Wednesday, April 21, 2010

Crimepack

First of all, thanks to the guys at malwaredomainlist.
It has been quite a while since I posted; not that I have been busy with anything in particular, but I was trying to put together something better :S
Back at malware domains there was a JavaScript sample posted that was very heavily obfuscated. A deobfuscated version was posted in the same thread, and I wondered whether I could write a blog post on it. Below is a glimpse of the obfuscated script loaded in Malzilla.

The code has a lot of noise in it. Removing all of it makes the script easier for Malzilla to process and easier for us to read. I am referring to this part of the code.

Following that, there is a lot of junk data in the code. Removing it makes the script more readable. You will find this junk scattered throughout the code, here and there, making it harder to work out what the script is up to.

There are also other modifications that have to be made to the script for Malzilla to understand it. Malzilla runs the script in a bare JavaScript engine with no DOM, so it cannot resolve document.getElementById(); the lookup would fail before the decoder ever ran. Instead, we find the actual data ourselves and substitute it in place. The content of those elements is declared at the top of the code. Find this line in the code: var vPRPSbzqtF = yyhbk3ZcZXjhoTi(vqBoXVdaMH.getElementById("oxBVyHURRc").innerHTML); and replace the getElementById("oxBVyHURRc").innerHTML part with the data that was declared for the element "oxBVyHURRc", which is "aXo5T2FzUTBWMWhFaFdoUFVIRTFQZUNVdmw=" (keep it quoted as a string so the decoder function still receives it).

There is also another element that has to be substituted in the same way. It is right after the first getElementById that we already found.
We run the modified script in Malzilla and get the following.

The Malzilla output gives us the shellcode shown below.

Copy the shellcode, convert it to hex and see what it does in the Shellcode Analyzer tab. It looks like it downloads malicious files. URLDownloadToFile - classic.
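The same procedure done programmatically instead of by hand-editing in Malzilla, as an added example that is not code from the post or from the kit: rather than pasting each hidden element's content into the script, supply a fake document whose getElementById() returns it, replace eval() with a hook that records the decoded stage instead of running it, then turn the captured "%uXXXX" shellcode into hex and pull printable strings out of it. The loader text, the element content, the assumption that yyhbk3ZcZXjhoTi() is a base64 decoder (the post does not show it), the shellcode bytes and the URL inside them are all constructed for this demo; nothing from the real sample is reproduced. Node.js is assumed.

```javascript
// Added example (not the post's code): emulate just enough of the browser for a
// Crimepack-style loader to run under Node, hook eval() so the second stage is
// captured instead of executed, then turn its "%uXXXX" shellcode into hex and
// pull printable strings out of it. Loader text, element contents and the
// shellcode bytes below are all constructed for the demo.

// Constructed second stage: what the loader would eval after decoding the hidden
// element. The bytes are four NOPs, a fake download URL and a NUL terminator;
// real shellcode would be x86 code with the URL embedded somewhere inside it.
const SECOND_STAGE =
  'var sc = unescape("%u9090%u9090%u7468%u7074%u2f3a%u652f%u6178%u706d' +
  '%u656c%u692e%u766e%u6c61%u6469%u782f%u652e%u6578%u0000");\n' +
  'var spray = []; for (var i = 0; i < 500; i++) spray[i] = sc;\n';

// Constructed stand-in for the hidden element the loader reads. The id matches
// the one quoted in the post; the content does not. Base64 is assumed for the
// yyhbk3ZcZXjhoTi() decoder, which the post does not show.
const HIDDEN_ELEMENTS = {
  oxBVyHURRc: Buffer.from(SECOND_STAGE, "latin1").toString("base64"),
};

// Constructed loader, shaped like the deobfuscated line quoted in the post.
const LOADER_SOURCE = `
  var vqBoXVdaMH = document;
  function yyhbk3ZcZXjhoTi(s) { return atob(s); }
  var vPRPSbzqtF = yyhbk3ZcZXjhoTi(vqBoXVdaMH.getElementById("oxBVyHURRc").innerHTML);
  eval(vPRPSbzqtF);
`;

// Minimal DOM shim. Anything the loader touches that is not modelled throws,
// which is useful: the error names the next browser feature to emulate.
function makeFakeDocument(elements) {
  return {
    getElementById(id) {
      if (!(id in elements)) throw new Error("unknown element id: " + id);
      return { innerHTML: elements[id] };
    },
  };
}

// Run the loader with document, eval and atob supplied as parameters. The
// parameters shadow the real globals inside the body, so the loader's eval(...)
// is a plain call to our hook and the decoded stage is recorded, not executed.
function runLoader(source, doc) {
  const stages = [];
  const evalHook = (code) => { stages.push(String(code)); };
  const atobShim = (s) => Buffer.from(s, "base64").toString("latin1");
  const loader = new Function("document", "eval", "atob", source);
  loader(doc, evalHook, atobShim);
  return stages;
}

// Decode the %uXXXX / %XX escape form into the byte order unescape() would leave
// in memory: each %uXXXX is one UTF-16 code unit, stored little-endian.
function unescapeToBytes(s) {
  const out = [];
  const re = /%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})|([\s\S])/g;
  let m;
  while ((m = re.exec(s)) !== null) {
    if (m[1] !== undefined) {
      const v = parseInt(m[1], 16);
      out.push(v & 0xff, v >> 8);
    } else if (m[2] !== undefined) {
      out.push(parseInt(m[2], 16));
    } else {
      out.push(m[3].charCodeAt(0) & 0xff);
    }
  }
  return Buffer.from(out);
}

// Printable-ASCII runs: the quickest way to spot the download URL and DLL or
// API names before stepping through the code in a shellcode analyzer.
function asciiStrings(buf, minLen = 6) {
  const found = [];
  let cur = "";
  for (const b of buf) {
    if (b >= 0x20 && b <= 0x7e) { cur += String.fromCharCode(b); continue; }
    if (cur.length >= minLen) found.push(cur);
    cur = "";
  }
  if (cur.length >= minLen) found.push(cur);
  return found;
}

// Whole pipeline: loader -> captured stage -> shellcode bytes -> hex + strings.
function analyze(loaderSource = LOADER_SOURCE, elements = HIDDEN_ELEMENTS) {
  const stages = runLoader(loaderSource, makeFakeDocument(elements));
  const m = /unescape\(\s*["']([^"']+)["']\s*\)/.exec(stages[0] || "");
  if (!m) throw new Error("captured stage has no unescape() payload");
  const bytes = unescapeToBytes(m[1]);
  return { stage: stages[0], hex: bytes.toString("hex"), strings: asciiStrings(bytes) };
}

if (typeof require !== "undefined" && require.main === module) {
  const r = analyze();
  console.log(r.hex);      // paste this into the shellcode analyzer
  console.log(r.strings);  // URLs and API names stand out here first
}
```

Run it with node. If the loader touches something the shim does not model, the thrown error names it, and that is the next thing to emulate; it is the same iteration the post does by hand, one getElementById at a time. Keeping eval() hooked is the important part: the decoded stage is the sample you want to read, never something to let the engine execute.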

Well, that's it for now. Till next post, Adieus - binaryhax0r.
