Decoding JavaScript malware
This document describes how to decode scripts you may acquire whilst investigating a security incident.
Users may have reported a suspect email that contains a hyperlink.
After collecting a few email samples and extracting the URLs, you would normally use an isolated laptop with internet access, most likely running Linux in a sandbox mode.
Use the wget command to fetch the code being served from the collection of URLs you have extracted.
Examine collected code and follow redirects to reach the payload server.
Normally this payload script will be obfuscated, as in the image below:
Figure 1 - example of obfuscated JavaScript
Tools used: the latest Firefox browser with the Firebug extension installed.
Possibly WinMerge, if you want to check whether the scripts change dynamically.
Once you’ve found a script that looks obfuscated, the first step is to run it through http://jsbeautifier.org/
All this site does is save you from manually finding each semicolon and adding the line breaks that split the script up and make it easier to read. See ‘Figure 2 - beautified code’.
Copy the beautified script into a new file in Notepad++ and save this file into your incident working folder with the .html extension. Add in the html and script tags, with the closing tags after the first line of the original beautified script. !WARNING! The code within the script tags will get executed, so be careful. In ‘Figure 3 - Edited code in html file’ you can see where I put the html tags. The line that gets executed just defines an array.
Now we open Firefox and press F12 to open the developer tools and Firebug. Copy the path to your working folder into the address bar of Firefox (it will list the contents of the directory), then click your file in the list; in my case it is ‘script3.html’.
Now you can copy in some of the other script lines to find out how it was encoded. We can see that the second line of code is assigning values to an array. We can start to see that the array members' names are peppered all over the script and that each name should be replaced by its value. See ‘Figure 4 - firefox firebug console’.
The next few lines keep adding to this array until one line adds a function, then the next line that begins with $.$($.$($.$$ + is where the decoding and then subsequent execution of the script would happen.
Because we know $.$ calls an executable function, we now omit it: copy the line from after the second ( bracket onwards. You will get syntax errors, so just keep trimming the end of the line until it is accepted.
Now the output of Firebug should show lots of hex-type code. Copy this text and paste it into the site http://ddecode.com/hexdecoder/; this will decode the hex values into plaintext, and you should now be able to read what the script is doing and take the necessary actions to block the Trojan dropper sites.
This particular script decodes into nonsense literature excerpts like the one below:
"return"document.write(\"<p>some star snorting first left</p><p>some little nursing right sure</p><p>creature directions snorting engine kept leave loud</p><p>legs kept straightenin nursing into undoing take this loud grunted</p>\");"
But this code could easily be an executable download.
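The hex-decoding step above can also be done offline with Node.js, so the sample never has to be pasted into a third-party site. This is an added example, not code from the original write-up: it treats the copied console text as data, goes beyond the hex case described by also handling octal and \u escapes, and the sample string and the payload.example.invalid host are constructed.

```javascript
// Added example: turn the escaped text copied from the console into plaintext
// by treating it as data. Nothing here calls eval() or Function().

// Single-character escapes; any other escaped character decodes to itself.
const SIMPLE = { n: '\n', r: '\r', t: '\t', b: '\b', f: '\f', v: '\v' };

// \xHH (hex), \uHHHH (Unicode), \NNN (legacy octal, max \377), or \<char>.
const ESCAPE =
  /\\(?:x([0-9a-fA-F]{2})|u([0-9a-fA-F]{4})|([0-3][0-7]{0,2}|[4-7][0-7]?)|([\s\S]))/g;

function decodeEscapes(text) {
  return text.replace(ESCAPE, (match, hex, uni, oct, ch) => {
    if (hex !== undefined) return String.fromCharCode(parseInt(hex, 16));
    if (uni !== undefined) return String.fromCharCode(parseInt(uni, 16));
    if (oct !== undefined) return String.fromCharCode(parseInt(oct, 8));
    return Object.prototype.hasOwnProperty.call(SIMPLE, ch) ? SIMPLE[ch] : ch;
  });
}

// Pull out the URLs in the decoded text so the hosts can be reviewed and blocked.
function extractUrls(text) {
  const found = text.match(/https?:\/\/[^\s"'<>\\)]+/gi) || [];
  return [...new Set(found)];
}

// Constructed sample: a harmless string escaped the way the console shows it,
// alternating octal and hex escapes. The host name is a placeholder.
const PLAIN =
  'document.write("<p>test</p>");location="http://payload.example.invalid/x.js";';
const SAMPLE = 'return"' + [...PLAIN].map((c, i) => {
  const code = c.charCodeAt(0);
  return i % 2 === 1
    ? '\\x' + code.toString(16).padStart(2, '0')
    : '\\' + code.toString(8);
}).join('') + '"';

const decoded = decodeEscapes(SAMPLE);
console.log(decoded);
console.log(extractUrls(decoded));
```

Save the text copied from the console to a file and pass its contents to decodeEscapes; the result is only ever handled as a string.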
Figure 2 - beautified code
Figure 3 - Edited code in html file
Figure 4 - firefox firebug console
Figure 5 - firebug decoded to hex values
Figure 6 - online hex decode site