Interesting javascript obfuscating done here:
Here is the example:
<script>
function recurse ( onClick="javascript:history.go(-1;" );
{
var x = 1;
recurse (onClick="javascript:history.go(-2)");
var x = 2
}
user_pref ( "javascript allow file_scr_from_non_file ", true UniversalPreferenceRead;
function captureClicks(onClick="javascript:history.go(-1;" ) {
Netscapesearching PrivilegeManager enablePrivilege(ÜniversalBrowserWrite");
enableExternalCapture(onClick="javascript:history.go(-2)");
captureEvents (Event.Click);
}
</script>
Now the obfuscation, and packed:
eval(function(p,a,c,k,e,r){e=function(c){return c.toString(a)};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('<6>7 8(3="0:4.5(-1;");{9 a=1;8(3="0:4.5(-2)");9 a=2}b("0 c d ",e f;7 g(3="0:4.5(-1;"){h i j(Ük");\nl(3="0:4.5(-2)");m(n.o)}</6>',25,25,'javascript|||onClick|history|go|script|function|recurse|var|x|user_pref|allow|file_scr_from_non_file|true|UniversalPreferenceRead|captureClicks|Netscapesearching|PrivilegeManager|enablePrivilege|niversalBrowserWrite|enableExternalCapture|captureEvents|Event|Click'.split('|'),0,{}))
Enjoy it here: http://dean.edwards.name/packer/
polonus
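Packer output like the sample above can be read without running it, because the stub only swaps base-25 word tokens for entries in the keyword table. A static decoder for that format, as an added example that is not part of the thread (the names `unpack`, `PACKED_ARGS` and `SAMPLE` are made up here, and only the `c.toString(a)` stub shown above, radix 36 or lower, is handled):

```javascript
// Added example: static decoder for Dean Edwards packer output (no eval()).
// unpack(), PACKED_ARGS and SAMPLE are names chosen for this sketch.

// Argument tail of the stub: }('payload',radix,count,'k0|k1|...'.split('|')
const PACKED_ARGS =
  /\}\('((?:[^'\\]|\\.)*)',(\d+),(\d+),'((?:[^'\\]|\\.)*)'\.split\('\|'\)/;

// Undo JavaScript string escapes inside the single-quoted payload.
function unescapeJs(s) {
  const named = { n: '\n', r: '\r', t: '\t' };
  return s.replace(/\\(.)/g, (_, ch) => named[ch] ?? ch);
}

function unpack(source) {
  const m = PACKED_ARGS.exec(source);
  if (!m) return null;                       // not packer output
  const radix = Number(m[2]);
  const count = Number(m[3]);
  if (radix < 2 || radix > 36) return null;  // only the toString(radix) stub is handled
  const keywords = m[4].split('|');

  // Same table the stub builds: token c.toString(radix) -> keyword,
  // with an empty keyword meaning "the token stands for itself".
  const table = new Map();
  for (let c = 0; c < count; c++) {
    const token = c.toString(radix);
    table.set(token, keywords[c] || token);
  }
  // Single pass over word tokens; text is only substituted, never executed.
  return unescapeJs(m[1]).replace(/\w+/g, (tok) => table.get(tok) ?? tok);
}

// The packed sample from the post above, with straight quotes, "--" and
// doubled backslashes as the packer emits them.
const SAMPLE = String.raw`eval(function(p,a,c,k,e,r){e=function(c){return c.toString(a)};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('<6>7 8(3="0:4.5(-1;");{9 a=1;8(3="0:4.5(-2)");9 a=2}b("0 c d ",e f;7 g(3="0:4.5(-1;"){h i j(Ük");\nl(3="0:4.5(-2)");m(n.o)}</6>',25,25,'javascript|||onClick|history|go|script|function|recurse|var|x|user_pref|allow|file_scr_from_non_file|true|UniversalPreferenceRead|captureClicks|Netscapesearching|PrivilegeManager|enablePrivilege|niversalBrowserWrite|enableExternalCapture|captureEvents|Event|Click'.split('|'),0,{}))`;

console.log(unpack(SAMPLE));
```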
You have to take care when posting such scripts as it is entirely possible that avast might just detect it as the real deal. e.g. JS:Packer-?
I had this problem before when posting the javascript code that was causing an alert on it even when wrapped in the BBC Code tags. I tried all sorts to stop avast alerting (broken lines, etc.), but nothing worked; I had to remove it completely.
So when giving an example, something I didn’t think of at the time: breaking the script over two sets of code tags in the forums so it didn’t alert, then or possibly in the future when some innocent visits this or other similar topic ;D
No flags so far; here is the DrWeb link checker scan for the site there:
Checking: http://dean.edwards.name/packer/
Engine version: 4.44.0.9170
File size: 4360 bytes
The script example is absolutely harmless (so is the other version below) as it can be used in a browser without much ado. The obfuscated script was checked by me with Script Sentry, verdict: NO PROBLEMS WERE FOUND, look: http://www.virustotal.com/analisis/4a1c6fce2cc125dde2e9d4f521867ff4
I doubt you will get flags for the site; my concerns are for posting the obfuscated/packed script content in the forums, as that could trigger the JS:Packed detection. As you know, it is quite sensitive to the obfuscating of code which under normal circumstances would be plain language.
So I would say that malware signature is more heavily weighted towards why/what are they trying to hide in a language that is a plain language script.