Monday, April 23, 2012

JavaScript Obfuscation - Manual Armor (2)

Every day we encounter different sets of obfuscated scripts that load hidden iframes on infected websites. Several Brazilian (.br) domains are serving a similar set of obfuscated scripts. One example was discussed earlier in our article, JavaScript Obfuscation - Manual Armor (1). We have now come across another variant of this file. A simple methodology was presented in the earlier post. This time we have the obfuscated JavaScript as follows:

So we need to clean it up, which we did as follows:

At this point, we need to get the value of the variable "f", which can be calculated with a JavaScript interpreter by triggering the "split" calls. The result is then fed into the loop so that every element's value is increased by 41 (values with "+" and "-" are added and subtracted respectively). After all this, a simple Python program that holds these elements in a list and applies the same logic deobfuscates the JavaScript as follows:

So we get the URL serving the malware, which is what we wanted. :)
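
A sketch of the decoding step described above, as an added example that is not the original program from this post. It assumes the "split" output is a comma-separated string whose elements are integers or short "+"/"-" expressions; the sample input and the example.invalid URL are constructed.

```python
import re

OFFSET = 41  # per-element increase stated in the post

# Constructed sample (not from the analysed script). Assumed layout: elements
# separated by commas, each an integer or a short "+"/"-" expression.
SAMPLE = ("70+6,20,-7,60+3,80-5,75,71,20-3,6,6,60,80-1,56,68,71,"
          "67,60,5,64,69,70+7,56,67,64,59,6,-7")

_ELEMENT = re.compile(r"[+-]?\d+(?:[+-]\d+)*")  # whole element
_TERM = re.compile(r"[+-]?\d+")                 # one signed term


def eval_element(element):
    """Evaluate an element such as '80-5' without handing it to eval()."""
    text = element.replace(" ", "")
    if not _ELEMENT.fullmatch(text):
        raise ValueError(f"unexpected element: {element!r}")
    return sum(int(term) for term in _TERM.findall(text))


def decode(payload, sep=",", offset=OFFSET):
    """Split the payload, shift every element by the offset, map to chars."""
    chars = []
    for element in payload.split(sep):
        if not element.strip():
            continue  # tolerate a trailing separator
        code = eval_element(element) + offset
        if not 0 <= code <= 0x10FFFF:
            raise ValueError(f"{element!r} decodes outside Unicode: {code}")
        chars.append(chr(code))
    return "".join(chars)


def extract_urls(script):
    """Pull http(s) URLs out of the decoded script text as inert strings."""
    return re.findall(r"https?://[^\s'\"<>)]+", script)


if __name__ == "__main__":
    decoded = decode(SAMPLE)
    print(decoded)
    print(extract_urls(decoded))
```

Because the elements are parsed with a strict pattern instead of being evaluated, an element that is not plain signed arithmetic raises an error rather than running inside the analyst's interpreter.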