Irregular Expressions

Jul 20 2012   12:43AM GMT

Side tracked…



Posted by: Dan O'Connor
Tags:
java
java script

I got a funny email today that I started digging into, so I thought I would share as I have been working on little else since.

It came in as a notice from Facebook that someone has posted a picture of me..

Yay! That's so exciting, it was caught by the spam filter so it means it must be a really good picture..

There were a few links embedded in the email, but they all went to the same place.

Here is what it was trying to execute.

<script>
try {
  prototype>0;
} catch(zxc) {
  e=window["eva"+"l"];
  n="89..1125..81..21".split("..");
  h=2;
  s="";
  for(i=0;-623+i<0;i=1+i){
    k=i;
    s=s+String.fromCharCode(n[k]/(i%(h)+9));
  }
  if(012===10)e(s);
}
</script>

Pardon the terrible parsing job I did; the var n has been cut way down to keep it simple.

The basics of what is going on here is that there is something hidden in n (duh) and the surrounding code gets it out and executes it. The key functions we need to know here are split and fromCharCode.

Split does exactly what it sounds like: it splits the text on a given separator, in this case "..", so it produces the pieces of the string free of them. The separators are just added as an attempt to hinder analysis and detection.

fromCharCode will convert a Unicode value into an ASCII character.
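
The decoding loop described above can be reproduced without ever running the payload. The following is an added example, not code from the email or from this post: a small Node.js decoder that applies the same split and fromCharCode steps and returns the result as text instead of handing it to eval. The names decodePayload, SAMPLE and PAGE_FRAGMENT are assumptions, and SAMPLE is a constructed string.

```javascript
// Added example: static decoder for the loader's number-string encoding.
// It never calls eval; the decoded payload is only returned as text.

// Defaults mirror the loader shown in the post: separator "..", h = 2 and
// an offset of 9, so the divisor alternates 9, 10, 9, 10, ...
function decodePayload(encoded, sep = "..", h = 2, offset = 9) {
  const parts = encoded.split(sep);
  const suspect = []; // indexes whose value does not divide evenly
  let text = "";
  parts.forEach((part, i) => {
    const q = Number(part) / ((i % h) + offset);
    // A non-integer quotient means a wrong divisor or a damaged sample.
    if (!Number.isInteger(q)) suspect.push(i);
    // fromCharCode truncates to a 16-bit integer, exactly as in the loader.
    text += String.fromCharCode(q);
  });
  return { text, suspect };
}

// Constructed sample (not taken from the email): the word "benign"
// encoded with the same alternating 9/10 multipliers.
const SAMPLE = "882..1010..990..1050..927..1100";

// The cut-down value of n as it appears in the post.
const PAGE_FRAGMENT = "89..1125..81..21";

for (const input of [SAMPLE, PAGE_FRAGMENT]) {
  const { text, suspect } = decodePayload(input);
  // JSON.stringify escapes control characters so the output is safe to read.
  console.log(input, "=>", JSON.stringify(text), "suspect indexes:", suspect);
}
```

Values that do not divide evenly are reported rather than silently truncated, which makes it obvious when a copied sample has been mangled or the divisor guess is wrong.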

Part 2 is going to show what tools to use to get something out of this with minimal effort.
