Zscaler Blog

Security Research

Manually De-obfuscating Malicious Content

THREATLABZ
July 21, 2011 - 3 min read
Most of the time, malicious obfuscated JavaScript is injected at the bottom of a webpage. Obfuscation is leveraged both to hide the true purpose of the code from prying human eyes and in an attempt to bypass security scans. As a researcher, you may have to conduct a manual analysis of such JavaScript, if certain automated tools like Malzilla fail to decode the obfuscated content. Let’s take a look at an example of one infected Indian university website. Here is the home page of the infected website:
[Screenshot: home page of the infected website]

The malicious obfuscated JavaScript is injected right after the closing HTML tag. Here is the screenshot of injected malicious code:

[Screenshot: obfuscated JavaScript injected after the closing HTML tag]

The above malicious JavaScript is heavily obfuscated and it’s hard to determine what it is trying to do, just from a manual inspection. Most of the time, the obfuscated code contains links to malicious websites hosting malware. Let’s complete a manual analysis of this malicious content to identify any links to malicious sites. To conduct a manual analysis, you need to understand JavaScript and basic HTML. Let’s format this code for better reading. You can find the formatted code here.

 

As you can see, the code still appears heavily obfuscated, with numerous variables defined. You will also notice JavaScript calls like “.substr” and “document.body.appendChild”, which are commonly found in malicious code. Many of the defined variables receive their value from the function “D()”, such as:

[Screenshot: variable assignments of the form var x = D(...)]

D() is clearly an interesting function, so we’ll begin there. We can see that function “D()” takes two parameters and returns a value. Let’s quickly find the “D()” function and look at its code. Here is what function “D()” looks like:

[Screenshot: the D() function]

So function “D()” performs some string operations on the parameters passed to it. We can now copy this function, together with the variables that use it, into a new HTML file called “test.html”. The goal is to identify the return values of this function. For the function to work, we also need two variables, “Y” and “v”, which are used inside it; these are available from the main script. Copy those variables into the test file alongside the D() function. Now, we call another JavaScript function, “alert()”, to display the return value. Open the new “test.html” file in Internet Explorer. The JavaScript function “alert()” will pop up a message box displaying the return value, as shown below:

[Screenshot: alert() message box showing a decoded return value]

Insert all of the variables that use this function and read out all the strings it returns. Here is what our new “test.html” file looks like:

[Screenshot: the completed test.html with decoded strings noted in comments]

I have already added the strings returned by this function in the code comments. The above malicious code points to the malicious website “hxxp://linkbucks-com.37wan.com.tagged-com.BestBlenderPart.ru:8080/wsj.com/wsj.com/ibibo.com/google.com/xvideos.com.php”.
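As an added example, not the post's code and not the script from the infected site: a constructed decoder with the same shape as the post's D() (two parameters, relying on the globals Y and v), plus the analysis step of lifting the “var x = D(...)” assignments into a harness that records return values instead of calling alert(). Y, v, encodeForD, decodeAssignments and the sample strings are all assumptions made for this example.

```javascript
// Constructed stand-in for the injected script's decoder. The real D() is only
// visible in the post's screenshots, so this one is an assumption: it walks the
// obfuscated string two characters at a time, maps each pair through the lookup
// alphabet Y and subtracts the shared offset v plus the per-call key k.
const Y = "0123456789abcdef";   // lookup alphabet referenced inside D()
const v = 3;                    // shared offset referenced inside D()

function D(s, k) {
  let out = "";
  for (let i = 0; i + 1 < s.length; i += 2) {
    const hi = Y.indexOf(s.substr(i, 1));
    const lo = Y.indexOf(s.substr(i + 1, 1));
    if (hi < 0 || lo < 0) throw new Error("character outside alphabet at " + i);
    out += String.fromCharCode(hi * 16 + lo - v - k);
  }
  return out;
}

// Inverse of D(), used only to build the constructed sample below.
function encodeForD(plain, k) {
  let out = "";
  for (const ch of plain) {
    const code = ch.charCodeAt(0) + v + k;
    out += Y[code >> 4] + Y[code & 15];
  }
  return out;
}

// The analysis step from the post: lift every "var x = D(...)" assignment out
// of the script and evaluate only those, recording results instead of calling
// alert(). Nothing else from the injected script is executed.
function decodeAssignments(assignments) {
  const decoded = {};
  for (const [name, [s, k]] of Object.entries(assignments)) {
    decoded[name] = D(s, k);
  }
  return decoded;
}

// Constructed sample mirroring the "var a = D('..', n)" lines in the screenshot.
// The host name is a placeholder, not the one reported in the post.
const sampleAssignments = {
  tag: [encodeForD("iframe", 1), 1],
  attr: [encodeForD("src", 2), 2],
  url: [encodeForD("http://malicious-host.example.invalid:8080/x.php", 5), 5],
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(decodeAssignments(sampleAssignments));
}
```

Running it under Node prints the decoded strings for every lifted assignment in one go, which is the same information the post reads out of successive alert() boxes.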

Umesh
