Can you decode this Javascript spam?
April 4, 2012 10:31 AM Subscribe
Help me decode this obfuscated javascript spam document I accidentally ran in my browser
The code is in this pastebin. I basically want to know if anything nefarious happened when I ran it. The only output was the "Loading..." text. Searching Google for the document title or various portions of the code didn't bring anything up.
The code is in this pastebin. I basically want to know if anything nefarious happened when I ran it. The only output was the "Loading..." text. Searching Google for the document title or various portions of the code didn't bring anything up.
pastebin is not loading at the moment, but you'll need to specify your browser and OS before anyone can answer this anyway, so go ahead and get that out of the way.
posted by ook at 10:36 AM on April 4, 2012
posted by ook at 10:36 AM on April 4, 2012
Yeah, Pastebin is down.
posted by Foci for Analysis at 10:37 AM on April 4, 2012
posted by Foci for Analysis at 10:37 AM on April 4, 2012
Response by poster: Well, I hope pasting that javascript didn't crash Pastebin 8p
Here's a copy on PasteAll (seems to have trouble wrapping the long lines tho...)
posted by coffee and minarets at 10:44 AM on April 4, 2012
Here's a copy on PasteAll (seems to have trouble wrapping the long lines tho...)
posted by coffee and minarets at 10:44 AM on April 4, 2012
Best answer: OK, pastebin's back. Permalink to the de-obfuscated file.
posted by jquinby at 10:45 AM on April 4, 2012
posted by jquinby at 10:45 AM on April 4, 2012
Not an expert but it looks like at least part of that script attempts to download at least one (and maybe more than one) trojan'ed PDF - see the 'decoded files' section . The utility also caught an error (around line 50), so maybe that's why it didn't ever complete?
posted by jquinby at 10:50 AM on April 4, 2012
posted by jquinby at 10:50 AM on April 4, 2012
Looks like an exploit pack to me. I wonder if you'll get any hits if you submit the original .js to VirusTotal?
posted by samsara at 11:43 AM on April 4, 2012
posted by samsara at 11:43 AM on April 4, 2012
Best answer: Actually, wasn't hard to scan with the copy you provided. here are the results. It might be a 0-day or very recent exploit as it's not being picked up by many scanners yet, but might get more accurately classified in the next few days.
posted by samsara at 11:47 AM on April 4, 2012
posted by samsara at 11:47 AM on April 4, 2012
Now 10/41 scanners are picking up on it instead of the original 4/41. Microsoft is identifying it as Trojan:JS/PhoexRef.C with a creation date as of yesterday. Even though it did not appear to do anything, you might want to run your system through the gauntlet of malware scanners to ensure you haven't picked up something bad like Zbot or TDSS. (TDSSKiller should do a decent job picking up on these...Malwarebytes might also be worth a run). It's important to keep in mind these 0-day exploits are designed to get around virus scanners, so running as a non-administrator account by default really takes the power of exploits like these. Good luck!
posted by samsara at 8:28 AM on April 5, 2012
posted by samsara at 8:28 AM on April 5, 2012
oops...really takes the power *out* of (or wind out of their sails)
posted by samsara at 8:29 AM on April 5, 2012
posted by samsara at 8:29 AM on April 5, 2012
« Older Help me populate a spreadsheet by scraping an RSS... | meaning of the bumper stickers Newer »
This thread is closed to new comments.
posted by jquinby at 10:36 AM on April 4, 2012