A quick way to decode SOME simple obfuscation of JavaScript is to use the Malzilla tool, found at http://malzilla.sourceforge.net/downloads.html
Malzilla can take a string, like this one found in an “INDICATOR-OBFUSCATION Potential obfuscated javascript eval unescape attack attempt” alert, and deobfuscate it while replacing eval with evla, so the decoded script is shown rather than executed (to be safer, you should run this on a virtual machine with no networking or on a test box):
eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%61%20%68%72%65%66%3d%22%6d%61%69%6c%74%6f%3a%69%64%62%40%62%61%63%6b%62%65%61%74%6d%65%64%69%61%2e%63%6f%6d%3f%73%75%62%6a%65%63%74%3d%69%44%6f%77%6e%6c%6f%61%64%42%6c%6f%67%25%32%30%41%64%76%65%72%74%69%73%69%6e%67%25%32%30%49%6e%66%6f%25%32%30%52%65%71%75%65%73%74%22%3e%41%64%76%65%72%74%69%73%65%3c%2f%61%3e%27%29%3b'))
Make sure that when you copy this from the content data into the Decoder tab, your parentheses match up. Once run through the tool (make sure you leave the “Replace eval with evla” option enabled), this decodes to:
document.write('<a href="mailto:idb@backbeatmedia.com?subject=iDownloadBlog%20Advertising%20Info%20Request">Advertise</a>');
This one wasn't malicious, but we didn't know that until we deobfuscated it.
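If you would rather not depend on a GUI tool, the same peel-and-neuter idea fits in a few lines of JavaScript. The script below is an added example written for this post; it is not Malzilla's code and not part of the original article. It re-implements the legacy unescape() so the decoding is explicit, strips eval(unescape('...')) wrappers without ever executing the sample, and renames eval to evla in the result exactly as the Malzilla option does. It goes a step beyond the post by peeling nested layers repeatedly. The function names, the maxLayers bound and the NESTED_SAMPLE input are my own assumptions; only SAMPLE_FROM_POST is taken from the alert above.

```javascript
'use strict';

// Re-implementation of the legacy JavaScript unescape(): %uXXXX becomes one
// UTF-16 code unit, %XX one byte, and any malformed sequence is left verbatim.
// Decoding is a single pass, so a doubly encoded %25%32%30 yields the literal
// text "%20" and is not decoded a second time (as in the sample below).
function unescapeLegacy(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g, (m, u, x) =>
    String.fromCharCode(parseInt(u !== undefined ? u : x, 16)));
}

// Rename every eval identifier to evla, mirroring Malzilla's option, so the
// decoded text cannot run if it is later pasted into a browser console.
function neuterEval(code) {
  return code.replace(/\beval\b/g, 'evla');
}

// Matches eval(unescape('...')) or eval(unescape("...")) with an optional
// trailing semicolon; capture group 2 is the percent-encoded payload.
const EVAL_UNESCAPE =
  /eval\s*\(\s*unescape\s*\(\s*(['"])((?:(?!\1).)*?)\1\s*\)\s*\)\s*;?/g;

// Replace each eval(unescape(...)) wrapper with its decoded contents.
// Returns the new text and how many wrappers were peeled.
function peelLayer(src) {
  let hits = 0;
  const code = src.replace(EVAL_UNESCAPE, (m, q, payload) => {
    hits += 1;
    return unescapeLegacy(payload);
  });
  return { code, hits };
}

// Peel wrappers until none match or maxLayers (an assumed safety bound) is
// reached, then neuter eval in the final text. Intermediate layers are kept
// so an analyst can inspect each stage.
function deobfuscate(src, maxLayers = 10) {
  const layers = [];
  let cur = src;
  for (let i = 0; i < maxLayers; i += 1) {
    const { code, hits } = peelLayer(cur);
    if (hits === 0) break;
    layers.push(code);
    cur = code;
  }
  return { final: neuterEval(cur), layers };
}

// The string from the alert in the post above (copied verbatim).
const SAMPLE_FROM_POST =
  "eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%61%20%68%72%65%66%3d%22%6d%61%69%6c%74%6f%3a%69%64%62%40%62%61%63%6b%62%65%61%74%6d%65%64%69%61%2e%63%6f%6d%3f%73%75%62%6a%65%63%74%3d%69%44%6f%77%6e%6c%6f%61%64%42%6c%6f%67%25%32%30%41%64%76%65%72%74%69%73%69%6e%67%25%32%30%49%6e%66%6f%25%32%30%52%65%71%75%65%73%74%22%3e%41%64%76%65%72%74%69%73%65%3c%2f%61%3e%27%29%3b'))";

// Helper used only to build the constructed nested sample below.
function percentEncode(s) {
  return Array.from(s, (ch) =>
    '%' + ch.charCodeAt(0).toString(16).padStart(2, '0')).join('');
}

// Constructed input (not from the post): two nested layers, with a bare
// eval(x) left in the innermost script so the eval -> evla renaming is visible.
const INNER_SCRIPT = "eval(x); document.write('hi');";
const NESTED_SAMPLE =
  "eval(unescape('" +
  percentEncode("eval(unescape('" + percentEncode(INNER_SCRIPT) + "'))") +
  "'))";

function demo() {
  for (const [label, input] of [['post sample', SAMPLE_FROM_POST],
                                ['nested sample', NESTED_SAMPLE]]) {
    const { final, layers } = deobfuscate(input);
    console.log(label + ': ' + layers.length + ' layer(s) peeled');
    console.log('  ' + final);
  }
}

demo();
```

Run it with node and it reports one peeled layer for the alert string, printing the same document.write(...) line shown above, with the %20 sequences still intact because the single pass does not re-decode them; the constructed nested sample shows two layers and the leftover eval(x) renamed to evla(x).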