waugh

Slightly Obfuscated JavaScript Program


If anyone reading this has the time and inclination to decode an obfuscated JS program, you can "curl" it from http://upqwtqkzt.www1.biz/main.php (referenced in spam) (if it hasn't already been taken down or changed). It shouldn't be that hard to substitute for the eval something that will display the embedded code, if you know JavaScript and the DOM.

[edit] live link removed

Edited by Farelf


According to VirusTotal, McAfee-GW-Edition sees "Heuristic.BehavesLike.HTML.Suspicious.K" in that page (1 detection out of 42 analyses) but the site has not (yet) been picked up as dangerous by the usual rating sites. Googling "Heuristic.BehavesLike.HTML.Suspicious.K" certainly produces some worrisome results and we would be obliged NOT to have any spam payload URIs given live links here, especially suspect viral ones. Just averse, on general principles, to doing the spammers' work for them in promulgating the ruddy things in full working order to a wider audience.


...http://upqwtqkzt.www1.biz/main.php (referenced in spam) (if it hasn't already been taken down or changed). It shouldn't be that hard to substitute for the eval something that will display the embedded code, if you know JavaScript and the DOM....

I ran across a spam with a main.php evilness... I wrote a little snippet of C to decode it.

I got another layer of obfuscation.

It was rather intriguing.

I'll see if I can find the output...

. . . the site has not (yet) been picked up as dangerous by the usual rating sites.

Well, I think that if anyone wanted to submit it to said rating sites (which I won't take the time to do; sorry), they'd be standing on firm ground. I have not the slightest doubt that it is malware of some kind.


Well, I think that if anyone wanted to submit it to said rating sites (which I won't take the time to do; sorry), they'd be standing on firm ground. I have not the slightest doubt that it is malware of some kind.

Welp. It's an exploit of some kind. Here's a (slightly) de-obfuscated version of the code created by main.php...

document.write('<center><h1>Please wait page is loading...</h1></center><hr>');
[redacted]

Notice the function getShellCode. Seems to be targeting (surprise, surprise) Adobe apps.

Anyhoo. I found the slightly de-obfuscated version, and it is above.

This main.php is all over the place, btw. Just pasting it in here triggered an AntiVir alert.

Edited by Farelf

...This main.php is all over the place, btw. Just pasting it in here triggered an AntiVir alert.
Nice! Does that mean what you've posted can end up in members' internet caches and do similar next time their AV scan? Or that Safe Web and others will identify these forums as an exploit? I'm putting that stuff into a codebox anyway - not that it will make much difference but it takes up less vertical space.

Codebox not that easy for actual code - no line wrapping (so lines broken pretty-much at random), some letter combinations are converted to emoticons (so arbitrarily replaced) - code fairly-well trashed.

Nope, on reflection, I'm pulling it off entirely. Even in its "denatured" state it is too much of a liability. This is not a good venue for detailed examination of exploit code, no open forum is - it gets indexed by search engines, saved into archives, sets off alarms everywhere and makes it all too easy, should we make a habit of it, for really bad stuff to be slipped in by really bad people. Sorry. No code. Thanks for your efforts and assistance in dealing with another member's inquiry - we'll take your analysis on trust, without the evidence.


I did another partial de-obfuscation of another malware delivery vector. The result is still quite obfuscated and amounts to 15022 characters of JS. I don't know of any place to post my partial result in case anyone wants to take it further.


Perhaps those interested and capable can just send you a Personal Message Jack, and take it from there.

There are places that accept and pore over malware but I don't know their credentials or motives (I suppose if they're - partially - doing it in the public gaze they can't be totally feral).

Here's an appropriate forum in one such, you might find it informative to lurk there a bit and feel out the lay of the land (no, no, not that blonde celebrity heiress):

http://forum.tuts4you.com/forum/106-malicious-software-research/

I warmed to them a touch when I read their Admin's reaction to a call from "The Windows Support Center" in February 2011 (the www.support.me flavor - they're still in business), having myself suffered maybe 30 calls in perhaps 3 months from this (or similar) bunch of scammers-or-worse. Well, the latest lot of scammers ended up serenading me (it's a long story), so not entirely charmless. The tuts4you Admin should have persevered, obviously.

Steve

