val || typeof val == "function") {
                continue
            }
            result = result + joiner + key + "=" + escape(val);
            joiner = "&"
        }
        return result
    }
    // Fires the beacon. Unless the third argument is passed as a falsy value,
    // a failed load is retried exactly once. Always returns true.
    function log(url, fields, retry) {
        var beacon = new Image();
        var target = _getLoggingUrl(url, fields);
        var retryOnce = retry || typeof retry == "undefined";
        if (retryOnce) {
            beacon.onerror = function () {
                this.onerror = null;
                this.src = target
            }
        }
        beacon.src = target;
        return true
    }
    return {
        log: log
    }
})();
// Cookie helper around document.cookie: read, write and delete by name.
var ZCCookie = (function () {
    var DEFAULT_LIFETIME_SECONDS = 365 * 24 * 60 * 60;
    // Returns the unescaped value of the first match, or "" when none is found.
    // The pattern text contains plain "s*" (optional letter "s"), not a
    // whitespace class, and it is not anchored to the start of a cookie name.
    function read(name) {
        var finder = new RegExp(name + "s*=s*(.*?)(;|$)");
        var hit = document.cookie.toString().match(finder);
        return hit ? unescape(hit[1]) : ""
    }
    // Stores an escaped value on path "/". The lifetime is given in seconds and
    // defaults to 365 days. Always returns true.
    function write(name, value, lifetimeSeconds) {
        var seconds = lifetimeSeconds ? lifetimeSeconds : DEFAULT_LIFETIME_SECONDS;
        var expiry = new Date();
        expiry.setTime(expiry.getTime() + seconds * 1000);
        var cookieText = name + "=" + escape(value);
        cookieText += "; expires=" + expiry.toGMTString();
        cookieText += "; path=/";
        document.cookie = cookieText;
        return true
    }
    // Expires the cookie, but only when read() currently returns a value for it.
    function remove(name) {
        if (!read(name)) {
            return
        }
        document.cookie = name + "=" + ";expires=Thu, 01-Jan-1970 00:00:01 GMT;path=/"
    }
    return {
        read: read,
        write: write,
        remove: remove
    }
})();
// Query-string reader. Only `get` is exposed; each call parses the given
// string, or location.search when none is passed.
var QueryString = (function () {
    // Parses "a=1&b=2" into this.params. "+" is treated as a space. A field
    // that does not split into exactly one key and one value on "=" is stored
    // with its key as its value.
    function QueryString(qs) {
        this.params = {};
        var raw = (qs == null) ? location.search.substring(1, location.search.length) : qs;
        if (raw.length == 0) {
            return
        }
        var fields = raw.replace(/\+/g, " ").split("&");
        var idx = 0;
        while (idx < fields.length) {
            var parts = fields[idx].split("=");
            var key = decodeURIComponent(parts[0]);
            this.params[key] = (parts.length == 2) ? decodeURIComponent(parts[1]) : key;
            idx += 1
        }
    }
    // Returns the stored value, or the fallback when it is null or undefined.
    QueryString.prototype.get = function (name, fallback) {
        var found = this.params[name];
        if (found != null) {
            return found
        }
        return fallback
    };
    return {
        get: function (name, fallback, qs) {
            var parsed = new QueryString(qs);
            return parsed.get(name, fallback)
        }
    }
})();
// Landing-page controller. On load it sends one "impression" beacon; its
// click handler redirects Windows visitors to the installer download URL.
var ZCGPL = (function () {
    // Click handler for the download link.
    // On a Windows user agent it builds
    //   http://install.<ENV.DOMAIN_NAME>/installer/zcdownload/<zcFeedConfig.paramContent>?ld=1
    // adds v.op1/v.op2 when both tracking ids are present and ref when the page
    // URL carries one, then navigates there and returns false. On any other
    // platform it shows ENV.error and returns true.
    function onDownloadClick() {
        if (ENV.isWindows()) {
            var _1 = "http://install." + ENV.DOMAIN_NAME + "/installer/zcdownload/" +

zcFeedConfig["paramContent"];
            // Tracking ids: taken from the globals opcrid/opwaveid when defined,
            // otherwise from the cookies of the same names.
            var _2 = (typeof opcrid != "undefined" ? opcrid : ZCCookie.read("opcrid"));
            var _3 = (typeof opwaveid != "undefined" ? opwaveid : ZCCookie.read("opwaveid"));
            _1 += "?ld=1";
            if (_2 && _3) {
                _1 += "&v.op1=" + _2 + "&v.op2=" + _3
            }
            // `ref` comes from the page's own query string and is appended to the
            // download URL without re-encoding. The "undefined" string comparison
            // presumably covers unescape() stringifying a missing parameter.
            var _4 = unescape(QueryString.get("ref"));
            if (typeof _4 != "undefined" && _4 != "undefined" && _4 != "") {
                _1 += "&ref=" + _4
            }
            window.location = _1;
            return false
        } else {
            alert(ENV.error)
        }
        return true
    }
    // Sends a beacon to
    //   http://install.<ENV.DOMAIN_NAME>/log/zcsoftware/<_6>/<_5>
    // with the current timestamp as `nc` (presumably a cache buster). The third
    // argument to Logger.log is false, which leaves the retry handler unset.
    function log(_5, _6) {
        Logger.log("http://install." + ENV.DOMAIN_NAME + "/log/zcsoftware/" + _6 + "/" + _5, {
            "nc": (new Date().getTime())
        }, false)
    }
    // Runs as soon as the script is evaluated: every page view is reported as an
    // "impression" for zcFeedConfig["param"].
    log(zcFeedConfig["param"], "impression");
    return {
        "onDownloadClick": onDownloadClick
    }
})();
// Expose the controller as a global so the page can call ZCGPL.onDownloadClick.
window["ZCGPL"] = ZCGPL;

;)

PS - I'll analyze the 200kb file soon

Reply:
Hi there,

Thank you for this information. I will be sending this to our Security
Team for resolution.



Best regards,

Ken




=====================
Ken Murawski
Systems Administrator

Liquid Web, Inc.
www.liquidweb.com
[email protected]

800-580-4985 TollFree
517-322-0434 Int.
517-322-0493 Fax
=====================
Messages In This Thread
RE: Help us to put this illegal site down - by eynstyne - 31 Oct 10, 02:04AM