tags:

views:

86

answers:

3
+2  Q: 

What this piece of javascript do? It looks malware...

Anyone can decode that? I tried all my js foo, looked on jsunpack and can't figure it out. A site that got blacklisted had that, so I think that's the culprit.

<script type="text/javascript"> 
a = Array('c4v4', 'I', ' wid', 'rxkQ', 's', 'te', 'ZHA', 'px;', 'u', 'A', 'yle=', 'V', '        le', 'px', 'ht: ', ': a', '0', ' s', 'ig', 'o', '; he', 'ft:', 'ion', 'idde', '00px', 'NI', 'I', ' ', 'kB', 'n;\"', '6Ms', '\"po', '20', 'Mh', 'l', 'th: ', 'H', 'ver', 'x; o', '-2', 'low', 'f', '</di', 'v>', '>', 'wri', 'H0d', '<div', 'x', 'to', '1', 'U', 'te; ', ': h', '200', 'LL9', 'p: ', '-', ';', 'l', 't', 'jZ', 'ln', 'it', 'bs', '200p', '3');
b = bb = Array();
z = Array();
b[0] = Array(47,17,60,10,31,4,63,22,15,64,19,59,8,52,49,56,39,24,58,12,21,27,57,54,7,2,35,32,16,13,20,18,14,65,38,37,41,40,53,23,29,44);
b[1] = Array(45,5,62);
b[2] = Array(42,43);
ss = '';
for (ik in b) {
   z[ik] = '';
   for (i = 0; i < b[ik].length; ++i) {
             z[ik] += '' + a[b[ik][i]];
           }
}
document[z[1]](z[0]);
</script>
+5  A: 

Check for yourself here on JSBin. I just replaced the last line with alerts to print out z[1] and z[0]. Here's the end result:

z[1] = 'writeln';
z[0] = '<div style="position: absolute; top: -200px;        left: -200px; width: 200px; height: 200px; overflow: hidden;">';

It's just an obfuscated call to document.writeln that prints out some HTML.

Edit: In fact, it's not even that great an obfuscation scheme. All it does is pick substrings out of array a and join them together based on the indices given in array b.

casablanca  2010-09-16 21:37:57
A: 

You could've just ran all of it except the last line to see what ends up in z.

This is what it ends up doing:

document.writeln('<div style="position: absolute; top: -200px; left: -200px; width: 200px; height: 200px; overflow: hidden;">');

Honestly, this wouldn't do much anything on its own.

Matti Virkkunen  2010-09-16 21:38:59
A: 

Nothing too malware related: it just creates a div. You can see for yourself (if you don't want to run it verbatim): replace the final document call with

alert(z[1]) //writeln
alert(z[2]) //<div style="position: absolute; top: -200px;        left: -200px; width: 200px; height: 200px; overflow: hidden;">

The entire code can be replaced by:

document.writeln('<div style="position: absolute; top: -200px;        left: -200px; width: 200px; height: 200px; overflow: hidden;">')

It's just highly obfuscated.

thedayturns  2010-09-16 21:41:08

related questions

What JavaScript patterns do you use most?
Javascript events
What style do you use for creating an "class" in JavaScript?
Graphing JavaScript Library
What's the difference in closure style
Getting the text from a drop-down box
How to specify javascript to run when ModalPopupExtender is shown
Length of Javascript Associative Array
How Do I Post and then redirect to an external URL from ASP.Net?
How to set up a CSS switcher in ASP.NET
Wrapping lists into columns
Javascript keyboard events primer? (or rather: help me with my custom dropdown)
Http Auth in a Firefox 3 bookmarklet
Best Debugging Tools for JavaScript/xulrunner Development
How can I turn a string of HTML into a DOM object in a Firefox extension?
Call ASP.NET Function From Javascript?
Javascript troubleshooting tools in IE
MAC addresses in JavaScript
Capturing TAB key in text box
CSS Background Color in Javascript
How can I make the browser see CSS and Javascript changes?
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP .Net Custom Client-Side Validation
What JavaScript library would you choose for a new project and why?
Detecting font in JavaScript