Wednesday, July 25, 2012

JavaScript unescape obfuscated code


A quick way to decode SOME simple obfuscation of Javascript is to use the Malzilla tool, found at http://malzilla.sourceforge.net/downloads.html

Malzilla can take a string, like this one found in an “INDICATOR-OBFUSCATION Potential obfuscated javascript eval unescape attack attempt” alert, and deobfuscate it while replacing eval with evla so the decoded script cannot run (to be safer, you should run this on a virtual machine with no networking or on a test box).

eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%61%20%68%72%65%66%3d%22%6d%61%69%6c%74%6f%3a%69%64%62%40%62%61%63%6b%62%65%61%74%6d%65%64%69%61%2e%63%6f%6d%3f%73%75%62%6a%65%63%74%3d%69%44%6f%77%6e%6c%6f%61%64%42%6c%6f%67%25%32%30%41%64%76%65%72%74%69%73%69%6e%67%25%32%30%49%6e%66%6f%25%32%30%52%65%71%75%65%73%74%22%3e%41%64%76%65%72%74%69%73%65%3c%2f%61%3e%27%29%3b'))

Make sure when you copy this from the content data into the Decoder tab that your parentheses match up. Once run through the tool (make sure you leave the “Replace eval with evla” option enabled), this decodes to:

document.write('<a href="mailto:idb@backbeatmedia.com?subject=iDownloadBlog%20Advertising%20Info%20Request">Advertise</a>');
This one wasn't malicious, but we didn't know that until we deobfuscated it.
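If you don't have Malzilla handy, the same decode step can be scripted. The following is an added example, not code from the original post or from Malzilla: it pulls the string literal out of an eval(unescape('...')) snippet, applies the legacy unescape() rules (%XX and %uXXXX, one pass only) as plain text decoding, checks the parentheses you were told to watch, and renames eval to evla in the result, so nothing is ever executed. The sample input is the alert payload quoted above; the function names (jsUnescape, findUnescapeArgs, parensBalanced, neuter, deobfuscateAll) are this example's own.

```javascript
// Added example (not from the original post or from Malzilla): an offline helper
// that mimics the Decoder tab's eval(unescape('...')) handling. The payload is
// decoded as text only; "eval" is renamed to "evla" so the output stays inert.

// Constructed sample: the string quoted in the post, wrapped exactly as it appeared.
const SAMPLE =
  "eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%61%20%68%72%65%66%3d%22%6d%61%69%6c%74%6f%3a%69%64%62%40%62%61%63%6b%62%65%61%74%6d%65%64%69%61%2e%63%6f%6d%3f%73%75%62%6a%65%63%74%3d%69%44%6f%77%6e%6c%6f%61%64%42%6c%6f%67%25%32%30%41%64%76%65%72%74%69%73%69%6e%67%25%32%30%49%6e%66%6f%25%32%30%52%65%71%75%65%73%74%22%3e%41%64%76%65%72%74%69%73%65%3c%2f%61%3e%27%29%3b'))";

// Same rules as the legacy JS unescape(): %XX and %uXXXX, decoded in a single pass,
// malformed escapes left untouched. Written out instead of calling the deprecated
// global so the decoding rule is visible (note %25%32%30 becomes "%20", not a space).
function jsUnescape(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g, (m, u4, x2) =>
    String.fromCharCode(parseInt(u4 !== undefined ? u4 : x2, 16)));
}

// Collect every quoted string literal passed to unescape(...) in a snippet.
function findUnescapeArgs(code) {
  const re = /unescape\(\s*(['"])((?:\\.|(?!\1)[^\\])*)\1\s*\)/g;
  const out = [];
  let m;
  while ((m = re.exec(code)) !== null) out.push(m[2]);
  return out;
}

// The check the post asks you to do by eye when copying from the alert data.
function parensBalanced(code) {
  let depth = 0;
  for (const ch of code) {
    if (ch === "(") depth++;
    else if (ch === ")" && --depth < 0) return false;
  }
  return depth === 0;
}

// Neutralize: rename eval so the decoded text cannot run if pasted somewhere live.
function neuter(code) {
  return code.replace(/\beval\b/g, "evla");
}

// One layer: decoded, neutered payload(s) found in the snippet.
function deobfuscateOnce(code) {
  if (!parensBalanced(code)) {
    throw new Error("unbalanced parentheses: check the copy/paste");
  }
  return findUnescapeArgs(code).map((arg) => neuter(jsUnescape(arg)));
}

// Peel repeatedly, since obfuscators often nest eval(unescape(...)) several levels deep.
// Returns one entry per layer, innermost last.
function deobfuscateAll(code, maxDepth = 10) {
  const layers = [];
  let current = code;
  for (let i = 0; i < maxDepth; i++) {
    const decoded = deobfuscateOnce(current);
    if (decoded.length === 0) break;
    current = decoded.join("\n");
    layers.push(current);
  }
  return layers;
}

console.log(deobfuscateAll(SAMPLE).join("\n---\n"));
```

Run it with node and the single decoded layer prints: the document.write call from the post, with no eval left in it. For a real sample you would still do this on an isolated box, because the decoded text is just a string here but the file you copied it from is not.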
