Javascript deobfuscation
When tracking webspammers, we more often than not come across complex JavaScript used to cloak where visitors are sent so search engines won’t get wise. But, stubborn as we are, we like to know where our browser would be sent if we clicked the link, so we try to deobfuscate.
Spammers try to use more and more complex techniques, and sometimes it’s hard to see with the naked eye exactly what they’ve done. I’ve got some “translators” in the Decoding section on the Tracing Tools page. But I’ve been looking for something easier as well. This could be used for quite a lot of those pesky scripts. Here’s the whole story:
SANS story on browsers and javascript deobfuscation
And here’s the portion that’s relevant for us:

Basically, the first of these tricks calls for substituting document.write with alert. The brackets after that could be empty, or contain something; just leave the contents as they are. You can make a new HTML page with that code in it and drop it into your browser. Put it in offline mode if you’re unsure you’ve rendered it safe.
Not all JavaScript uses document.write, though. Some scripts use window.location.replace and other tricks.
The last trick they used should be self-explanatory!
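The substitution described above can be automated. The following is an added example, not code from this post or from the SANS story: the function names `defang` and `reveal` are hypothetical, and the sample script and the `spam.example` URL are constructed for illustration.

```javascript
// Added example: the "swap document.write for alert" trick, automated.
// Run it only on an offline, throwaway analysis machine: new Function()
// is NOT a sandbox, it merely shadows the browser names listed below.

// Step 1: the textual substitution the post describes.
function defang(src) {
  return src.replace(/\bdocument\s*\.\s*write(ln)?\s*\(/g, 'alert(');
}

// Step 2: run the rewritten script against inert stand-ins for the
// browser objects, recording what it tried to show and where it tried to go.
function reveal(src) {
  const shown = [];      // strings the script wanted written into the page
  const redirects = [];  // URLs the script wanted the browser to load
  const go = (url) => { redirects.push(String(url)); };
  const location = { replace: go, assign: go };
  Object.defineProperty(location, 'href', { set: go, get: () => '' });
  const alert = (s) => { shown.push(String(s)); };
  const document = { location, write: alert, writeln: alert };
  const window = { location, document, alert };
  try {
    new Function('alert', 'document', 'window', 'location', defang(src))(
      alert, document, window, location);
  } catch (err) {
    // Scripts that need a real DOM fail here; keep the reason for the analyst.
    shown.push('[script threw: ' + err.message + ']');
  }
  return { shown, redirects };
}

// Constructed sample (not from a real spam page): a percent-encoded
// payload that is decoded and then written into the page.
const sample =
  "var s = unescape('%3Cscript%3Elocation.replace(%22http://spam.example/%22)%3C/script%3E');" +
  "document.write(s);";

// Layer 1: the decoded markup is captured as text instead of rendered.
const layer1 = reveal(sample);
console.log(layer1.shown[0]);

// Layer 2: the inner script uses a redirect rather than document.write.
const inner = layer1.shown[0].replace(/<\/?script>/g, '');
console.log(reveal(inner).redirects);
```

Obfuscated pages are often nested several layers deep, so feed each captured string back into `reveal` until a readable URL or plain markup comes out.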
August 2nd, 2006 at 2:15 pm
I clicked the link to the whole story and it seems to be bad.
August 2nd, 2006 at 3:29 pm
Thanks Lucia, it got screwed up when WP decided to parse some stuff that I later took out. I didn’t notice that the link got corrupted at the time.
August 3rd, 2006 at 7:12 pm
MSN is making some improvements in this area (I bet Google and Yahoo are as well, just not publicly stated). Simply put, they use Internet Explorer inside a sandbox environment and let it execute the on-page javascript code. Deobfuscation becomes moot at that point.
If you wanna read more about it, check out the Microsoft Research stuff. Everything’s available via their public whitepapers.