Hello and welcome to the Monday, April 13, 2006 edition of the Sands Inlet Storm Centers.

Stormcast, my name is Johannes Ulrich, record today from Stockholm, Germany.

And this episode is brought you by the sands.edu credit certificate program in penetration

testing and ethical hacking. Got two diaries today to talk about. First one is by Xavier,

Xavier did run into an interesting piece of JavaScript that ultimately dropped a forum book,

but had some interesting

obfuscation quirks. First of all, it did contain 11 megabytes of JavaScript. It was really

just not used. That JavaScript was ESMDB, which is a database of assembly commands, kind of

documentation essentially about these assembly commands

as a JavaScript file.

So really meaningless, nothing malicious whatsoever.

But then there is a little bit of less obfuscated JavaScript that will then just download

three PNG files.

Turns out these PNG files are not images in a classical sense,

but AS encrypted PowerShell scripts that will then download Formbook.

So that's the tag chain here in short.

If you want to look at more details, how to de-obuscate these scripts,

well, then check out Xavier's Great Diary.

And Jesse did a very nice and detailed analysis of the use of numbers in passwords being attempted against our honeypots.

Now, the hypothesis behind this was something along the lines of users often

selecting to add years like 2026 to their password. So maybe attackers are attempting

the same thing. And that's definitely true. So the most common digits are 0123, in part because of, well, 2.0 as in 20, is now

...