Simple but effective obfuscation

[parody]

Found an exploit in my monitoring today for a customer. The exploit was CVE-2009-1141. The interesting part wasn't the multilayer encoders which malzilla decode fine but the fact that randomly placed in the raw file was NULL bytes. These null bytes stopped jsunpack, wepawet and malzilla from seeing anything.

Simple to fix with loading script into hexeditor, finding a character that wasn't present in the file and replacing 0x00 with 0x40 aka "@" and then using notepad++ remove the @'s and the scripts processed fine.

script is at hxxp://www.hao123.com.wwvv.us /images/css/jg.htm

http://www.virustotal.com/analisis/2a9b390fcb1082124e518aa5f49623451ad431b539ef9574dbdb2c28d3476ea7-1269862032

[MysteryFCM]

One of the reasons I wrote vURL to display the code "as is", rather than try and do anything with it

May want to pop a link to your finding, in the Malzilla thread so Bobby can fix it;

http://www.malwaredomainlist.com/forums/index.php?topic=218.0

I'll also drop Marco (Wepawet dev) and Blake (JSUnpack dev) an e-mail with a link to this, so they can fix them too.

[MysteryFCM]

JSUnpack has been fixed

http://jsunpack.jeek.org/dec/go?report=05ca73ff257bfe300e97d3cc8aa2007cd742e288

[parody]

Nice!