A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #28031  by Xylitol
 Tue Mar 15, 2016 9:15 pm
Small write-up for decoding these scripts manually.
Desc here: https://www.microsoft.com/security/port ... /Swabfex.P

Originally received by a friend via spam last week.
The script ends by using eval(); if you use Firefox as browser, you can replace this function by console.log and get the output by using the web developer console (in Tools).
All you need is to create a new file, like test.htm, and put the script tags inside:
Code:
<script>
Your JS here
</script>
So, patch eval() with console.log, fire up the web developer console and drag and drop your created htm into Firefox.
You should end up with an output like eval(function... with p,a,c,k,e,d.
It's Dean's packer; copy the console output (right click on the JS script inside the console > Copy).
Next, download js-beautify; it's a handy tool when it comes to dirty JavaScript, and all you need is to launch index.html.
Copy/paste the hostile code into js-beautify; don't forget to remove the timestamp at the beginning of the code that the web developer console added.
When done, click "Beautify JavaScript or HTML".
It should output something with var _escape = '...
Once again here, copy the code and make a new file, test2.htm, same procedure with <script> hostile code here </script>.
Replace document.write with console.log, and voilà!
Otherwise I suppose tools like JSDetox or Malzilla can do that too.

Related threads: tools recommendation, javascript and rsa
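The eval -> console.log and document.write -> console.log substitutions from the post, automated as an added example (not code from the post or its attachment): each string the script hands to eval() is captured and re-run as the next stage until no eval() call remains, which also peels a Dean Edwards packer layer since its eval() argument is the unpacked source. The sample script is constructed here and uses example.invalid as a placeholder; it is not the Swabfex.P sample. Runs under Node or a browser console.

```javascript
// Run one stage of a script with eval() and document.write() swapped for
// capture functions, the same trick as patching eval -> console.log in Firefox.
// The rest of the stage still executes, so run this in a throwaway VM.
function runStage(code) {
  const captured = { evals: [], writes: [] };
  const fakeEval = (s) => { captured.evals.push(String(s)); };
  const fakeDocument = { write: (s) => { captured.writes.push(String(s)); } };
  // Parameters named 'eval' and 'document' shadow the real ones inside the body.
  new Function('eval', 'document', code)(fakeEval, fakeDocument);
  return captured;
}

// Peel layers: every string handed to eval() is the next stage, re-run it
// until a stage no longer calls eval(). Returns the decoded stages and any
// HTML the script tried to document.write().
function unpack(code, maxDepth = 10) {
  const stages = [];
  const html = [];
  let queue = [code];
  for (let depth = 0; depth < maxDepth && queue.length > 0; depth++) {
    const next = [];
    for (const stage of queue) {
      const out = runStage(stage);
      html.push(...out.writes);
      stages.push(...out.evals);
      next.push(...out.evals);
    }
    queue = next;
  }
  return { stages, html };
}

// Constructed sample (not the real Swabfex script): stage 2 is the
// "var _escape = '...'; document.write(unescape(_escape))" form the post
// describes; stage 1 hides it with a one-character-code shift and eval()s it.
const STAGE2 =
  "var _escape = '%3Cscript%20src%3D%22http%3A%2F%2Fexample.invalid%2Fnext.js%22%3E%3C%2Fscript%3E';\n" +
  'document.write(unescape(_escape));';
const shifted = Array.from(STAGE2, (ch) => String.fromCharCode(ch.charCodeAt(0) + 1)).join('');
const STAGE1 =
  'var s = ' + JSON.stringify(shifted) + ";\nvar o = '';\n" +
  'for (var i = 0; i < s.length; i++) o += String.fromCharCode(s.charCodeAt(i) - 1);\n' +
  'eval(o);';

const result = unpack(STAGE1);
console.log('decoded stage:\n' + result.stages.join('\n---\n'));
console.log('document.write output:\n' + result.html.join('\n'));
```

The captured stage text is what you would paste into js-beautify; the document.write output is what the browser would have rendered.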