[Emerging-Sigs] Proposed Signature for Blackhole Exploit Landing malicious applet

Chris Wakelin c.d.wakelin at reading.ac.uk
Wed Oct 5 14:11:00 EDT 2011


On 05/10/11 18:44, Nick Randolph wrote:
> If you replace "eval" with "alert" and open it in a browser you get a
> deobfuscated version of the javascript.

You're a bit braver than me, though I guess it's safe!

I use a yucky awk script similar to

> #! /bin/sh
> # Needs gawk: gensub() is a GNU extension.
> awk '
> /[sS]tring.*[Cc]har/{ # Extract the argument list of the String.fromCharCode(...) call
>   a=gensub("^.*String.*Char.*\\(([0-9.*+,-]*)\\).*$","\\1","g",$0)
>   cipher_len=split(a,cipher,",")
> }
> END { # Evaluate each term (N, N*M, N+M or N-M) and print it as a character
>   for (i=1;i<=cipher_len;i++){
>     c=cipher[i]+0;   # force numeric so %c prints the code point, not the first digit
>     if (split(cipher[i],b,"*") == 2 ) { c = b[1] * b[2] }
>     if (split(cipher[i],b,"+") == 2 ) { c = b[1] + b[2] }
>     if (split(cipher[i],b,"-") == 2 ) { c = b[1] - b[2] }
>     printf("%c",c)
>   }
> }'

though with a bit of munging with sed as well, so the last few I've seen
are deobfuscated with something like

> sed -e 's/,/+30,/g;s/s=/StringChar=/' /var/tmp/e.bridgees.in-main.php-page-6d4bf85d94a5bf4a-051011-174647 | ./decoder.sh | jsbeautifier.py -i | less

and earlier ones with "[98-w,.." and the like with

> sed -e 's/-w/+2/g' <file> | ./decoder.sh ...

Best Wishes,
Chris

-- 
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 2908
Whiteknights, Reading, RG6 6AF, UK              Fax: +44 (0)118 975 3094
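A Python version of the same idea, added here as an example and not part of Chris's post or his decoder.sh script: it pulls the argument list out of each String.fromCharCode(...) call, evaluates terms of the form N, N+M, N-M and N*M (with names such as the w in "98-w" resolved from simple integer assignments found in the file, or from a dict passed in) without calling eval, and returns the decoded text as data for inspection. The sample input below is constructed for the example, modelled on the "+30" and "-w" forms described above; the call name is assumed not to have been renamed the way the sed munging handles.

```python
import re

# Argument list of a String.fromCharCode(...) call. The loaders discussed use
# only numbers, short names and + - * inside it, so "no nested parens" is enough.
CALL_RE = re.compile(r"String\s*\.\s*fromCharCode\s*\(([^()]*)\)")
# Simple integer assignments such as "var w=2;" that act as the key for "98-w".
ASSIGN_RE = re.compile(r"\b([A-Za-z_]\w*)\s*=\s*(\d+)\b")
NAME_RE = re.compile(r"[A-Za-z_]\w*")


def collect_int_vars(js):
    """Gather 'name = <int>' assignments from the raw script text."""
    return {name: int(val) for name, val in ASSIGN_RE.findall(js)}


def eval_term(term, variables):
    """Evaluate one argument like '104+30', '98-w' or '37*3+w' without eval().

    Only integer literals, known variable names and + - * are accepted;
    anything else raises ValueError so unexpected syntax is never executed.
    """
    expr = re.sub(r"\s+", "", term)
    parts = re.split(r"([+-])", expr)  # ['98', '-', 'w']

    def operand(tok):
        if tok.isdigit():
            return int(tok)
        if NAME_RE.fullmatch(tok) and tok in variables:
            return variables[tok]
        raise ValueError(f"unsupported operand {tok!r} in term {term!r}")

    def product(factor_expr):  # '*' binds tighter than '+' and '-'
        value = 1
        for factor in factor_expr.split("*"):
            value *= operand(factor)
        return value

    total = product(parts[0])
    for op, part in zip(parts[1::2], parts[2::2]):
        total = total + product(part) if op == "+" else total - product(part)
    return total


def decode_fromcharcode(js, variables=None):
    """Return the decoded string of every String.fromCharCode(...) call in js.

    Integer assignments in the file supply variable values; an explicit
    'variables' dict overrides them (e.g. {"w": 2} when the key is elsewhere).
    """
    env = collect_int_vars(js)
    if variables:
        env.update(variables)
    decoded = []
    for args in CALL_RE.findall(js):
        codes = [eval_term(t, env) for t in args.split(",") if t.strip()]
        decoded.append("".join(chr(c) for c in codes))
    return decoded


# Constructed sample, not taken from a real landing page: one "+30" call and
# one call mixing "-w", "*" and "+w" with the key "w" set at the top.
SAMPLE_JS = (
    "var w=2;\n"
    "eval(String.fromCharCode(88+30,67+30,84+30,2+30,90+30,31+30,19+30,29+30));\n"
    "eval(String.fromCharCode(37*3,109-w,31+w));\n"
)

if __name__ == "__main__":
    for text in decode_fromcharcode(SAMPLE_JS):
        print(repr(text))
```

Because the decoder never hands the argument text to a JavaScript engine, a term it does not recognise stops the run with an error instead of running attacker-controlled code, which is the practical difference from the "replace eval with alert" trick. Piping the returned strings through jsbeautifier.py as above still applies for the next layer.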

