Deobfuscate exploit kits using Malzilla

promised:
It seems that pmswalker can deal with it automatically ;D

SysAdMini:
This article has been written by our member Ocean.

Blackhole deobfuscation with Malzilla
http://ocean.inseclab.org/2011/10/04/blackhole-deobfuscation-with-malzilla/

Securettyphreak:
Perhaps, I've stumbled upon another version:


--- Quote ---Start of obfuscation:
<html><body><script>
null+function(){
c='createCommen';
}();
aa=(document[c.concat('t')]+'qwe').substr(2,4);
a=[null,new Array(90,
101,
89,
--- End quote ---




--- Quote ---End of obfuscation:

if((aa=='ncti')||(aa=='ctio')||(aa=='unct')){w=String;}
md="a";
         c='';
         i=0;
         s=a[4-3];
         while(i!=s.length){
            c=c+w["f"+"r"+"omCharCo"+"d"+'e'](s[i] + 10);
            i++;
         }
            e=eval;
            e(c);
--- End quote ---

I've come close, but I'm missing something simple!

Any help would be greatly appreciated.

Thanks..

SysAdMini:

--- Quote from: Securettyphreak on December 20, 2011, 04:34:04 pm ---Perhaps, I've stumbled upon another version:

--- End quote ---

There are minor modifications almost daily.

In the version that you posted, I do it this way:

That is the start of the script.

--- Quote ---//<html><body><script>
//null+function(){
//c='createCommen';
//}();
//aa=(document[c.concat('t')]+'qwe').substr(2,4);
s=new Array(90,
--- End quote ---

Remove the closing square bracket.

--- Quote ---49);
--- End quote ---

End of the script.

--- Quote ---w=String;
md="a";
         c='';
         i=0;
//         s=a[4-3];
         while(i!=s.length){
            c=c+w["f"+"r"+"omCharCo"+"d"+'e'](s[i] + 10);
            i++;
         }
            e=eval;
            e(c);
   //   </script></body></html>
--- End quote ---
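
The decode step of the script quoted above (add the offset to each array element, convert with fromCharCode), done statically as an added example that is not part of the original thread: it reads the number array and the offset out of the script text and rebuilds the hidden layer without executing any of it. The function name, the regexes and the sample (built from a harmless string) are constructed for illustration.

```javascript
// Static decoder for the "new Array(...) + offset + fromCharCode" pattern.
// Nothing from the analysed script is executed; it is treated as text only.
function decodeCharArray(script) {
  // Collect every numeric Array literal; the longest one holds the payload.
  const arrays = [...script.matchAll(/new\s+Array\s*\(([\d\s,]+)\)/g)]
    .map(m => m[1].split(',').map(t => t.trim()).filter(t => t !== '').map(Number));
  if (arrays.length === 0) throw new Error('no numeric Array literal found');
  const codes = arrays.reduce((a, b) => (b.length > a.length ? b : a));

  // Offset as written in the decode loop, e.g. (s[i] + 10) or (s[i]-3).
  // The index is optional so a copy that lost "[i]" is still handled.
  const m = script.match(/\(\s*\w+(?:\[\s*\w+\s*\])?\s*([+-])\s*(\d+)\s*\)/);
  const offset = m ? (m[1] === '-' ? -1 : 1) * Number(m[2]) : 0;

  // map/join instead of spreading into fromCharCode: real arrays can be
  // tens of thousands of elements long and would exceed the argument limit.
  const decoded = codes.map(n => String.fromCharCode(n + offset)).join('');

  // URLs in the decoded layer are what usually ends up in the analysis notes.
  const urls = decoded.match(/https?:\/\/[^\s"'<>)]+/g) || [];
  return { offset, length: codes.length, decoded, urls };
}

// Constructed sample: a harmless string encoded the same way (char code - 10),
// wrapped in the same structure as the script quoted in the thread.
const PLAIN = 'document.title="constructed sample http://example.invalid/x";';
const SAMPLE = [
  'aa=(document[c.concat("t")]+"qwe").substr(2,4);',
  'a=[null,new Array(' +
    [...PLAIN].map(ch => ch.charCodeAt(0) - 10).join(',\n') + ')];',
  'w=String;c="";i=0;s=a[4-3];',
  'while(i!=s.length){c=c+w["f"+"r"+"omCharCo"+"d"+"e"](s[i] + 10);i++;}',
  'e=eval;e(c);',
].join('\n');

const result = decodeCharArray(SAMPLE);
console.log('offset :', result.offset);
console.log('decoded:', result.decoded);
console.log('urls   :', result.urls);
```
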
   

MysteryFCM:
Interestingly, I posted a few articles on my blog concerning this too (thought I'd posted them over here already);

Blackhole exploit: For those wondering, Part 4 - Now its Amazons turn
http://hphosts.blogspot.com/2011/12/blackhole-exploit-for-those-wondering_3980.html

Blackhole exploit: For those wondering, Part 3 - Fake Facebook e-mail
http://hphosts.blogspot.com/2011/12/blackhole-exploit-for-those-wondering_08.html

Blackhole exploit: For those wondering, Part 2
http://hphosts.blogspot.com/2011/12/blackhole-exploit-for-those-wondering_05.html

Blackhole exploit: For those wondering
http://hphosts.blogspot.com/2011/12/blackhole-exploit-for-those-wondering.html

Only posted the basics, so unless you're new to this, you'll already be familiar with everything I posted.
