That section you unwrapped looks like it sets a location variable that is then used in the google friend connect stuff. I went looking through the script blocks and I'm not finding any reference to the businessinabox site. How did you get to that point? Just curious, trying to learn.
Chris

On Wed, Dec 2, 2009 at 1:01 PM, Chris Blazek <[email protected]> wrote:
> Thanks! The user sent me a snapshot of Symantec finding the Koobface
> infection. I found a McAfee article that mentions the worm on what David
> found: http://vil.nai.com/vil/content/v_148955.htm
>
> I was trying to use Malzilla to decode that script block but really didn't
> have much luck because of my experience with the app.
>
> Thanks for the help, great community!
>
> Chris
>
> On Wed, Dec 2, 2009 at 12:03 PM, David Auclair <[email protected]> wrote:
>
>> The obfuscation wasn't too bad in this case... Just a couple of tricks
>> repeated over and over.
>>
>> I manually 'unwrapped' the layers of obfuscation, and ended up with some
>> pretty simple code.
>>
>> For example:
>> c4239='do';
>> db749="coaujoimrggh".replace(/[oajirgh]+/g,"");
>> eaf76='ent.r';
>> f638e36f4="esgkfkusueduvrbo".replace(/[sgkudvbo]+/g,"");
>> gda746b57='rer';
>> a206c=eval(c4239+db749+eaf76+f638e36f4+gda746b57);
>>
>> This is basically a set of strings containing extra characters, that are
>> stripped out by the replace commands, then merged. This can be simplified
>> to:
>> c4239='do';
>> db749="cum";
>> eaf76='ent.r';
>> f638e36f4="efer";
>> gda746b57='rer';
>> a206c=eval("document.referrer");
>>
>> -Dave
>>
>> > -----Original Message-----
>> > From: [email protected] [mailto:[email protected]] On Behalf
>> > Of David Shpritz
>> > Sent: Wednesday, December 02, 2009 12:44 PM
>> > To: PaulDotCom Security Weekly Mailing List
>> > Subject: Re: [Pauldotcom] phishing question
>> >
>> > Hey David,
>> > Would you mind telling us what method you used to deobfuscate the
>> > scripts? Usually I have done these by hand or used Malzilla, but I'm
>> > always looking for new methods. Thanks!
>> >
>> > David Shpritz
>> >
>> > -----Original Message-----
>> > From: [email protected] [mailto:[email protected]]
>> > On Behalf Of David Auclair
>> > Sent: Wednesday, December 02, 2009 9:45 AM
>> > To: PaulDotCom Security Weekly Mailing List
>> > Subject: Re: [Pauldotcom] phishing question
>> >
>> > It looks like the JavaScript on the page you mentioned leads to this page:
>> > hxxp://www . businessinabox . com . au/357/?go
>> >
>> > Which is full of more obfuscated JavaScript, which leads to sites such as:
>> > hxxp:// 62.204.113.141 /d=www.facebook.com/0x3E8/f=fb2/view/console=yes/
>> >
>> > Which seems to have a 'you need to update your flash player' image,
>> > linking to setup.exe
>> >
>> > According to VirusTotal, the setup.exe contains Koobface:
>> > http://www.virustotal.com/analisis/5e9ce9c41a8f46d5dfc4ce366f6f47cb347bcbaa93cd1fcb132a72f61bab14e1-1259705119
>> >
>> > -Dave
>> >
>> > > -----Original Message-----
>> > > From: [email protected] [mailto:[email protected]] On Behalf
>> > > Of Chris Blazek
>> > > Sent: Wednesday, December 02, 2009 12:04 AM
>> > > To: PaulDotCom Security Weekly Mailing List
>> > > Subject: Re: [Pauldotcom] phishing question
>> > >
>> > > PJ,
>> > > Yeah, I had the user change all passwords from the email account to
>> > > FB. I had tried googling for that 1st part of the address, hoping
>> > > someone had posted something about it. That came up empty.
>> > > I tried to get Malzilla to decode it, but I really have little
>> > > experience decoding JavaScript like that.
>> > > I'll try looking for deobfuscators to see if something else can decode
>> > > it.
>> > > Sorry for the typos in the original email. :)
>> > >
>> > > Thanks for the help!
>> > >
>> > > Chris
>> > >
>> > > On Dec 1, 2009, at 8:47 PM, PJ McGarvey <[email protected]> wrote:
>> > >
>> > > > Well, if you mean what does the obfuscated code do, there are a few
>> > > > sites I've used that can "de-obfuscate" code; however, sometimes all
>> > > > that can tell you is that "yeah, it's probably malicious". I would
>> > > > google for "javascript deobfuscate".
>> > > >
>> > > > You could submit the blogspot site to an online sandbox for
>> > > > analysis, like I just did:
>> > > >
>> > > > http://anubis.iseclab.org/?action=result&task_id=1c4a179271c4d4ee4f5b9820e431f7281&format=html
>> > > >
>> > > > and possibly find other URLs found in the de-obfuscated code to see
>> > > > what they do.... like this one
>> > > > http://1nonsensical.cn/?pid=312s02&sid=4db12f
>> > > >
>> > > > ... I've yet to find a .cn domain name I could trust. LOL.
>> > > >
>> > > > Follow down the rabbit hole...
>> > > >
>> > > > That way you can find out if the PC was infected, and how to clean
>> > > > it up.
>> > > >
>> > > > Otherwise it would seem like some sort of Facebook worm that spreads
>> > > > using the FB address book. Was the user logged into Facebook at the
>> > > > time? Might be a good idea to change their password; sounds like it
>> > > > either used the active Facebook session to send itself out, or maybe
>> > > > a cookie with the user's saved credentials.
>> > > >
>> > > > PJ
>> > > >
>> > > > From: [email protected]
>> > > > Date: Tue, 1 Dec 2009 14:54:36 -0600
>> > > > To: [email protected]
>> > > > Subject: [Pauldotcom] phishing question
>> > > >
>> > > > A coworker clicked on a link in an email and was directed to
>> > > > Facebook, then redirected to the following site:
>> > > > despatiesmercemerce . blogspot . com
>> > > > All of their FB contacts then received the same email. I pulled up
>> > > > the site in Malzilla and noticed a script block in the header that
>> > > > looks like it's obfuscated.
>> > > >
>> > > > I was wondering if someone in the group could figure out what the
>> > > > site was trying to do.
>> > > >
>> > > > Thanks,
>> > > > Chris
>
> --
> http://www.kingbin.net/

--
http://www.kingbin.net/
Sent from Lubbock, TX, United States
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
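Added example (editor's code, not something posted to the list): the two tricks Dave unwrapped by hand can be mechanised, which is what Malzilla-style tools do under the hood. Step one is static: every `"junk".replace(/[chars]+/g,"")` is folded into the literal it produces, so the source reads like his simplified listing. Step two is dynamic: the folded script is executed with `eval` shadowed by a recorder, so the assembled payload string (`document.referrer` here) is captured rather than run. `SAMPLE` is the fragment quoted in the thread; the function names are my own, and the character-class handling assumes the plain `[abc]` classes this obfuscator used (no ranges or escapes).

```javascript
// Mechanised unwrapping of the replace/concat/eval pattern from the thread.
// Editor's example; not code from the mailing-list thread.

// Constructed input: the fragment Dave quoted, verbatim.
const SAMPLE = `
c4239='do';
db749="coaujoimrggh".replace(/[oajirgh]+/g,"");
eaf76='ent.r';
f638e36f4="esgkfkusueduvrbo".replace(/[sgkudvbo]+/g,"");
gda746b57='rer';
a206c=eval(c4239+db749+eaf76+f638e36f4+gda746b57);
`;

// Matches  "literal".replace(/[chars]+/g,"")  with either quote style.
// Group 1: quote, 2: literal body, 3: the character class (taken literally;
// ranges and escapes inside the class are not supported), 4: closing quote
// of the empty replacement string.
const STRIP_CALL =
  /(["'])((?:(?!\1)[^\\]|\\.)*)\1\.replace\(\/\[([^\]\\]+)\]\+\/g,\s*(["'])\4\)/g;

// Remove every character that appears in `chars` from `literal`.
function applyStrip(literal, chars) {
  const junk = new Set(chars);
  return Array.from(literal).filter((ch) => !junk.has(ch)).join('');
}

// Step 1 (static): fold replace() calls into the string they evaluate to.
// Loops so that chained calls ("x".replace(...).replace(...)) fold fully.
function foldReplaces(src) {
  let prev;
  do {
    prev = src;
    src = src.replace(STRIP_CALL, (_m, q, literal, chars) => q + applyStrip(literal, chars) + q);
  } while (src !== prev);
  return src;
}

// Step 2 (dynamic): run the script with eval replaced by a recorder.
// In sloppy-mode code a parameter may be named `eval`; every eval(...) in the
// body then resolves to that parameter, an ordinary function, so the call is
// not a direct eval and nothing in the payload string executes. Function()
// bodies are sloppy unless they contain "use strict" themselves.
// Caveat: undeclared assignments in the script (c4239=..., etc.) still become
// real globals in this process; run untrusted samples in a throwaway process.
function runWithHookedEval(src) {
  const captured = [];
  const recorder = (code) => {
    captured.push(String(code));
    return code; // hand the string back so the script's own assignment succeeds
  };
  const fn = new Function('eval', src);
  fn(recorder);
  return captured;
}

// Both steps together: the simplified source plus every string fed to eval.
function unwrap(src) {
  const folded = foldReplaces(src);
  return { folded, payloads: runWithHookedEval(folded) };
}

console.log(unwrap(SAMPLE));
```

Running the unfolded `SAMPLE` through `runWithHookedEval` alone gives the same payload, since the `replace` calls execute natively; the static fold is there so the intermediate listing can be read and diffed without executing anything. Real samples nest this layer several times (the captured string is itself another obfuscated script), so feed each captured payload back into `unwrap` until what comes out is plain code.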
