Author Topic: Obfuscating JS online!  (Read 3425 times)

polonus
Obfuscating JS online!
« on: December 29, 2008, 09:59:41 PM »
Hi malware fighters,

Interesting javascript obfuscating done here:
Here the example:
Code:
<script>
function recurse ( onClick="javascript:history.go(-1;" );
{
var x = 1;
recurse (onClick="javascript:history.go(-2)");
var x = 2
}
user_pref ( "javascript allow file_scr_from_non_file ", true UniversalPreferenceRead;
function captureClicks(onClick="javascript:history.go(-1;" ) {
Netscapesearching PrivilegeManager enablePrivilege(ÜniversalBrowserWrite");
enableExternalCapture(onClick="javascript:history.go(-2)");
captureEvents (Event.Click);
}
</script>
Now the obfuscation, and packed:
Code:
eval(function(p,a,c,k,e,r){e=function(c){return c.toString(a)};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('<6>7 8(3="0:4.5(-1;");{9 a=1;8(3="0:4.5(-2)");9 a=2}b("0 c d ",e f;7 g(3="0:4.5(-1;"){h i j(Ük");\nl(3="0:4.5(-2)");m(n.o)}</6>',25,25,'javascript|||onClick|history|go|script|function|recurse|var|x|user_pref|allow|file_scr_from_non_file|true|UniversalPreferenceRead|captureClicks|Netscapesearching|PrivilegeManager|enablePrivilege|niversalBrowserWrite|enableExternalCapture|captureEvents|Event|Click'.split('|'),0,{}))
Enjoy it here: http://dean.edwards.name/packer/

polonus
« Last Edit: December 29, 2008, 10:05:15 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
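
Added example (not part of polonus's post and not code from the packer project): packed output of this kind can be read without running it, because the wrapper only substitutes dictionary words back into the payload. The sample string and the function names `looksPacked`, `unpack`, `unescapeJs` and `encodeIndex` are constructed for illustration.

```javascript
// Static unpacker for Dean Edwards packer output; it never calls eval().

// Constructed sample in the packer's output shape (decoder body shortened, it is never run).
const SAMPLE = String.raw`eval(function(p,a,c,k,e,r){/* decoder */return p}('3 0(){1.2(\'4\')}',5,5,'hello|console|log|function|hi'.split('|'),0,{}))`;

// Argument list after the decoder function: ('payload',radix,count,'w0|w1|...'.split('|')
const PACKED_ARGS =
  /\}\('((?:[^'\\]|\\.)*)',\s*(\d+),\s*(\d+),\s*'((?:[^'\\]|\\.)*)'\.split\('\|'\)/;

// The fixed wrapper that makes packed scripts easy to recognise.
function looksPacked(src) {
  return /eval\(function\(p,a,c,k,e,[rd]\)/.test(src);
}

// Undo the escapes of a single-quoted JS string literal (\n, \', \\ ...).
function unescapeJs(s) {
  return s.replace(/\\(.)/g, (_, ch) => ({ n: '\n', r: '\r', t: '\t' }[ch] || ch));
}

// Same index encoding the packer uses: base `radix`, digits 0-9a-z, then A-Z up to 62.
function encodeIndex(i, radix) {
  const head = i < radix ? '' : encodeIndex(Math.floor(i / radix), radix);
  const d = i % radix;
  return head + (d > 35 ? String.fromCharCode(d + 29) : d.toString(36));
}

// Returns the unpacked source as text, or null if the input is not in packer format.
function unpack(src) {
  const m = PACKED_ARGS.exec(src);
  if (!m) return null;
  const payload = unescapeJs(m[1]);
  const radix = Number(m[2]);
  const count = Number(m[3]);
  const words = m[4].split('|');
  const table = new Map();
  for (let i = 0; i < count; i++) {
    const key = encodeIndex(i, radix);
    table.set(key, words[i] || key); // empty dictionary slot: token stands for itself
  }
  return payload.replace(/\b\w+\b/g, (tok) => (table.has(tok) ? table.get(tok) : tok));
}

console.log(looksPacked(SAMPLE), unpack(SAMPLE));
```

Passing the packed string from the post above to `unpack()` returns the example script with its whitespace stripped.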

DavidR
Re: Obfuscating JS online!
« Reply #1 on: December 30, 2008, 12:17:42 AM »
You have to take care when posting such scripts as it is entirely possible that avast might just detect it as the real deal. e.g. JS:Packer-?

I had this problem before when posting the javascript code that was causing an alert on it even when wrapped in the BBC Code tags. I tried all sorts to stop avast alerting (broken lines, etc.), but nothing worked; I had to remove it completely.

So when giving an example something I didn't think of at the time, breaking the script over two sets of code tags in the forums so it didn't alert, then or possibly in the future when some innocent visits this or other similar topic ;D
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.6.6121 (build 24.6.9241.848) UI 1.0.809/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

polonus
Re: Obfuscating JS online!
« Reply #2 on: December 30, 2008, 01:33:30 AM »
Hi DavidR,

No flags so far, here the DrWeb linkchecker scan for the site there,
Checking: http://dean.edwards.name/packer/
Engine version: 4.44.0.9170
File size: 4360 bytes

http://dean.edwards.name/packer/ - Ok

Checking: http://dean.edwards.name/packer/Words.js
File size: 1335 bytes

The script example is absolutely harmless (so is the other version below) as it can be used in a browser without much ado; the obfuscated script was checked by me with Script Sentry, verdict: NO PROBLEMS WERE FOUND, look: http://www.virustotal.com/analisis/4a1c6fce2cc125dde2e9d4f521867ff4

polonus
« Last Edit: December 30, 2008, 01:52:47 AM by polonus »

DavidR
Re: Obfuscating JS online!
« Reply #3 on: December 30, 2008, 02:46:21 AM »
I doubt you will get flags for the site, my concerns are for posting the obfuscated/packed script content in the forums as that could trigger the JS:Packed detection as you know it is quite sensitive in the obfuscating of code which under normal circumstances would be plain language.

So I would say that malware signature is more heavily weighted towards why/what are they trying to hide in a language that is a plain language script.