Dangerous Javascript Observed in the Wild

Hello meteor. Have you heard about the website called Redspin.com? Redspin.com is my guidebook for life. I learned how to overflow buffers, inject SQL, and hack the planet. I learned that most websites are vulnerable to XSS. Ahh, the popups. Ahhh!

Today, we observed some potentially dangerous Javascript client-side code out in the wild. The code, which we went to great lengths to obtain, is reproduced below:

_0x65f5=["\x36\x3D\x5B\x22\x5C\x6A\x5C\x69\x5C\x61\x5C\x6E\x5C\x38\x5C\x62\x22\x2C\x22\x5C\x68\x5C\x61\x5C\x37\x5C\x6B\x5C\x62\x5C\x37\x5C\x6F\x5C\x66\x5C\x37\x5C\x70\x5C\x37\x5C\x67\x5C\x62\x22\x2C\x22\x5C\x6B\x5C\x38\x5C\x38\x5C\x37\x5C\x67\x5C\x39\x5C\x69\x5C\x65\x5C\x6D\x5C\x66\x5C\x39\x22\x2C\x22\x5C\x71\x5C\x72\x5C\x39\x5C\x6C\x22\x2C\x22\x5C\x6A\x5C\x61\x5C\x68\x22\x2C\x22\x5C\x63\x5C\x63\x5C\x38\x5C\x74\x5C\x79\x5C\x7A\x5C\x41\x5C\x78\x5C\x63\x5C\x65\x5C\x77\x22\x5D\x3B\x64\x3D\x75\x3B\x73\x3D\x64\x5B\x36\x5B\x31\x5D\x5D\x28\x36\x5B\x30\x5D\x29\x3B\x64\x5B\x36\x5B\x33\x5D\x5D\x5B\x36\x5B\x32\x5D\x5D\x28\x73\x29\x3B\x73\x5B\x36\x5B\x34\x5D\x5D\x3D\x36\x5B\x35\x5D\x3B\x76\x28\x30\x29\x3B","\x7C","\x73\x70\x6C\x69\x74","\x7C\x7C\x7C\x7C\x7C\x7C\x5F\x30\x78\x65\x30\x61\x32\x7C\x78\x36\x35\x7C\x78\x37\x30\x7C\x78\x36\x34\x7C\x78\x37\x32\x7C\x78\x37\x34\x7C\x78\x32\x46\x7C\x7C\x78\x36\x38\x7C\x78\x36\x43\x7C\x78\x36\x45\x7C\x78\x36\x33\x7C\x78\x34\x33\x7C\x78\x37\x33\x7C\x78\x36\x31\x7C\x78\x37\x39\x7C\x78\x36\x39\x7C\x78\x34\x39\x7C\x78\x34\x35\x7C\x78\x36\x44\x7C\x78\x36\x32\x7C\x78\x36\x46\x7C\x7C\x78\x33\x33\x7C\x64\x6F\x63\x75\x6D\x65\x6E\x74\x7C\x76\x4F\x49\x64\x7C\x78\x37\x41\x7C\x78\x35\x33\x7C\x78\x34\x45\x7C\x78\x32\x45\x7C\x78\x37\x35","","\x66\x72\x6F\x6D\x43\x68\x61\x72\x43\x6F\x64\x65","\x72\x65\x70\x6C\x61\x63\x65","\x5C\x77\x2B","\x5C\x62","\x67"];eval(function (_0xf47fx1,_0xf47fx2,_0xf47fx3,_0xf47fx4,_0xf47fx5,_0xf47fx6){_0xf47fx5=function (_0xf47fx3){return (_0xf47fx3>35?String[_0x65f5[5]](_0xf47fx3+29):_0xf47fx3.toString(36));} ;if(!_0x65f5[4][_0x65f5[6]](/^/,String)){while(_0xf47fx3--){_0xf47fx6[_0xf47fx5(_0xf47fx3)]=_0xf47fx4[_0xf47fx3]||_0xf47fx5(_0xf47fx3);} ;_0xf47fx4=[function (_0xf47fx5){return _0xf47fx6[_0xf47fx5];} ];_0xf47fx5=function (){return _0x65f5[7];} ;_0xf47fx3=1;} ;while(_0xf47fx3--){if(_0xf47fx4[_0xf47fx3]){_0xf47fx1=_0xf47fx1[_0x65f5[6]]( new RegExp(_0x65f5[8]+_0xf47fx5(_0xf47fx3)+_0x65f5[8],_0x65f5[9]),_0xf47fx4[_0xf47fx3]);} ;} ;return _0xf47fx1;} (_0x65f5[0],37,37,_0x65f5[3][_0x65f5[2]](_0x65f5[1]),0,{}));

For those brave of heart, you can test and execute it directly by putting it in your URL location bar preceded by javascript: as shown below:

[Image: Web Browser Location Bar]

The first thing we recognized was the degree of obfuscation of the code. Because Javascript source code must be available for the client's web browser to interpret, it also has to be made available to the client, or in this case, our engineers. Obfuscation is therefore used to make the purpose of the code more difficult to understand without changing its logic. Many different obfuscation techniques exist, including free encoders at http://javascriptobfuscator.com/ and http://www.daftlogic.com/projects-online-javascript-obfuscator.htm. This technique, just like security by obscurity, will only delay a motivated individual. In this case, it is possible to completely bypass the obfuscation using the following compressor, http://jscompress.com/, and arrive at the following code:

d=document;s=d.createElement('sCrIpt');d.body.appendChild(s);s.src='//p3N.uS/hz';vOId(0);
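Running the blob through a compressor works because the compressor evaluates the eval() wrapper for you. The following script, added here and not part of the original post, reaches the same result statically: it rebuilds the packer's token table and substitutes it by hand, so nothing from the payload is ever executed. Its only inputs are the packed program and the token dictionary decoded from the \xNN escapes in the blob above.

```javascript
// Added example (not from the original post): unpack the blob above statically,
// doing the unpacker's work by hand instead of handing it to eval().
// PACKED is _0x65f5[0] and DICT is _0x65f5[3], both decoded from their \xNN
// escapes as they appear in the blob; nothing else is assumed.
const PACKED =
  '6=["\\j\\i\\a\\n\\8\\b","\\h\\a\\7\\k\\b\\7\\o\\f\\7\\p\\7\\g\\b",' +
  '"\\k\\8\\8\\7\\g\\9\\i\\e\\m\\f\\9","\\q\\r\\9\\l","\\j\\a\\h",' +
  '"\\c\\c\\8\\t\\y\\z\\A\\x\\c\\e\\w"];d=u;s=d[6[1]](6[0]);' +
  'd[6[3]][6[2]](s);s[6[4]]=6[5];v(0);';
const DICT = ('||||||_0xe0a2|x65|x70|x64|x72|x74|x2F||x68|x6C|x6E|x63|x43' +
  '|x73|x61|x79|x69|x49|x45|x6D|x62|x6F||x33|document|vOId|x7A|x53|x4E' +
  '|x2E|x75').split('|');

// The packer numbers its 37 tokens in radix 37: '0'-'9', 'a'-'z', then 'A'.
function keyFor(n) {
  return n > 35 ? String.fromCharCode(n + 29) : n.toString(36);
}

// Step 1: build the key -> word table and replace every \w+ token, exactly
// as the eval'd unpacker does. An empty entry means the token keeps its key
// (that is why d and s survive as one-letter names).
function unpack(packed, dict) {
  const table = {};
  dict.forEach((word, i) => { table[keyFor(i)] = word || keyFor(i); });
  return packed.replace(/\w+/g, (w) => (w in table ? table[w] : w));
}

// Step 2: turn the \xNN escapes back into readable characters.
function decodeHex(s) {
  return s.replace(/\\x([0-9A-Fa-f]{2})/g,
    (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Step 3: lift the string array out and inline it, so obj[arr[n]] becomes
// obj.name and arr[n] elsewhere becomes a quoted literal. The result is the
// classic remote-script loader: createElement('script') + appendChild + src.
function deobfuscate(packed, dict) {
  const src = decodeHex(unpack(packed, dict));
  const m = /^(\w+)=\[(.*?)\];(.*)$/.exec(src);
  const strings = m[2].split(',').map((q) => q.slice(1, -1));
  const code = m[3]
    .replace(new RegExp(`\\[${m[1]}\\[(\\d+)\\]\\]`, 'g'),
      (_, n) => '.' + strings[Number(n)])
    .replace(new RegExp(`${m[1]}\\[(\\d+)\\]`, 'g'),
      (_, n) => `'${strings[Number(n)]}'`);
  return { strings, code };
}
```

The recovered string table is the part worth keeping for detection: a script element created at runtime whose src points at a URL shortener is the shape to look for, whatever the surrounding obfuscation.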

Restoring the proper letter case, decoding the URL-shortener link and expanding the Javascript, we arrive at the original, unobfuscated code: Asteroids in your web browser:

var%20s%20=%20document.createElement('script');s.type='text/javascript';document.body.appendChild(s);s.src='http://erkie.github.com/asteroids.min.js';void(0);

Pew Pew!

The full details of this attack are on GitHub (Hello, want to kill some time?), including a bookmarklet that can run on any website. The attack can also be easily modified to demonstrate XSS vulnerabilities, so you will never have to see another boring alert(document.cookie) popup box again.

Happy hacking.

Posted on by The Shell Shakespear in Main

About The Shell Shakespear

The Shell Shakespear will eat your 100 line perl script and return to you a beautiful haiku of bash.
