The obfuscation wasn't too bad in this case... Just a couple of tricks repeated
over and over.
I manually 'unwrapped' the layers of obfuscation, and ended up with some pretty
simple code.
For example:
c4239='do';
db749="coaujoimrggh".replace(/[oajirgh]+/g,"");
eaf76='ent.r';
f638e36f4="esgkfkusueduvrbo".replace(/[sgkudvbo]+/g,"");
gda746b57='rer';
a206c=eval(c4239+db749+eaf76+f638e36f4+gda746b57);
This is basically a set of strings containing extra characters that are
stripped out by the replace commands, then merged. This can be simplified to:
c4239='do';
db749="cum";
eaf76='ent.r';
f638e36f4="efer";
gda746b57='rer';
a206c=eval("document.referrer"); // "do"+"cum"+"ent.r"+"efer"+"rer"
-Dave
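The unwrapping Dave describes can be done statically, without ever running the script: parse the quoted-literal assignments, apply each junk-stripping replace() to the literal itself, and concatenate the operands of the eval() call to reveal what it would have executed. The following is an added example (not from this thread); the SAMPLE snippet is constructed to match the pattern in Dave's message, and resolveLayer() is a hypothetical helper name.

```javascript
// Constructed sample, shaped like the obfuscated fragment in the message above.
const SAMPLE = `
c4239='do';
db749="coaujoimrggh".replace(/[oajirgh]+/g,"");
eaf76='ent.r';
f638e36f4="esgkfkusueduvrbo".replace(/[sgkudvbo]+/g,"");
gda746b57='rer';
a206c=eval(c4239+db749+eaf76+f638e36f4+gda746b57);
`;

// Matches:  name = 'literal'   or   name = "literal".replace(/[chars]+/g,"")
const ASSIGN_RE = /^\s*([A-Za-z_$][\w$]*)\s*=\s*(['"])(.*?)\2(?:\.replace\(\/\[([^\]]+)\]\+\/g\s*,\s*(['"])\5\))?\s*;?\s*$/;
// Matches:  name = eval(a+b+c)
const EVAL_RE = /^\s*([A-Za-z_$][\w$]*)\s*=\s*eval\(([^)]*)\)\s*;?\s*$/;

// Resolve one layer of this string-building obfuscation. Returns the literal
// value of every variable and, for each eval() call, the code it would run.
// Nothing from the input is executed; the replace() is applied to a literal.
function resolveLayer(code) {
  const vars = Object.create(null);
  const evals = [];
  for (const line of code.split('\n')) {
    let m = ASSIGN_RE.exec(line);
    if (m) {
      let value = m[3];
      if (m[4] !== undefined) {
        // Strip the junk characters exactly as the script's own regex would.
        value = value.replace(new RegExp('[' + m[4] + ']+', 'g'), '');
      }
      vars[m[1]] = value;
      continue;
    }
    m = EVAL_RE.exec(line);
    if (m) {
      const resolved = m[2].split('+').map(p => {
        const name = p.trim();
        if (!(name in vars)) throw new Error('unresolved operand in eval(): ' + name);
        return vars[name];
      }).join('');
      evals.push({ target: m[1], code: resolved });
    }
  }
  return { vars, evals };
}

console.log(resolveLayer(SAMPLE).evals); // what eval() would have received
```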
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf
> Of David Shpritz
> Sent: Wednesday, December 02, 2009 12:44 PM
> To: PaulDotCom Security Weekly Mailing List
> Subject: Re: [Pauldotcom] phishing question
>
> Hey David,
> Would you mind telling us what method you used to deobfuscate the scripts?
> Usually I have done these
> by hand or used Malzilla, but I'm always looking for new methods. Thanks!
>
> David Shpritz
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]]
> On Behalf Of David Auclair
> Sent: Wednesday, December 02, 2009 9:45 AM
> To: PaulDotCom Security Weekly Mailing List
> Subject: Re: [Pauldotcom] phishing question
>
> It looks like the javascript on the page you mentioned leads to this page:
> hxxp://www . businessinabox . com . au/357/?go
>
> Which is full of more obfuscated javascript, which leads to sites such as:
> hxxp:// 62.204.113.141 /d=www.facebook.com/0x3E8/f=fb2/view/console=yes/
>
> Which seems to have 'you need to update your flash player' image, linking to
> setup.exe
>
> According to virustotal, the setup.exe contains koobface:
> http://www.virustotal.com/analisis/5e9ce9c41a8f46d5dfc4ce366f6f47cb347bcbaa93cd1fcb132a72f61bab14e1-1259705119
>
> -Dave
>
> > -----Original Message-----
> > From: [email protected]
> > [mailto:[email protected]] On Behalf
> > Of Chris Blazek
> > Sent: Wednesday, December 02, 2009 12:04 AM
> > To: PaulDotCom Security Weekly Mailing List
> > Subject: Re: [Pauldotcom] phishing question
> >
> > PJ,
> > Yeah, I had the user change all passwords from the email account to
> > fb. I had tried googling for that 1st part of the address, hoping
> > someone had posted something about it. That came up empty.
> > I tried to get malzilla to decode it, but I really have little
> > experience decoding JavaScript like that.
> > I'll try looking for deobfuscators to see if something else can decode
> > it.
> > Sorry for the typos in the original email. :)
> >
> > Thanks for the help!
> >
> > Chris
> >
> >
> >
> > On Dec 1, 2009, at 8:47 PM, PJ McGarvey <[email protected]> wrote:
> >
> > > Well, if you mean what does the obfuscated code do, there are a few
> > > sites I've used that can "de-obfuscate" code however sometimes all
> > > that can tell you is that "yeah, it's probably malicious". I would
> > > google for "javascript deobfuscate".
> > >
> > > You could submit the blogspot site to an online sandbox for
> > > analysis, like I just did:
> > >
> > > http://anubis.iseclab.org/?action=result&task_id=1c4a179271c4d4ee4f5b9820e431f7281&format=html
> > >
> > > and possibly find other URLs found in the de-obfuscated code to see
> > > what they do.... like this one
> > > http://1nonsensical.cn/?pid=312s02&sid=4db12f
> > >
> > > ... I've yet to find a .cn domain name I could trust. LOL.
> > >
> > > Follow down the rabbit hole...
> > >
> > > That way you can find out if the PC was infected, and how to clean
> > > it up.
> > >
> > > Otherwise it would seem like some sort of facebook worm that spreads
> > > using the FB address book. Was the user logged into Facebook at the
> > > time? Might be a good idea to change their password, sounds like it
> > > either used the active facebook session to send itself out, or maybe
> > > a cookie with the user's saved credentials.
> > >
> > > PJ
> > >
> > > From: [email protected]
> > > Date: Tue, 1 Dec 2009 14:54:36 -0600
> > > To: [email protected]
> > > Subject: [Pauldotcom] phishing question
> > >
> > > A coworker clicked on a link in an email and was directed to
> > > facebook then redirected to the following site:
> > > despatiesmercemerce . blogspot . com
> > > All of their fb contacts then received the same email. I pulled up
> > > the site in malzilla and noticed a script block in the header that
> > > looks like it's obfuscated.
> > >
> > > I was wondering if someone in the group could figure out what the
> > > site was trying to do.
> > >
> > > Thanks,
> > > Chris
> > >
> > >
> > > _______________________________________________
> > > Pauldotcom mailing list
> > > [email protected]
> > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > Main Web Site: http://pauldotcom.com