De-obfuscation online, an example..

luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

Post by luntrus »

Hi forum friends,

Obfuscated code analysis is easy for browsers; they know how to render it. Humans can have some problems seeing what it attempts to do.

I like the following site: http://www.strictly-software.com/unpack-javascript.aspx
And I tried the following code out there, found here: http://securitythoughts.wordpress.com/2 ... t-malware/
And it worked; see the output code, deobfuscated and unpacked, at the online site I mentioned...
Also use this online tool, my friends: http://www.yehg.net/encoding/
and go here: http://www.patzcatz.com/unescape.htm ("Dodem deobfuscation!" worked like a charm)

Well, the obfuscated malware code at hand is known as JS:Obfuscated-BJ [Trj] as it comes detected by avast...
JS/Obfuscated.b is a generic detection for obfuscated malicious script files which attempt to exploit unpatched vulnerabilities in the system. Avast flagged it here: htxp://docs.google.com/View?id=dctvmpj6_28f9pwcrhd

This specially crafted javascript uses various obfuscation techniques to hide the real nature of attacks.

Symptoms -
This detection is sufficiently generic, such that it can cover a number of threats that contain the exploit code. Therefore, it is not possible to describe specific symptoms or details about system changes that can occur from this threat. However, simply seeing this detection does not mean that any exploit code was run at all as such exploit code could only run on a vulnerable system. You all are fully patched and have your wonderful NS up and running, eh, friends?

Additionally some exploits simply cause Internet Explorer to crash and nothing more.

Method of Infection -
This threat could be delivered via an email message, IM or an infectious web page.

luntrus
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.19) Gecko/2010062819 Firefox/3.0.19 Flock/2.6.1
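What the online unpackers in the post do for an eval(unescape(...)) style script can be reproduced statically, without ever letting the script run. The following is an added example, not code from the post or from the tools it links; the two-layer sample it peels is constructed inline and the iframe host example.invalid is a placeholder.

```javascript
// Percent-encode every character, as a packer's escape() layer does;
// used here only to build the constructed sample at the bottom.
function pctEncode(s) {
  return [...s].map(c => "%" + c.charCodeAt(0).toString(16).toUpperCase().padStart(2, "0")).join("");
}

// Decode one layer of %XX / %uXXXX / \xXX / \uXXXX escapes and literal
// String.fromCharCode(n, n, ...) calls. Pure text rewriting; nothing is executed.
function decodeEscapes(s) {
  const hex = (_, h) => String.fromCharCode(parseInt(h, 16));
  return s
    .replace(/%u([0-9a-fA-F]{4})/g, hex)
    .replace(/%([0-9a-fA-F]{2})/g, hex)
    .replace(/\\u([0-9a-fA-F]{4})/g, hex)
    .replace(/\\x([0-9a-fA-F]{2})/g, hex)
    .replace(/String\.fromCharCode\(\s*([\d\s,]+)\)/g, (_, list) =>
      JSON.stringify(list.split(",").map(n => String.fromCharCode(Number(n))).join("")));
}

// A whole script of the form eval(unescape("...")) or eval('...');
// group 2 is the raw content of the string literal.
const EVAL_WRAPPER = /^\s*(?:window\.)?eval\(\s*(?:unescape\(\s*)?(['"])([\s\S]*?)\1\s*\)?\s*\)\s*;?\s*$/;

// Peel eval/unescape wrappers. Returns every layer, outermost first; the last one is
// what the browser would have run. Stops (instead of evaluating) as soon as a layer
// is not a simple wrapper, which is where the human analyst takes over.
function peelLayers(script, maxLayers = 10) {
  const layers = [script];
  let cur = script;
  for (let i = 0; i < maxLayers; i++) {
    const m = EVAL_WRAPPER.exec(cur);
    if (!m) break;
    cur = decodeEscapes(m[2]);
    layers.push(cur);
  }
  return layers;
}

// Triage: which classic drive-by building blocks survive in the innermost layer.
function markers(decoded) {
  const needles = ["iframe", "document.write", "ActiveXObject", "fromCharCode", "unescape", "location"];
  return needles.filter(n => decoded.includes(n));
}

// Constructed, harmless two-layer sample: eval(unescape(...)) wrapping another
// eval(unescape(...)) wrapping a document.write of an iframe to a placeholder host.
const FINAL = 'document.write("<iframe src=\\"http://example.invalid/\\"></iframe>")';
const LAYER1 = "eval(unescape('" + pctEncode(FINAL) + "'))";
const SAMPLE = "eval(unescape('" + pctEncode(LAYER1) + "'))";
console.log(peelLayers(SAMPLE).join("\n--- next layer ---\n"), "\nmarkers:", markers(FINAL));
```

Each peeled layer is plain text you can read or feed to a detection rule; the script itself is never evaluated, so an unpatched analysis box is not at risk from the sample.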