

Can you decode this Javascript spam?
April 4, 2012 10:31 AM   Subscribe

Help me decode this obfuscated javascript spam document I accidentally ran in my browser

The code is in this pastebin. I basically want to know if anything nefarious happened when I ran it. The only output was the "Loading..." text. Searching Google for the document title or various portions of the code didn't bring anything up.
posted by coffee and minarets to Computers & Internet (10 answers total)
 
Pastebin is acting wonky at the moment, but I found a js de-obfuscator here that might be worth a run.
posted by jquinby at 10:36 AM on April 4, 2012


pastebin is not loading at the moment, but you'll need to specify your browser and OS before anyone can answer this anyway, so go ahead and get that out of the way.
posted by ook at 10:36 AM on April 4, 2012


Yeah, Pastebin is down.
posted by Foci for Analysis at 10:37 AM on April 4, 2012


Well, I hope pasting that javascript didn't crash Pastebin 8p

Here's a copy on PasteAll (seems to have trouble wrapping the long lines tho...)
posted by coffee and minarets at 10:44 AM on April 4, 2012


OK, pastebin's back. Permalink to the de-obfuscated file.
posted by jquinby at 10:45 AM on April 4, 2012


Not an expert but it looks like at least part of that script attempts to download at least one (and maybe more than one) trojan'ed PDF - see the 'decoded files' section. The utility also caught an error (around line 50), so maybe that's why it didn't ever complete?
posted by jquinby at 10:50 AM on April 4, 2012


Looks like an exploit pack to me. I wonder if you'll get any hits if you submit the original .js to VirusTotal?
posted by samsara at 11:43 AM on April 4, 2012


Actually, wasn't hard to scan with the copy you provided. Here are the results. It might be a 0-day or very recent exploit as it's not being picked up by many scanners yet, but might get more accurately classified in the next few days.
posted by samsara at 11:47 AM on April 4, 2012


Now 10/41 scanners are picking up on it instead of the original 4/41. Microsoft is identifying it as Trojan:JS/PhoexRef.C with a creation date as of yesterday. Even though it did not appear to do anything, you might want to run your system through the gauntlet of malware scanners to ensure you haven't picked up something bad like Zbot or TDSS. (TDSSKiller should do a decent job picking up on these...Malwarebytes might also be worth a run). It's important to keep in mind these 0-day exploits are designed to get around virus scanners, so running as a non-administrator account by default really takes the power of exploits like these. Good luck!
posted by samsara at 8:28 AM on April 5, 2012


oops...really takes the power *out* of (or wind out of their sails)
posted by samsara at 8:29 AM on April 5, 2012

