Making Wacky Redirect Scripts – Part III

This post is the third and final entry of redirect scripts I wrote to test my Javascript Analyzer program.

1. We all know about how to convert IP addresses to decimal. This script has the decimal value of Google’s IP address in the variable “a” but it’s mixed up. All I did was extract the numbers I need and concatenated them into the final decimal value then eval’d it.

2. Similar to the above, I take the decimal value of Google’s IP address but then I convert it to binary. The variable “img5” actually contains the binary value. Just ignore the flowers and toes and you’ll see that the equal sign are the zeros and the other characters are ones. Ahh, do you get it now?

And the parseInt function converts the binary value back to decimal.

3. This script takes the ASCII values of printable characters and makes it into a two-dimensional array. The last chunk of code merely locates the x and y coordinates and pulls in the character to form the redirect.

4. All I did here was convert the redirect code to a higher bit value using the bitwise exclusive OR and then converting it back down.

5. In this script, the alphabet is put into a multi-dimensional array. It’s actually an array inside another array. The variable “a” holds the domain name which is eval’d and executed.

6. The decimals that you see in the following is the redirect code but offset by a value of five. What the code does is decrement the decimal values, convert it to text, then tries to eval it. If it errors then it repeats the function. It keeps doing it until the eval is valid which performs the redirect.

There doesn’t seem to be a straightforward way to reset variables and reuse them in Javascript. If anyone knows how, please let me know.

7. There are certain Javascript keywords that make it look suspicious, such as document.write and eval. Obfuscating these keywords is common among malicious scripts. In this technique, I enumerate Javascript elements found in “this” and call out the ones I want to use by finding those that match a certain letter or length. By doing this, you don’t see suspicious keywords but it performs the redirect action I want.

The final script reads: this.document.write(this.location.href=”http://google.com”);

8. This last one uses a weird technique that I take no credit for. It relies on using arrays to extract letters from built-in Javascript functions. I left in some hints in here for you but it’s possible to produce a script that uses no alphanumeric characters. This one really hurts my brain.

This entry was posted in Malscript and tagged , , . Bookmark the permalink.