The silent Storm and Javascript Decoding
Its been awhile since I've posted anything. I haven't lost touch, I've just been busy with the upcoming Holiday, and reserving myself for the next big Storm update.
A few of us were talking about Storm the other day, and Paul suggested that perhaps the authors have simply abandoned the current Storm botnet, in favor of laying low for a few months, and releasing a whole new version of the code, one with less bugs and some tactical modifications that might make it harder for security researchers to track them. I'm beginning to wonder if he's right. Storm has been silent since mid November. Is a New Year virus going to be born, something far more intrusive than Storm? Only time will tell. Thankfully we're getting a much needed break, so we can focus on other botnets.
---
There have been a good number of emails coming from users who wonder how we're able to decode some of the JavaScript seen on malware sites. The question usually comes after a reader has spotted a dangerous looking page, and we've confirmed it.
Daniel Wesemann has a great write up here. In fact Daniel sparked my interest in decoding malicious javascript instead of just running it through Rhino.
He and Jose Nazario with Arbor Networks have been great mentors. I thought I'd share something I put together using the skills taught by these two fellows.
I've built an automatic Javascript Decoder, which you can freely download and use. It is coded with an eye towards the unix flavor of OS, but should work fine if you have SpiderMonkey installed for windows, and don't mind modifying the code slightly. Jsdecode a public domain script that is simply a wrapper for Mozilla's SpiderMonkey application. Therefore, SpiderMonkey must be installed before this script will work.
Most of the malicious Javascript can be decoded by simply running it through this script. So far I've only had a handful of malicious javascripts requiring more advanced thought. The script isn't magic. It just creates a document.write function for you, and modifies eval statements so they print to the screen, and reruns the decoded javascript to make sure its just not double encoded. Other security researchers have written much better products, for example Malzilla from Boban Spasic.
This script just solves the "quick and dirty" requests I get on an almost daily basis. As is the case with any of my scripts, you're welcome to share them, modify them, even call them your own - but please give credit where credit is due, specifically to Jose and Daniel. If you use the script, or its techniques, consider dropping them a line and thanking them for helping educate the rest of us.
Happy Holidays,
Nicholas
jsdecode.pl.txt (rename to jsdecode.pl)
A few of us were talking about Storm the other day, and Paul suggested that perhaps the authors have simply abandoned the current Storm botnet, in favor of laying low for a few months, and releasing a whole new version of the code, one with less bugs and some tactical modifications that might make it harder for security researchers to track them. I'm beginning to wonder if he's right. Storm has been silent since mid November. Is a New Year virus going to be born, something far more intrusive than Storm? Only time will tell. Thankfully we're getting a much needed break, so we can focus on other botnets.
---
There have been a good number of emails coming from users who wonder how we're able to decode some of the JavaScript seen on malware sites. The question usually comes after a reader has spotted a dangerous looking page, and we've confirmed it.
Daniel Wesemann has a great write up here. In fact Daniel sparked my interest in decoding malicious javascript instead of just running it through Rhino.
He and Jose Nazario with Arbor Networks have been great mentors. I thought I'd share something I put together using the skills taught by these two fellows.
I've built an automatic Javascript Decoder, which you can freely download and use. It is coded with an eye towards the unix flavor of OS, but should work fine if you have SpiderMonkey installed for windows, and don't mind modifying the code slightly. Jsdecode a public domain script that is simply a wrapper for Mozilla's SpiderMonkey application. Therefore, SpiderMonkey must be installed before this script will work.
Most of the malicious Javascript can be decoded by simply running it through this script. So far I've only had a handful of malicious javascripts requiring more advanced thought. The script isn't magic. It just creates a document.write function for you, and modifies eval statements so they print to the screen, and reruns the decoded javascript to make sure its just not double encoded. Other security researchers have written much better products, for example Malzilla from Boban Spasic.
This script just solves the "quick and dirty" requests I get on an almost daily basis. As is the case with any of my scripts, you're welcome to share them, modify them, even call them your own - but please give credit where credit is due, specifically to Jose and Daniel. If you use the script, or its techniques, consider dropping them a line and thanking them for helping educate the rest of us.
Happy Holidays,
Nicholas
jsdecode.pl.txt (rename to jsdecode.pl)
Labels: ISC, javascript, nuwar, peacomm, peed, requests, Storm
posted by Nicholas at
01:49
2 Comments
