Hi malware fighters,
In websites we will come across loads of obfuscated JavaScript code, used both by code protectors for commercial tracking and evaluation purposes and by malcreants to avoid detection of code they insert into reputable websites. Detecting this process should be done with utmost care, else you could infect your machine or peripherals. The best policy is to use the browser for this in a sandbox, or to use a sandboxed tool like Malzilla:
Also preferably disconnect from the Internet and use a virtual closed environment.
To de-obfuscate a URL or JS there are specific generic unpackers online…the experienced and professional users know where to look…
These are the instructions to use a generic JavaScript unpacker.
Always use your tools with normal user rights, and have the additional protection of the NoScript extension and the RequestPolicy extension inside a Firefox or Flock browser run in a sandbox environment.
Proceedings:
- Open a new text file in a text editor.
- Copy the JavaScript code into the file, including the tags.
- Replace all instances of “document.write” and “eval” in the code with “alert”. This is the essential and vital step to neutralize the malware, so make sure to do it carefully, step by step.
- Save the text file with a .html extension.
- Open the file in Malzilla or a rich text web browser; the unobfuscated code will be displayed in an alert box. ( http://lynx.browser.org/ and Lynx viewer: http://www.delorie.com/web/lynxview.html )
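The same procedure, automated on a constructed sample (added example, not part of the original post): the sinks are swapped for alert textually, and then, instead of reading a popup, the first stage is run with alert bound to a collector so the decoded stage is captured as text. Everything here (the sample, the helper names) is made up for the demonstration.

```javascript
// Constructed sample: one escape()-encoded stage that, when decoded, would call
// document.write. The encoding is built here so the bytes are exactly right.
const INNER_STAGE = 'document.write("<p>second stage</p>")';
const ENCODED = [...INNER_STAGE]
  .map(c => '%' + c.charCodeAt(0).toString(16).padStart(2, '0'))
  .join('');
const SAMPLE_HTML = `<script>eval(unescape("${ENCODED}"));</script>`;

// The "replace with alert" step. Word boundaries keep identifiers such as
// "evaluate" from being mangled. Caveat: indirect forms (window["eval"],
// document["write"], setTimeout("...")) are NOT caught by a textual swap and
// would still execute, which is why the post insists on a sandboxed, offline
// browser for this.
function neutralize(html) {
  let count = 0;
  const src = html.replace(/\b(?:document\.write|eval)\b/g, () => {
    count += 1;
    return 'alert';
  });
  return { src, count };
}

// The "save as .html and read the alert box" step, without the popup: run the
// neutralized script body with alert bound to a collector. Only the sample's
// own first stage runs; whatever it would have eval'd or written is captured
// as a string and returned for inspection.
function captureStages(html) {
  const { src } = neutralize(html);
  const m = /<script[^>]*>([\s\S]*?)<\/script>/i.exec(src);
  const body = m ? m[1] : src;
  const captured = [];
  const fakeAlert = (v) => { captured.push(String(v)); };
  // Sloppy-mode function; the 'alert' parameter shadows any global alert.
  new Function('alert', body)(fakeAlert);
  return captured;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('replacements:', neutralize(SAMPLE_HTML).count);
  console.log('decoded stage(s):', captureStages(SAMPLE_HTML));
}
```

If a captured stage itself contains eval or document.write, feed it back through neutralize and captureStages for the next layer.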
Also for obfuscate/deobfuscate you could go here: http://www.gosu.pl/decoder/
Pre-evaluation can also be done online and I use the following range of online tools:
Mind that these online checkers aren’t foolproof.
For a mainland China site use: http://www.knownsec.com/en/index.html
If Norton has scanned the site, they also give the malware threats with their location:
http://safeweb.norton.com/
Rather good and reliable if the malcode was not cleansed and updated after or before the crawler visited: http://www.unmaskparasites.com/
Then also try here: https://qa.securecloud.com/reputation/query?locale=en-US
Scan for iFrames: http://www.novirusthanks.org/services/scan-websites-for-iframes/
Multi-engine av scanner, also for urls: http://scanner.novirusthanks.org/#
You could also query Jotti’s and VirusTotal’s.
Scan a suspicious URL (Flash/JS) at http://wepawet.iseclab.org/
or use one of their projects here: http://www.cs.ucsb.edu/~seclab/projects.html
From another angle you can get info here: http://sucuri.net/index.php?page=scan
You could search WOT here, safebrowsing tool: http://www.mywot.com/
Finjan, URL analysis: http://www.finjan.com/Content.aspx?id=574
DrWeb online check: http://online.us.drweb.com/
http://www.anti-malvertising.com/
Mind that real-time and reputation scanners can have their weak spots and may not scan deep enough to get all malware. Use Google on all finds, and this add-on for Firefox, MalwareSearch:
https://addons.mozilla.org/en-US/firefox/addon/6718
For IP info: robtex: http://www.robtex.com/
Trust your Avast shields, they are getting better and better every day, and whatever you hunt, report it to Avast to make it even better. When reporting, suspicious addresses are notated like hxtp and wXw, and scripts are always given as screenshots, or use PicPick: http://picpick.wiziple.net/download
Good hunting, malware fighters,
polonus