Monday, May 18, 2009

Compromise Investigation: JavaScript Unescape

A simple method of obfuscating JavaScript code in a page is to use escaped characters - you get text like this:

\%100\%101\%118\%105\%108\%115\%97\%100\%118\%111\%99\%97\%116\%101\%115\%101\%99\%117\%114\%105\%116\%121
This is then wrapped in a simple call as a normal JavaScript:

eval(unescape('data'));

This results in a block that isn't intelligible to the average user, but which also doesn't require much effort to produce. The example this came from was a simple webpage redirect in a compromised web directory that had been set up as a search engine redirect site. Simple, and yet reasonably effective and somewhat hard to locate using my normal searches.

How can you read this if you run into it? Simple. On a secure machine that is properly protected from exploits, copy the page, make sure that none of the other code is malicious, and replace "eval" with "document.write". Open the page in your web browser and you will see the actual text.
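An offline alternative to the document.write trick, added here as an example and not code from the original post: it locates the eval(unescape('...')) wrapper in a saved page and applies unescape's own decoding rules (%XX and %uXXXX) in Python, so nothing from the suspect page is executed. The sample page and its example.invalid redirect are constructed for the demonstration.

```python
import re

# The wrapper described in the post: eval(unescape('...')) with either quote style.
EVAL_UNESCAPE = re.compile(
    r"eval\s*\(\s*unescape\s*\(\s*(['\"])(.*?)\1\s*\)\s*\)",
    re.DOTALL,
)

# JavaScript unescape() decodes %uXXXX and %XX; anything else is left as-is.
ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")


def js_unescape(s: str) -> str:
    """Decode a string the way JavaScript's unescape() would, without running any JS."""
    def repl(m: re.Match) -> str:
        code = m.group(1) or m.group(2)
        return chr(int(code, 16))
    return ESCAPE.sub(repl, s)


def decode_eval_unescape(page: str) -> list[str]:
    """Return the decoded payload of every eval(unescape('...')) call found in page."""
    return [js_unescape(m.group(2)) for m in EVAL_UNESCAPE.finditer(page)]


# Constructed sample page in the style of the redirect the post describes
# (hypothetical target example.invalid, not a real site).
SAMPLE_PAGE = """<html><body>
<script>
eval(unescape('%64%6F%63%75%6D%65%6E%74%2E%6C%6F%63%61%74%69%6F%6E%3D%22http://example.invalid/%22%3B'));
</script>
</body></html>"""

if __name__ == "__main__":
    for payload in decode_eval_unescape(SAMPLE_PAGE):
        print(payload)  # document.location="http://example.invalid/";
```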

Where did this script point? An alias to another site, both of which appear to be used for search engine based advertising spam.
