What is suspicious about this script?

Hi malware fighters,

Found this link on a site: http://s.telemagazyn.pl/o/js/osnowa.js?811716 flagged by finjan,

polonus

Hi malware fighters,

What is suspicious here? Suspicious lookin’ GET request containing %3C, %3E and %22, suspiciously HTML-like…?

polonus
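As an added example that is not part of the original thread, the check described in the post above (a GET request whose query string carries %3C, %3E and %22) can be run over request lines like this. The log lines, paths and function names are constructed for illustration, and the sketch goes slightly beyond the post by also catching double encoding such as %253C.

```python
import re
from urllib.parse import urlsplit, unquote

MAX_DECODE_ROUNDS = 3      # enough to unwrap double encoding (%253C -> %3C -> <)
HTML_META = '<>"'          # sent on the wire as %3C, %3E and %22

# Constructed sample request lines (not taken from the thread).
SAMPLE_LOG = [
    "GET /o/js/example.js?811716 HTTP/1.1",
    "GET /search?q=%22tv+guide%22 HTTP/1.1",
    "GET /show?id=%3Cb%3E%22hi%22%3C%2Fb%3E HTTP/1.1",
    "GET /show?id=%253Cb%253Ehi HTTP/1.1",
    "POST /login HTTP/1.1",
]

def decode_fully(value):
    """Percent-decode repeatedly until the value stops changing."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def html_like_query(url):
    """Return the sorted HTML metacharacters present in the decoded query."""
    decoded = decode_fully(urlsplit(url).query)
    return sorted(ch for ch in HTML_META if ch in decoded)

def flag_requests(log_lines):
    """Return (url, found) for GET requests whose query looks like markup."""
    hits = []
    for line in log_lines:
        match = re.match(r"GET (\S+)", line)
        if not match:
            continue  # only GET requests are inspected here
        found = html_like_query(match.group(1))
        # A quoted search term alone is common; a pair of angle brackets
        # in a query string is what makes the request look HTML-like.
        if "<" in found and ">" in found:
            hits.append((match.group(1), found))
    return hits

if __name__ == "__main__":
    for url, found in flag_requests(SAMPLE_LOG):
        print("HTML-like query:", url, found)
```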

;D

Suspicious, because it is a file protection script :slight_smile:

It's not yet finished :slight_smile:

Where is the continuation??? :slight_smile:

Hi bong2x,

I have added what the script decodes to as a txt file, and fed it to jsunpack and here are the results:

input upload suspicious

polonus

Hi polonus!

Thanks for the text file.

It is some kind of shell

redirect function to download Adobe Flash Player 10

Maybe it's a script for loading net games.

and also gathering text format data

Regards!!!

Hi bong2x,

Sometimes obfuscation is used for protection and is not malicious by nature per se. But when one finds big chunks of obfuscation in a particular manner, it is good to suspect it of something else. Both ad launchers and malcreants try to hide their code from the observant; the browser knows exactly what to run. Blocking is the safest way to go: use the ABP, NoScript or RequestPolicy extensions in the Firefox or Flock browser and it does not trouble you anymore,

polonus

What is suspicious: its “Web Of Trust Rating” is a bit “untrusty”
http://www.mywot.com/en/scorecard/s.telemagazyn.pl
:stuck_out_tongue: