MalZilla

[denmilu]

Hi MysteryFCM,

I think i need your help again, I have two files containing encrypted content, but this encrypt is not similar with some script i have seen, So can you show me how to decode them? And do you have any intruction if I use Firebug in this case?

I have attached 2 files bellow, and waiting your answer.

Thanks

[MysteryFCM]

The first is a standard Gumblar script and decodes just fine without modification, in Malzilla.

The second requires you modify the script a bit, so the div becomes a var (using the id= as the var name). In this case;

Code: [Select]

<div style="display:none" id="aots2010">60,105,102,114,97,109,101,32,115,114,99,61,34,104,116,116,112,58,47,47,119,119,119,46,106,112,99,101,114,116,46,111,114,46,106,112,34,32,115,116,121,108,101,61,34,100,105,115,112,108,97,121,58,110,111,110,101,59,34,32,119,105,100,116,104,61,34,48,34,32,104,101,105,103,104,116,61,34,48,34,62,60,47,105,102,114,97,109,101,62</div>
Becomes;

Code: [Select]

var aots2010 = "60,105,102,114,97,109,101,32,115,114,99,61,34,104,116,116,112,58,47,47,119,119,119,46,106,112,99,101,114,116,46,111,114,46,106,112,34,32,115,116,121,108,101,61,34,100,105,115,112,108,97,121,58,110,111,110,101,59,34,32,119,105,100,116,104,61,34,48,34,32,104,101,105,103,104,116,61,34,48,34,62,60,47,105,102,114,97,109,101,62";
You then just make the necessary removal in the unescape string;

Code: [Select]

var%20ww%20%3D%20document.getElementById%28%22aots2010%22%29.innerHTML
Becomes;

Code: [Select]

var%20ww%20%3D%20aots2010
I don't use Firebug I'm afraid, so can't help with that one.

[MysteryFCM]

I forgot to mention btw, the decoded result would be;

Code: [Select]

var ww = aots2010;var xx = ww.split(",");for (i=0; i<xx.length; i++){yy = String.fromCharCode(xx[i]);document.write(yy);}
You'd then need to throw this together with the first, so it becomes;

Code: [Select]

var aots2010 = "60,105,102,114,97,109,101,32,115,114,99,61,34,104,116,116,112,58,47,47,119,119,119,46,106,112,99,101,114,116,46,111,114,46,106,112,34,32,115,116,121,108,101,61,34,100,105,115,112,108,97,121,58,110,111,110,101,59,34,32,119,105,100,116,104,61,34,48,34,32,104,101,105,103,104,116,61,34,48,34,62,60,47,105,102,114,97,109,101,62";

var c = unescape('var%20ww%20%3D%20aots2010%3Bvar%20xx%20%3D%20ww.split%28%22%2C%22%29%3Bfor%20%28i%3D0%3B%20i%3Cxx.length%3B%20i++%29%7Byy%20%3D%20String.fromCharCode%28xx%5Bi%5D%29%3Bdocument.write%28yy%29%3B%7D');eval(c);
var ww = aots2010;var xx = ww.split(",");for (i=0; i<xx.length; i++){yy = String.fromCharCode(xx[i]);document.write(yy);}
Which decodes to;

Code: [Select]

var ww = aots2010;var xx = ww.split(",");for (i=0; i<xx.length; i++){yy = String.fromCharCode(xx[i]);document.write(yy);}<iframe src="http://www.jpcert.or.jp" style="display:none;" width="0" height="0"></iframe>

[denmilu]

Hi MysteryFCM,

Thanks for all of your helping, I was completed my lecture, and I think it was a success lecture. In my individual, I has learnt more about malware analysic and that will help me more on my work.
 
Best Regards,

Den.

[MysteryFCM]

My pleasure

[parody]

MysteryFCM pointed out I should link my thread to here as I've spotted something for a potential update to Malzilla. :]
 
http://www.malwaredomainlist.com/forums/index.php?topic=4006.0

Exploit obfuscating itself from automated analysis with NULLs scattered throughout the file.

[MysteryFCM]

Updated user agent file for anyone using this. Let me know if there's any others that should be added.