Threat Level: green Handler on Duty: Bojan Zdrnja

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2006-10-31 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Ghoulies and Ghosties

Published: 2006-10-31
Last Updated: 2006-10-31 21:00:38 UTC
by Daniel Wesemann (Version: 1)
0 comment(s)

Ah, scary things are afoot and go bump while you surf the web! Increasingly unfriendly critters are set to leave you the choice between "trick or trick" whenever you open the browser!  One bit that recently caught my eye again is the increasing effort made by Javascript exploit authors to disguise their crud. Take this one:



Now, anyone can tell from looking at this that whoever wrote this code is trying to hide something. Gone are the days when simple substitutions (like: encoded B is an A, encoded C is a B, etc) were used to hide the URLs where the next bit of nefarious code was pulled from. Over the last months, attackers have apparently evolved beyond first grade math, to highly complex :) concoctions involving binary "shift" and "bitwise and" operations. Wow!

Good thing is though, no matter how many turns and twists they take, decoding the mess is still pretty easy. Frequent readers of this diary will know that "amending" such Javascript blobs with a little additional Javascript, like a carefully placed

Keywords:
0 comment(s)
Diary Archives