I found this code in my website sourcecode:

// Obfuscated sample exactly as the asker found it; the comments decode it step by step.
// String table. "\xNN" is an ordinary hex character escape (an encoding, not encryption);
// the six entries read "_0x32lsj9", "_xlt", "_x8fkc3", "floor", "random", "length".
var _0xd28d=["\x5F\x30\x78\x33\x32\x6C\x73\x6A\x39","\x5F\x78\x6C\x74","\x5F\x78\x38\x66\x6B\x63\x33","\x66\x6C\x6F\x6F\x72","\x72\x61\x6E\x64\x6F\x6D","\x6C\x65\x6E\x67\x74\x68"];
// Second lookup table, built from the first:
// ["_0x32lsj9", 12, "_xlt", "_x8fkc3", 2, 31, Math, "floor"].
var _0x9ae4=[_0xd28d[0],12,_0xd28d[1],_0xd28d[2],2,31,Math,_0xd28d[3]];
// Third lookup table; _0x9ae4[_0x9ae4[4]] is _0x9ae4[2], i.e. "_xlt":
// [31, "_0x32lsj9", "_xlt", "_x8fkc3", 4, "random"].
var _0xcd6e=[_0x9ae4[5],_0x9ae4[0],_0x9ae4[_0x9ae4[4]],_0x9ae4[3],4,_0xd28d[4]];
// State object; it ends up holding one counter and one function.
var _0xr6g0={};
// _0xr6g0["_xlt"] = 0
_0xr6g0[_0xcd6e[2]]=0;
// _0xr6g0[2] = function () { ... }
_0xr6g0[_0x9ae4[4]]=function (){
var _0x4c68x4={};
// Seed the property "_0x32lsj9" with the string "_0x32lsj9".
_0x4c68x4[_0xd28d[0]]=_0x9ae4[0];
// Append to the string one of its own characters, picked at index
// Math.floor(Math.random() * length), until the string is 31 characters long.
do{
_0x4c68x4[_0x9ae4[0]]+=_0x4c68x4[_0xd28d[0]][_0x9ae4[6][_0x9ae4[7]](_0x9ae4[6][_0xcd6e[5]]()*_0x4c68x4[_0xd28d[0]][_0xd28d[5]])];
}while(_0x4c68x4[_0xd28d[0]][_0xd28d[5]]<_0xcd6e[0]);
// Store the inner function under that generated 31-character key.
_0x4c68x4[_0x4c68x4[_0x9ae4[0]]]=function (){
// _0xr6g0["_xlt"]++ followed by _0xr6g0["_xlt"] %= 12
_0xr6g0[_0xcd6e[2]]++;
_0xr6g0[_0xcd6e[2]]%=_0x9ae4[1];
// The inner function returns itself, which is what lets the calls be chained.
return _0x4c68x4[_0x4c68x4[_0x9ae4[0]]];
};
// The outer function only builds and returns the inner one; it does not touch the counter.
return _0x4c68x4[_0x4c68x4[_0xcd6e[1]]];
};
// _0x9ae4[_0xcd6e[4]] is _0x9ae4[4], i.e. 2: the first () runs _0xr6g0[2], and every
// later () runs the inner function it returned.
// The snippet uses only Math.floor, Math.random, string length and its own objects;
// nothing in it reads the DOM or cookies, makes a request, or evaluates a string.
// NOTE(review): that covers this fragment only; how it got into the page still needs tracing.
_0xr6g0[_0x9ae4[_0xcd6e[4]]]()()()()()()()()()()()()()()()();

I was wondering: what is it, and what does it do?

A: 

The hex in this code is creating a string with the text "_0x32lsj9_xlt_x8fkc3floorrandomlength"

The rest is parsing that to run some sort of javascript.

Michael Shnitzer
A: 

It looks like obfuscated code, meaning code that has been encrypted - there is no way to decrypt it unless you know the encryption key, which is something that will only be known by the one who obfuscated it in the first place.

This:

_0xd28d

is obviously some variable and this:

// Remainder of the asker's script after "var _0xd28d=", collapsed onto one line.
// Only the leading array literal (up to the first ";") is the value assigned to _0xd28d;
// everything after it is further statements: two more lookup tables, the state object,
// the function stored at key 2, and the final chained call.
["\x5F\x30\x78\x33\x32\x6C\x73\x6A\x39","\x5F\x78\x6C\x74","\x5F\x78\x38\x66\x6B\x63\x33","\x66\x6C\x6F\x6F\x72","\x72\x61\x6E\x64\x6F\x6D","\x6C\x65\x6E\x67\x74\x68"];var _0x9ae4=[_0xd28d[0],12,_0xd28d[1],_0xd28d[2],2,31,Math,_0xd28d[3]];var _0xcd6e=[_0x9ae4[5],_0x9ae4[0],_0x9ae4[_0x9ae4[4]],_0x9ae4[3],4,_0xd28d[4]];var _0xr6g0={};_0xr6g0[_0xcd6e[2]]=0;_0xr6g0[_0x9ae4[4]]=function (){var _0x4c68x4={};_0x4c68x4[_0xd28d[0]]=_0x9ae4[0];do{_0x4c68x4[_0x9ae4[0]]+=_0x4c68x4[_0xd28d[0]][_0x9ae4[6][_0x9ae4[7]](_0x9ae4[6][_0xcd6e[5]]()*_0x4c68x4[_0xd28d[0]][_0xd28d[5]])];} while(_0x4c68x4[_0xd28d[0]][_0xd28d[5]]<_0xcd6e[0]);;_0x4c68x4[_0x4c68x4[_0x9ae4[0]]]=function (){_0xr6g0[_0xcd6e[2]]++;_0xr6g0[_0xcd6e[2]]%=_0x9ae4[1];return _0x4c68x4[_0x4c68x4[_0x9ae4[0]]];} ;return _0x4c68x4[_0x4c68x4[_0xcd6e[1]]];} ;_0xr6g0[_0x9ae4[_0xcd6e[4]]]()()()()()()()()()()()()()()()()

is its value. Beyond that there's nothing I can tell you.

Mousasi_Will_Win_Tonight
I don't think it's encrypted, it looks like it's hex.
Michael Shnitzer
Obfuscation and encryption are different things. The code is clearly obfuscated, and not encrypted.
jweyrich
Encrypted javascript wouldn't be executable without decrypting it. So it can't be encrypted.
WoLpH
+3  A: 

The first 5 lines initialize variables. After decoding the \x escapes and resolving the indexes into the other arrays, we get:

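// Lookup tables after decoding the \x escapes and resolving the cross-references.
// Declared with `var`, as in the obfuscated original, so the listing runs as written
// (bare assignments to undeclared names throw in strict mode and in ES modules).
var _0xd28d = ['_0x32lsj9', '_xlt', '_x8fkc3', 'floor', 'random', 'length'];
// [1] = 12 is the modulus applied to the counter; [4] = 2 is the key the function is stored under.
var _0x9ae4 = ['_0x32lsj9', 12, '_xlt', '_x8fkc3', 2, 31, Math, 'floor'];
// [0] = 31 is the length the generated property name is grown to.
var _0xcd6e = [31, '_0x32lsj9', '_xlt', '_x8fkc3', 4, 'random'];
// State object: a single counter, starting at 0.
var _0xr6g0 = {'_xlt': 0};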

Lines 6-18 create a function (after expanding the array indexing):

// Stage 1 of the manual deobfuscation: every lookup-table reference is replaced by its value.
// The function is stored under key 2 of the state object.
_0xr6g0[2] = function() {
   var _0x4c68x4={};
   // Seed string; it doubles as the name of the property that holds it.
   _0x4c68x4['_0x32lsj9'] = '_0x32lsj9';

   // Append one character, taken from a random index of the string itself, per pass
   // until the string is 31 characters long.
   do{
      _0x4c68x4['_0x32lsj9']+=_0x4c68x4['_0x32lsj9'][Math['floor'](Math['random']()*_0x4c68x4['_0x32lsj9']['length'])];
   } while(_0x4c68x4['_0x32lsj9']['length'] < 31);

      // Inner function, stored under the generated string: it increments the counter,
      // wraps it modulo 12, and returns itself so that calls can be chained.
      _0x4c68x4[_0x4c68x4['_0x32lsj9']] = function (){
      _0xr6g0['_xlt']++;
      _0xr6g0['_xlt'] %= 12;
      return _0x4c68x4[_0x4c68x4['_0x32lsj9']];
   };

   // The outer call only returns the inner function; it does not change _xlt.
   return _0x4c68x4[_0x4c68x4['_0x32lsj9']];
};

Javascript allows a['b'] as an alternate syntax for a.b, so this is equivalent to:

 // Stage 2: the same function with bracket access rewritten as dot access wherever the
 // key is a fixed identifier. The generated key is a runtime value, so it stays bracketed.
 _0xr6g0[2] = function() {
   var _0x4c68x4 = {'_0x32lsj9': '_0x32lsj9'};

   // Grow the string with randomly chosen characters of its own until it is 31 long.
   do{
      _0x4c68x4._0x32lsj9 += _0x4c68x4._0x32lsj9[Math.floor(Math.random()*_0x4c68x4._0x32lsj9.length)];
   } while(_0x4c68x4._0x32lsj9.length < 31);

   // Inner function under the generated key: increment the counter, wrap at 12, return itself.
   _0x4c68x4[_0x4c68x4._0x32lsj9] = function (){
      _0xr6g0._xlt++;
      _0xr6g0._xlt %= 12;
      return _0x4c68x4[_0x4c68x4._0x32lsj9];
   };

   // The outer call hands back the inner function without touching the counter.
   return _0x4c68x4[_0x4c68x4._0x32lsj9];
};

The inner function has a randomly-generated 31-character name that doesn't matter, so it can be simplified to:

// Final simplification: the generated property name is never observable from outside,
// so a named function expression `f` stands in for the inner function.
_0xr6g0[2] = function () {
   // f advances the shared counter, wraps it at 12, and returns itself so calls can be chained.
   // The outer function only returns f; it does not change the counter.
   return function f() {
      _0xr6g0._xlt++;
      _0xr6g0._xlt %= 12;
      return f;
   };
};

The last line calls _0xr6g0[2] 16 times, and this is an obfuscated way of writing

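// Of the 16 call pairs, the first runs the outer function, which only returns the inner
// one; the other 15 each increment the counter, so it ends at 15 % 12 = 3.
_0xr6g0._xlt = 3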
dan04
+5  A: 

By itself, the code does nothing useful nor dangerous.

After manually deobfuscating:

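// Counter shared by every returned function; it wraps at 12.
let count = 0;
/**
 * Readable stand-in for the obfuscated `_0xr6g0[2]`.
 *
 * @returns {Function} a function that increments `count` modulo 12 and returns
 *   itself, so that calls can be chained. Calling func_a itself does not change `count`.
 */
const func_a = function () {
    // Kept local: the obfuscated code stores the inner function on a per-call object,
    // not in a global, and undeclared assignments throw in strict mode.
    const func_b = function () {
        count++;
        count %= 12;
        return func_b;
    };
    return func_b;
};
// The first () runs func_a (no increment); the remaining 15 run func_b,
// which leaves count at 15 % 12 = 3.
func_a()()()()()()()()()()()()()()()();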

It looks more like a failed attempt to keep the browser busy, though it works very well at keeping people curious.

UPDATE: fixed the deobfuscation.

jweyrich
Technically I think you need to leave the original string alone in the line `var5[100] = "_0x32lsj9"`, since later on the code tests the length of that string.
David Zaslavsky
@David, you're right. I overlooked that.
jweyrich
"By itself, the code does nothing useful nor dangerous." - It is *possible* that this is an attempted exploit using a (hypothetical) bug in certain implementations of Javascript ...
Stephen C