Obfuscated code tends to stand out to human eyes because it creates patterns that are very distinct from the code on the rest of the page. There are different styles, so this example won’t teach you to spot all of them but believe me when I say that once you’ve seen a few you will be able to rapidly scroll through a page and spot the blocks of evil code. In my example, the evil code looks like this:
Distinguishing features include:
- large wall of text where code above and below is relatively short and spaced out
- random looking letters that make no sense
- lots of little groups of numbers
- a “document.write” command
The first thing you need to do is break out the stuff between the script tags into a separate file to play around with it. I’m going to do my decoding using Python because that’s what I’m used to but you can use pretty much any language for this. Find statements separated by semicolons and split them on to new lines so it’s easier to follow (for large, complicated blocks you might want to use a tool like JSPretty but this one is quite simple).
Once you’ve done that you can start to get an idea of what is in there. In this example, there are variables ‘a’, ‘b’, ‘c’, ‘clen’, then a for loop, and finally an unescape statement. Breaking down the for loop further, it does the following:
- iterates through every character in ‘a’
- in each iteration, get the numeric ASCII value of the character
- bitwise XOR that value with 2
- convert the resulting value into a new ASCII character
- append the new ASCII character to a string
This is something that converts very readily to Python, like so:
Followed by the output:
This gives us a URL-encoded string (character codes preceded by % symbols). Python has a built-in library, urllib, which can decode this for us.
Finally, we get a human-readable version of the content.
The “document.write” command would have written the decoded content to the browser which as you can now see would have created an 0x0 sized iframe calling a resource from teaserguide[.]com. If you haven’t already read Zscaler’s article showing what happens after that, I highly recommend that you do so now.
Pingback: Angler knows when you’re fakin’ it | unsafehex