The Friend
Does anyone have a friend that regularly still sends you crap via email that usually includes a link or some pics? We are all IT security professionals here and know the preachers drill on this topic. Really, we do not like wasting our time on the junk that is sent to us. Delete, Delete, Delete.
BUT, we are also human. We are the weakest link! So, today that one friend sends something over to us. This friend has a great knack for sending water cooler stuff that can warrant a look see. This friend always plants the seed of curiosity. Today, we check our email and there it is, in our inbox. Our guard is down and the flower of curiosity is opening up. In an instant, we click...wait...No. Damn!.
The page loads...
Now. We Need To Know
Did we just infect our system?
We need to know. It is time to act fast. Get to a shell and pull that page down with a text browser ala wget or curl. It is possible for this page to disappear quickly. This sample was sent in by a reader who acted fast. By the time I got around to verifying some things on this sample, the below pasted code was gone.
There are many diaries posted about javascript obfuscation over the years. The two that rise to the top are from Tom Liston [1] and Daniel Wesemann [2] . If your interested in understanding this process further by diving in deeper, I recommend those diaries as required reading.
The Lazy Liston
I deployed a mixture of Toms method and Daniels lazy method. (see diaries mentioned above for more info)
I stripped the HTML, reformatted the Javascript, and added some useful lines for debugging. The image is highlighted with red showing my additions, blue showing unnecessary HTML, and black showing the javascript code that gets debugged.
I used jsc to help me out with the prepared script above. jsc is a command line utility that allows you to run javascript interactively. I inserted a debug and a couple of readline statements to assist. The readline allows me to pause the script to view the output. Pressing enter continues it.
Below is a snapshot of the jsc run of script.js. I pasted and circled the obfuscated strings and the decoded pieces. Note the url listed matches the browser shot up above.
In summary, my diagnosis of the original email and sample with the clickable link, is it is only a spoofed email and intended to be spam. I humbly encourage all to offer any feedback to counter my assessment or offer any added value to it. Many thanks to Lode V. for sending it in!
[1] https://isc.sans.edu/diary.html?storyid=1917
[2] https://isc.sans.edu/diary.html?storyid=2268
-Kevin
--
ISC Handler on Duty
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.