Malicious javascript code in my website

I found this code in my website source code:

var _0xd28d=["\x5F\x30\x78\x33\x32\x6C\x73\x6A\x39","\x5F\x78\x6C\x74","\x5F\x78\x38\x66\x6B\x63\x33","\x66\x6C\x6F\x6F\x72","\x72\x61\x6E\x64\x6F\x6D","\x6C\x65\x6E\x67\x74\x68"];
var _0x9ae4=[_0xd28d[0],12,_0xd28d[1],_0xd28d[2],2,31,Math,_0xd28d[3]];
var _0xcd6e=[_0x9ae4[5],_0x9ae4[0],_0x9ae4[_0x9ae4[4]],_0x9ae4[3],4,_0xd28d[4]];
var _0xr6g0={};
_0xr6g0[_0xcd6e[2]]=0;
_0xr6g0[_0x9ae4[4]]=function (){
var _0x4c68x4={};
_0x4c68x4[_0xd28d[0]]=_0x9ae4[0];
do{
_0x4c68x4[_0x9ae4[0]]+=_0x4c68x4[_0xd28d[0]][_0x9ae4[6][_0x9ae4[7]](_0x9ae4[6][_0xcd6e[5]]()*_0x4c68x4[_0xd28d[0]][_0xd28d[5]])];
}while(_0x4c68x4[_0xd28d[0]][_0xd28d[5]]<_0xcd6e[0]);
_0x4c68x4[_0x4c68x4[_0x9ae4[0]]]=function (){
_0xr6g0[_0xcd6e[2]]++;
_0xr6g0[_0xcd6e[2]]%=_0x9ae4[1];
return _0x4c68x4[_0x4c68x4[_0x9ae4[0]]];
};
return _0x4c68x4[_0x4c68x4[_0xcd6e[1]]];
};
_0xr6g0[_0x9ae4[_0xcd6e[4]]]()()()()()()()()()()()()()()()();

I was wondering, what is it? And what does it do?

asked Apr 18 '10 00:04 by Depami


2 Answers

By itself, the code does nothing useful nor dangerous.

After manually deobfuscating:

count = 0;
func_a = function() {
    func_b = function() {
        count++;
        count %= 12;
        return func_b;
    };
    return func_b;
};
func_a()()()()()()()()()()()()()()()();

Looks more like an invalid attempt to keep the browser busy. But very valid to keep people curious.

UPDATE: fixed the deobfuscation.

answered Oct 18 '22 02:10 by jweyrich


The first 5 lines initialize variables. After decrypting the \x escapes and indexing to other arrays, we get:

_0xd28d = ['_0x32lsj9', '_xlt', '_x8fkc3', 'floor', 'random', 'length']
_0x9ae4 = ['_0x32lsj9', 12, '_xlt', '_x8fkc3', 2, 31, Math, 'floor']
_0xcd6e = [31, '_0x32lsj9', '_xlt', '_x8fkc3', 4, 'random']
_0xr6g0 = {'_xlt': 0}

Lines 6-18 create a function (after expanding the array indexing):

_0xr6g0[2] = function() {
   var _0x4c68x4={};
   _0x4c68x4['_0x32lsj9'] = '_0x32lsj9';

   do{
      _0x4c68x4['_0x32lsj9']+=_0x4c68x4['_0x32lsj9'][Math['floor'](Math['random']()*_0x4c68x4['_0x32lsj9']['length'])];
   } while(_0x4c68x4['_0x32lsj9']['length'] < 31);

   _0x4c68x4[_0x4c68x4['_0x32lsj9']] = function (){
      _0xr6g0['_xlt']++;
      _0xr6g0['_xlt'] %= 12;
      return _0x4c68x4[_0x4c68x4['_0x32lsj9']];
   };

   return _0x4c68x4[_0x4c68x4['_0x32lsj9']];
};

Javascript allows a['b'] as an alternate syntax for a.b, so this is equivalent to:

_0xr6g0[2] = function() {
   var _0x4c68x4 = {'_0x32lsj9': '_0x32lsj9'};

   do{
      _0x4c68x4._0x32lsj9 += _0x4c68x4._0x32lsj9[Math.floor(Math.random()*_0x4c68x4._0x32lsj9.length)];
   } while(_0x4c68x4._0x32lsj9.length < 31);

   _0x4c68x4[_0x4c68x4._0x32lsj9] = function (){
      _0xr6g0._xlt++;
      _0xr6g0._xlt %= 12;
      return _0x4c68x4[_0x4c68x4._0x32lsj9];
   };

   return _0x4c68x4[_0x4c68x4._0x32lsj9];
};

The inner function has a randomly-generated 31-character name that doesn't matter, so it can be simplified to:

_0xr6g0[2] = function() {
   function f()
   {
      _0xr6g0._xlt++;
      _0xr6g0._xlt %= 12;
      return f;
   };

   return f;
};

The last line calls _0xr6g0[2] 16 times, and this is an obfuscated way of writing

_0xr6g0._xlt = 4
answered Oct 18 '22 02:10 by dan04
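The first step of this answer, decoding the \x escapes and chasing the array indices, can be done mechanically and without executing anything. The following is an added example, not code from the answer or the question: a small reader that parses the three array declarations copied from the question, decodes string literals, and resolves references such as _0x9ae4[_0x9ae4[4]] against the tables already decoded. Identifiers it cannot resolve (Math, _0xr6g0) are kept as their names so the result stays a plain description of the data. The names decodeStringTables, resolveExpression, makeReader and decodeHexEscapes are this example's own.

```javascript
// Added example, not code from the original post: static decoding of the obfuscated
// string table. Nothing is evaluated as JavaScript; the declarations are parsed by hand.

// The three data-array declarations, copied from the question (String.raw keeps the \x escapes).
const DECLARATIONS = String.raw`
var _0xd28d=["\x5F\x30\x78\x33\x32\x6C\x73\x6A\x39","\x5F\x78\x6C\x74","\x5F\x78\x38\x66\x6B\x63\x33","\x66\x6C\x6F\x6F\x72","\x72\x61\x6E\x64\x6F\x6D","\x6C\x65\x6E\x67\x74\x68"];
var _0x9ae4=[_0xd28d[0],12,_0xd28d[1],_0xd28d[2],2,31,Math,_0xd28d[3]];
var _0xcd6e=[_0x9ae4[5],_0x9ae4[0],_0x9ae4[_0x9ae4[4]],_0x9ae4[3],4,_0xd28d[4]];
`;

// Decode \xNN escapes inside a string literal body without eval.
function decodeHexEscapes(body) {
  return body.replace(/\\x([0-9A-Fa-f]{2})/g, (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Minimal recursive-descent reader for the value grammar these declarations use:
//   value := "string" | number | identifier ('[' value ']')*
// `tables` holds the arrays decoded so far, keyed by variable name.
function makeReader(src, tables) {
  let pos = 0;
  const skipWs = () => { while (src[pos] === ' ') pos++; };

  function readValue() {
    skipWs();
    const ch = src[pos];
    if (ch === '"' || ch === "'") {
      const end = src.indexOf(ch, pos + 1); // the table contains no escaped quotes
      const raw = src.slice(pos + 1, end);
      pos = end + 1;
      return decodeHexEscapes(raw);
    }
    const num = /^-?\d+/.exec(src.slice(pos));
    if (num) { pos += num[0].length; return Number(num[0]); }
    const id = /^[A-Za-z_$][\w$]*/.exec(src.slice(pos));
    if (!id) throw new Error(`unexpected token at ${pos}: ${src.slice(pos, pos + 10)}`);
    pos += id[0].length;
    // A known table resolves to its array; anything else (Math, _0xr6g0) stays symbolic.
    let value = Object.prototype.hasOwnProperty.call(tables, id[0]) ? tables[id[0]] : id[0];
    while (src[pos] === '[') {
      pos++;
      const index = readValue();
      if (src[pos] !== ']') throw new Error(`expected ] at ${pos}`);
      pos++;
      value = Array.isArray(value) ? value[index] : `${value}[${JSON.stringify(index)}]`;
    }
    return value;
  }

  function readArray() {
    skipWs();
    if (src[pos] !== '[') throw new Error(`expected [ at ${pos}`);
    pos++;
    const items = [];
    skipWs();
    if (src[pos] === ']') { pos++; return items; }
    for (;;) {
      items.push(readValue());
      skipWs();
      if (src[pos] === ',') { pos++; continue; }
      if (src[pos] === ']') { pos++; return items; }
      throw new Error(`expected , or ] at ${pos}`);
    }
  }

  return { readValue, readArray };
}

// Resolve every `var NAME=[...];` line in order, so later tables can reference earlier ones.
function decodeStringTables(source) {
  const tables = {};
  for (const line of source.split('\n')) {
    const m = /^\s*var\s+([\w$]+)\s*=\s*(\[.*\]);?\s*$/.exec(line);
    if (!m) continue;
    tables[m[1]] = makeReader(m[2], tables).readArray();
  }
  return tables;
}

// Resolve a stand-alone index expression, e.g. the callee on the script's last line.
function resolveExpression(expr, tables) {
  return makeReader(expr, tables).readValue();
}

const tables = decodeStringTables(DECLARATIONS);
console.log(tables);
console.log(resolveExpression('_0xr6g0[_0x9ae4[_0xcd6e[4]]]', tables)); // the callee of the last line
```

The same reader resolves any of the index chains in the body of the script, so `_0x4c68x4[_0x9ae4[6][_0x9ae4[7]]` style lookups can be rewritten line by line into the readable form shown in the answer; the only thing it deliberately refuses to do is run the code.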