Author Topic: Obfuscating JS online! (Read 3493 times)

polonus · « **on:** December 29, 2008, 09:59:41 PM »

Hi malware fighters,

Interesting javascript obfuscating done here:
Here the example:

<script>
function recurse ( onClick="javascript:history.go(-1;" );
{
var x = 1;
recurse (onClick="javascript:history.go(-2)");
var x = 2
}
user_pref ( "javascript allow file_scr_from_non_file ", true UniversalPreferenceRead;
function captureClicks(onClick="javascript:history.go(-1;" ) {
Netscapesearching PrivilegeManager enablePrivilege(ÜniversalBrowserWrite");
enableExternalCapture(onClick="javascript:history.go(-2)");
captureEvents (Event.Click);
}
</script>
Now the obfuscation, and packed:
[code]eval(function(p,a,c,k,e,r){e=function(c){return c.toString(a)};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('<6>7 8(3="0:4.5(-1;");{9 a=1;8(3="0:4.5(-2)");9 a=2}b("0 c d ",e f;7 g(3="0:4.5(-1;"){h i j(Ük");\nl(3="0:4.5(-2)");m(n.o)}</6>',25,25,'javascript|||onClick|history|go|script|function|recurse|var|x|user_pref|allow|file_scr_from_non_file|true|UniversalPreferenceRead|captureClicks|Netscapesearching|PrivilegeManager|enablePrivilege|niversalBrowserWrite|enableExternalCapture|captureEvents|Event|Click'.split('|'),0,{}))

Enjoy it here: http://dean.edwards.name/packer/

polonus
[*code][/code]

DavidR · « **Reply #1 on:** December 30, 2008, 12:17:42 AM »

You have to take care when posting such scripts as it is entirely possible that avast might just detect it as the real deal. e.g. JS:Packer-?

I had this problem before when posting the javascript code that was causing an alert on it even when wrapped in the BBC Code tags, I tried all sorts to stop avast alerting broken lines, etc., but nothing worked I had to remove it completely.

So when giving an example something I didn't think of at the time, breaking the script over two sets of code tags in the forums so it didn't alert, then or possibly in the future when some innocent visits this or other similar topic

polonus · « **Reply #2 on:** December 30, 2008, 01:33:30 AM »

Hi DavidR,

No flags so far, here the DrWeb linkchecker scan for the site there,
Checking: http://dean.edwards.name/packer/
Engine version: 4.44.0.9170
File size: 4360 bytes

http://dean.edwards.name/packer/ - Ok

Checking: http://dean.edwards.name/packer/Words.js
File size: 1335 bytes

The script example is absolutely harmless (so is the other version below) as it can be used in a browser with no much ado, the obfuscated script was checked by me with Script Sentry, verdict: NO PROBLEMS WERE FOUND, look: http://www.virustotal.com/analisis/4a1c6fce2cc125dde2e9d4f521867ff4

polonus

DavidR · « **Reply #3 on:** December 30, 2008, 02:46:21 AM »

I doubt you will get flags for the site, my concerns are for posting the obfuscated/packed script content in the forums as that could trigger the JS:Packed detection as you know it is quite sensitive in the obfuscating of code which under normal circumstances would be plain language.

So I would say that malware signature is more heavily weighted towards why/what are they trying to hide in a language that is a plain language script.

Author Topic: Obfuscating JS online! (Read 3493 times)

polonus

Obfuscating JS online!

DavidR

Re: Obfuscating JS online!

polonus

Re: Obfuscating JS online!

DavidR

Re: Obfuscating JS online!