Custom Base64 Decoder

There’s another new exploit pack making its rounds. It seems to be quite pervasive, as I’m seeing its redirect code on many compromised sites. Here’s the redirection script:

And this is the main script of the exploit pack that awaits your browser:

First, let’s pretty this thing up:

Looking at the code, it builds the string “eval” by concatenating “e” + the body tag + a variable containing “l”. It then converts the gibberish at the bottom using a custom Base64-type decoder routine and calls eval on the result. We can get the deobfuscated value to pop up by replacing the eval call with “alert”. Since the alert happens after the decoding step, we don’t need to work through the decoder routine ourselves.

And then you get this:

This is a compressed script so we can replace “eval” with “alert” once more. Then we get this:

This calls up another webpage with a malicious PDF file. If the PC doesn’t have the right version installed, then it shoots out another obfuscated JavaScript that leads to a Java exploit.

But I wanted to go back to the custom Base64 decoder it’s using. A reader sent in a request to add a new feature to the Converter tool I released earlier. That feature was to give the user the ability to use their own custom alphabet. Normally the Base64 alphabet looks like this:


But you can see the custom alphabet the author of the script used:

I quickly wrote a program that can encode and decode using custom alphabets. If I paste the values from the script into the program, we obtain the same results as I got from the manual deobfuscation:
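As an added example (my own code, not the Converter tool or the program mentioned in this post), here is an encoder and decoder that take an arbitrary 64-character alphabet, so you can drop in whatever table an obfuscated script ships with. The script’s real alphabet was only shown as an image here, so the one below is a constructed stand-in (the standard alphabet reversed).

```python
import base64  # only used to cross-check the standard alphabet

STANDARD_ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                     "abcdefghijklmnopqrstuvwxyz"
                     "0123456789+/")
# Constructed stand-in for the script's custom alphabet (the real one was
# shown only in an image): the standard alphabet reversed.
CUSTOM_ALPHABET = STANDARD_ALPHABET[::-1]


def _check_alphabet(alphabet):
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must be 64 distinct characters")


def b64_encode_custom(raw, alphabet=STANDARD_ALPHABET, pad="="):
    """Encode bytes with an arbitrary 64-character alphabet."""
    _check_alphabet(alphabet)
    out = []
    for i in range(0, len(raw), 3):
        chunk = raw[i:i + 3]
        n = int.from_bytes(chunk.ljust(3, b"\0"), "big")
        symbols = [alphabet[(n >> shift) & 0x3F] for shift in (18, 12, 6, 0)]
        keep = len(chunk) + 1  # 1 byte -> 2 symbols, 2 -> 3, 3 -> 4
        out.append("".join(symbols[:keep]) + pad * (4 - keep))
    return "".join(out)


def b64_decode_custom(text, alphabet=STANDARD_ALPHABET, pad="="):
    """Decode text produced with an arbitrary 64-character alphabet.
    Whitespace and trailing padding are ignored, since obfuscated
    scripts often wrap the blob across several lines."""
    _check_alphabet(alphabet)
    table = {c: i for i, c in enumerate(alphabet)}
    text = "".join(text.split()).rstrip(pad)
    bits = nbits = 0
    out = bytearray()
    for ch in text:
        if ch not in table:
            raise ValueError(f"character {ch!r} is not in the alphabet")
        bits = (bits << 6) | table[ch]
        nbits += 6
        if nbits >= 8:  # emit a byte once 8 bits have accumulated
            nbits -= 8
            out.append((bits >> nbits) & 0xFF)
    return bytes(out)


def matches_stdlib(raw):
    """Sanity check: with the standard alphabet we must agree with base64."""
    return b64_encode_custom(raw) == base64.b64encode(raw).decode()
```

Decoding a custom-alphabet blob with the standard table silently yields garbage rather than an error, which is exactly why a script's own table has to be pasted in first.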

I’ll add this feature to the Converter tool when I have time during the holidays but here’s a tool that you can use in the meantime. Special thanks to “TF” for making the request and giving me the idea!

MD5: D8DCE3E2DBC451EA8E3A9B9567B90A3B
Note: I’ve packed this with UPX to keep the file size down but anti-virus may falsely trigger.

This entry was posted in Exploit Packs, Malscript, Tools.

3 Responses to Custom Base64 Decoder

  1. Eddie says:

    Great write-up as usual. Thanks!

  2. I suggest adding a facebook like button for the blog!

  3. jason says:

    I found other samples on pastebin and ran them through virustotal. Microsoft appears to identify them as new blackhole variants, but I haven’t been able to find any confirmation of that.
