Unobfuscated Javascript Malware - Caution - not for the inexperienced...

Hi malware fighters,

On websites we come across loads of obfuscated JavaScript code, used both by code protectors for commercial tracking and evaluation purposes and by miscreants to avoid detection of code they insert into reputable websites. Dissecting this should be done with utmost care, else you could infect your machine or peripherals. Best policy is to use the browser for this in a sandbox, or use a sandboxed tool like Malzilla:
Also, preferably disconnect from the Internet and use a closed virtual environment.
To de-obfuscate a URL or JS there are specific generic unpackers online; the experienced and professional user knows where to look.
These are the instructions for using a generic JavaScript unpacker.
Always use your tools with normal user rights, and have the additional protection of the NoScript extension and the RequestPolicy extension inside Firefox or the Flock browser, run in a sandboxed environment.
Procedure:

  1. Open a new text file in a text editor.
  2. Copy the JavaScript code into the file, including the tags.
  3. Replace all instances of “document.write” and “eval” in the code with “alert”. This is the essential step that neutralizes the malware, so make sure to do it carefully, step by step.
  4. Save the text file with a .html extension.
  5. Open the file in Malzilla or a rich-text web browser; the unobfuscated code will be displayed in an alert box. ( http://lynx.browser.org/ and Lynx viewer: http://www.delorie.com/web/lynxview.html )

Also for obfuscate/deobfuscate you could go here: http://www.gosu.pl/decoder/

Pre-evaluation can also be done online; I use the following range of online tools.
Mind that these online checkers aren’t foolproof.
For a mainland China site use: http://www.knownsec.com/en/index.html

If Norton has scanned the site, they also list the malware threats with their location:
http://safeweb.norton.com/
Rather good and reliable, if the malcode was not cleaned or updated before or after the crawler visited: http://www.unmaskparasites.com/
Then also try here: https://qa.securecloud.com/reputation/query?locale=en-US
Scan for iFrames: http://www.novirusthanks.org/services/scan-websites-for-iframes/
Multi-engine av scanner, also for urls: http://scanner.novirusthanks.org/#
You could also query Jotti’s and VirusTotal’s.
Scan a suspicious URL (Flash/JS) at http://wepawet.iseclab.org/
or use one of their projects here: http://www.cs.ucsb.edu/~seclab/projects.html
From another angle you can get info here: http://sucuri.net/index.php?page=scan
You could search WOT here, safebrowsing tool: http://www.mywot.com/
Finjan, URL analysis: http://www.finjan.com/Content.aspx?id=574
DrWeb online check: http://online.us.drweb.com/
http://www.anti-malvertising.com/
Mind that real-time and reputation scanners can have their weak spots and may not scan deep enough to catch all malware. Use Google on all finds, and this add-on for Firefox, MalwareSearch:
https://addons.mozilla.org/en-US/firefox/addon/6718
For IP info: robtex: http://www.robtex.com/

Trust your avast shields, they are getting better and better every day, and whatever you hunt, report it to avast to make it even better. When reporting, suspicious addresses are written like hxtp and wXw, and scripts are always given as screenshots, or use PicPick: http://picpick.wiziple.net/download

Good hunting, malware fighters,

polonus

To de-obfuscate a URL or JS go here: http://jsunpack.jeek.org/dec/go This is a generic Javascript unpacker

One slight problem with this and many other such analysis tool sites: they actually import the suspect code, and avast will alert on this page or its results, as the code exists on the page. So you would have to exclude the results page of such tools.

Personally I don’t feel these tools should be used by everyone (unless you are prepared for the possible consequences), as first you have to have visited the suspect site if you are going to capture the code, rather than point at the URL.

the page mentions this:

CAUTION: jsunpack was designed for security researchers and computer professionals

…so people are warned :wink:

A bit late when they have gone gathering the information, visiting the suspect site first before using the tool and seeing the Caution.

Hi DavidR and Logos,

I give the info on this with all the precautions. There are more sites where code is given and avast flags parts of that code, even when it won’t infect because NoScript prevents it from running. As I said, part of this exercise is not for the unaware and average user; the machine should be in a specific lab setting to do this. Normally one has enough information from the online resources I gave here. I also wrote that live links should not be given and the code should be given only in such a form that it cannot harm (gif, jpg screendump). No one in his right mind would start experimenting on a file-infector etc.
I changed the subject title and the posting accordingly,

polonus


And, the thread title now states …

Caution - not for the inexperienced…

So, they are warned in advance.


Hi malware fighters,

Here is also an interesting link: http://www.woodmann.com/forum/archive/index.php/t-13385.html

There you find that malware analysis should be performed in a specific setting. If you had a live virus you would not inspect it at the kitchen sink at home.
Interesting tools are APIMON and Dependency Walker, Process Explorer and PID analysis tools.

polonus

;D

For a quick and dirty on what the code does: http://www.norman.com/security_center/security_tools/
explanation: https://www.eviloctal.com/thread-17210-1-1.html
also read here: http://cansecwest.com/csw07/csw07-nazario.pdf

polonus