
More On SQL Hacks And Javascript

OK, so now that I have my home machine I can dig into the anatomy of the uc8010[dot]com hack’s javascript.

First off, after a site has been infected, a web user who surfs to a hosted page on an unprotected system will have a JavaScript file, typically named “0.js”, executed, and a cookie set. That script then calls an iframe and another JavaScript file that (in the instance I tested) was called “w.js”. It is this file that has an “eval” function that launches the exploit.

This second file (w.js) would launch another iframe that would call a counter from cnzz[dot]com as well as calling a third javascript file called “007.js”.

Smart ass.

This last JavaScript file would create another iframe that would call a page from mywordmyspace[dot]cn. This would in turn return a script file that called another counter from a site called 51yes[dot]com.

The first counter, I presume, is there to announce to the hacker that a successful breach occurred, and the second to indicate that a payload was delivered.

This is by no means an exhaustive test. I’ve only started teasing it apart.
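For anyone hunting this in web proxy logs, here is an added example (not code from the original post) that groups requests by client and reports how far along the chain described above each one got. The "client url" log format, the scripts.example host and every URL path other than the three .js file names are assumptions made for the sample.

```python
from urllib.parse import urlparse

def refang(text):  # undo the post's defanged 'name[dot]tld' notation
    return text.replace("[dot]", ".")

# Chain order per the post; scripts match by file name (assumed: on any host).
STAGES = ["0.js", "w.js", "first counter", "007.js", "iframe page", "second counter"]
FILES = {"0.js": 0, "w.js": 1, "007.js": 3}
HOSTS = {refang("cnzz[dot]com"): 2, refang("mywordmyspace[dot]cn"): 4,
         refang("51yes[dot]com"): 5}

def stage_of(url):
    """Return the chain-stage index a URL matches, or None."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    filename = parts.path.rsplit("/", 1)[-1].lower()
    if filename in FILES:
        return FILES[filename]
    for domain, idx in HOSTS.items():
        if host == domain or host.endswith("." + domain):
            return idx
    return None

def chain_progress(log_lines):
    """Map each client to the chain stages it requested, in chain order."""
    seen = {}
    for line in log_lines:
        client, url = line.split(None, 1)
        idx = stage_of(url.strip())
        if idx is not None:
            seen.setdefault(client, set()).add(idx)
    return {c: [STAGES[i] for i in sorted(s)] for c, s in seen.items()}

def triage(stages):
    """A script stage plus a counter is the signal; either alone is weak."""
    if not set(stages) & {"0.js", "w.js", "007.js"}:
        return "weak match"
    if "second counter" in stages:
        return "full chain"
    return "exploit stage" if "first counter" in stages else "weak match"

# Constructed sample proxy log; hosts are written defanged and refanged on load.
SAMPLE_LOG = refang("""10.0.0.5 http://scripts.example/0.js
10.0.0.5 http://scripts.example/w.js
10.0.0.5 http://s.cnzz[dot]com/stat.php
10.0.0.5 http://scripts.example/007.js
10.0.0.5 http://mywordmyspace[dot]cn/index.htm
10.0.0.5 http://count.51yes[dot]com/click.js
10.0.0.7 http://intranet.example/js/0.js
10.0.0.8 http://s.cnzz[dot]com/stat.php""").splitlines()
```

Both counters are ordinary statistics services and "0.js" is a common file name, so a counter hit or a script name on its own is only a weak match; the combination is what marks a client for follow-up.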
