Archive for October 2010

jjencode, a new way to obfuscate Javascript

Extraexploit blog reported lately a new wave of infected websites (using joomla CMS) with Javascript code that looks like this :

$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$]
,_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$
$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$
:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_
[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$
_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_
[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.
$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"\""+$.$_$_+(!
[]+"")[$._$_]+$.$$$_+"\\"+$.__$+$.$$_+$._$_+$.__+"(\\\"\\"
+$.__$+$.__$+$.___+$.$$$_+(![]+"")[$._$_]+(![]+"")[$._$_]+
$._$+", \\"+$.__$+$.__$+$._$_+$.$_$_+"\\"+$.__$+$.$$_+$.$$_+$.$_$_
+"\\"+$.__$+$._$_+$._$$+$.$$__+"\\"+$.__$+$.$$_+$._$_+"\\"
+$.__$+$.$_$+$.__$+"\\"+$.__$+$.$$_+$.___+$.__+"\\\"
)"+"\"")())();


It turns out that this new method of obfuscation is actually not totally new, the method is called jjencode and it is available on http://utf-8.jp/public/jjencode.html.

If you ever run onto an obfuscated code like that one, you can use the above website to decode it, (careful with the eval part though), and if you wanted the plain Javascript code you can wrap the encoded code within the following call:
document.write("<textarea>"+ encoded_code +"</textarea>");

Posted in , |

Swedish Greys - a WordPress theme from Nordic Themepark. Converted by LiteThemes.com.