Unobfuscated Javascript Malware - How to detect - an introdu

luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

Post by luntrus »

Dear forum friends and users of NS,

On websites we come across loads of obfuscated JavaScript code, used by code protectors for commercial tracking and evaluation purposes but also by malcreants to avoid detection of code they insert into reputable websites. Detecting this should be done with the utmost care, else you could infect your machine or peripherals. The best policy is to use the browser for this in a sandbox, or to use a sandboxed tool like Malzilla.
Also, preferably disconnect from the Internet and use a virtual closed environment.
To de-obfuscate a URL or JS, the experienced and professional user will know where to go for a generic JavaScript unpacker.
Always use your tools with normal user rights, with the additional protection of the NoScript extension and the RequestPolicy extension inside the Firefox or Flock browser, run in a sandbox environment with the Internet disconnected.
Proceedings:
1. Open a new text file in a text editor.
2. Copy the JavaScript code into the file, including the <script> and </script> tags.
3. Replace all instances of "document.write" and "eval" in the code with "alert". This is the essential and vital step to neutralize the malware, so make sure to do it carefully, step by step.
4. Save the text file with a .html extension.
5. Open the file in Malzilla or a rich-text web browser; the unobfuscated code will be displayed in an alert box. (Lynx: http://lynx.browser.org/ and Lynx Viewer: http://www.delorie.com/web/lynxview.html )

Also, to obfuscate/deobfuscate you could go here: http://www.gosu.pl/decoder/

Pre-evaluation can also be done online, and I use the following range of online tools.
Mind that these online checkers aren't foolproof.
For a mainland China site use: http://www.knownsec.com/en/index.html

If Norton has scanned the site, they also give the malware threats with their location:
http://safeweb.norton.com/
Rather good and reliable if the malcode was not cleansed and updated after or before the crawler visited: http://www.unmaskparasites.com/
Then also try here: https://qa.securecloud.com/reputation/q ... cale=en-US
Scan for iFrames: http://www.novirusthanks.org/services/s ... r-iframes/
Multi-engine av scanner, also for urls: http://scanner.novirusthanks.org/#
You could also query Jotti's and VirusTotal's.
Scan a suspicious URL (Flash/JS) at http://wepawet.iseclab.org/
or use one of their projects here: http://www.cs.ucsb.edu/~seclab/projects.html
From another angle you can get info here: http://sucuri.net/index.php?page=scan
You could also search WOT, a safe-browsing tool: http://www.mywot.com/
Finjan, URL analysis: http://www.finjan.com/Content.aspx?id=574
DrWeb online check: http://online.us.drweb.com/
http://www.anti-malvertising.com/
Mind that real-time and reputation scanners can have their weak spots and do not scan deep enough to get all malware. Google all your finds, and use this add-on for Firefox, MalwareSearch:
https://addons.mozilla.org/en-US/firefox/addon/6718
For IP info: robtex: http://www.robtex.com/

Trust NS, it is getting better and better every day, and whatever you hunt, report it to make it even better. When reporting, suspicious addresses should be notated like hxtp and wXw, and scripts should always be given as screenshots, for obvious reasons and to protect the curious and unaware.

Good hunting,

luntrus
luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

Re: Unobfuscated Javascript Malware - How to detect - an int

Post by luntrus »

Hi forum friends,

An example of analysis of some packed, compressed code (100% benign) to see what it is:
http://jsunpack.jeek.org/dec/go?report= ... 7693618115

luntrus
dhouwn
Bug Buster
Posts: 968
Joined: Thu Mar 19, 2009 12:51 pm

Re: Unobfuscated Javascript Malware - How to detect - an int

Post by dhouwn »

Theoretically, an obfuscation code needs neither document.write() nor eval().