Why You Still Receive Phishing Emails And Malware: Mangling The Strings

Basically, web browsers are dumber than most pieces of software, and they are easily tricked. They are also fairly tolerant of incorrect code: they will accept badly formed HTML and try to work out what was meant by it. So, when it comes to security, malware writers have many tricks up their sleeve, and one of them is to encode the strings in their JavaScript as a mixture of hex escapes (base 16, such as \x6b), Unicode escapes (\u0065, a 16-bit UTF-16 code unit) and octal escapes (base 8, such as \137).

So when you view the code and see something like this:

var _={"\137\x6b\u0065\x79\u0053\u0074\x72":(function () { var pI="wxyz0123456789+/=",B="klmnopqrstuv",G="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefg",h="hij"; return G+h+B+pI })(),"\u005f\u0075\164\146\u0038\137\u0065\u006e\u0063\x6f\x64\u0065":function(zt){zt=zt[(String.fromCharCode(0x72,0x65,0x70,108,0141,99,101))](/\r\n/g,(function () { var DS="n",nl="\\"; return nl+DS })());var MF="";var w;for(w=('XROQtltRu'.length-9);w('TFrd'.length*(3*8+6)+7))&&(S<(0x1*1774+274))){MF+=String[((function () { var sD="Code",U="r",T="fromCha"; return T+U+sD })())]

your head will spin. But all that is happening here is that the normal strings we would expect to see in a program (in this case some JavaScript code) are being represented in a way that a plain string matcher will not pick off, and that a human is not going to be able to interpret easily.

  • “\137\x6b\u0065\x79\u0053\u0074\x72” decodes to _keyStr (\137 is ‘_’, octal 137 = decimal 95; \x6b is ‘k’, hex 6b = decimal 107; \u0065 is ‘e’; and so on).
  • “\u005f\u0075\164\146\u0038\137\u0065\u006e\u0063\x6f\x64\u0065” decodes to _utf8_encode, again mixing all three notations (\164 is octal for ‘t’, \146 is octal for ‘f’, \u0038 is ‘8’).

Thus we can see that the escapes decode to ordinary JavaScript identifiers and method names. The browser resolves the escapes before it executes anything, so the script runs exactly as if the strings had been written plainly; a signature scanner matching on the literal source text, or a human reading it, sees none of this unless the characters are decoded before the code is inspected.

So if we just take a ‘k’, we get:

  • Char: ‘k’
  • Decimal: 107
  • Binary: 01101011
  • Hex: 6b
  • Octal: 153
  • HTML entity: &#107;

all of which are valid. There are thus many ways we could represent “_keyStr”.

Also you see something like:

String.fromCharCode(0x72,0x65,0x70,108,0141,99,101)

which is a mixture of hex (beginning with 0x), octal (beginning with a zero) and decimal character codes:

0x72 - r (hex), 0x65 - e (hex), 0x70 - p (hex), 108 - l (decimal), 0141 - a (octal, decimal 97), 99 - c (decimal), 101 - e (decimal).

which is:

replace

Character arrays

Another little trick is to build strings from hex, octal and decimal character codes, for example:

  • var e=String.fromCharCode(0x53,0141,0x66,0x61,0x72,105); gives “Safari” (0x53 is an upper-case ‘S’)
  • var K=String.fromCharCode(0x4c,105,0x6e,117,120); gives “Linux” (0x4c is an upper-case ‘L’)
  • var J=String.fromCharCode(0101,110,0x64,114,111,105,100); gives “Android”
  • var rM=String.fromCharCode(0127,0151,110,0x64,0x6f,0x77,0x73); gives “Windows”
  • var v=String.fromCharCode(0116,101,0164,66,0x53,0104); gives “NetBSD”
  • var x=String.fromCharCode(0x4f,112,0x65,0156,66,0x53,0104); gives “OpenBSD”
  • var BK=String.fromCharCode(97,0162,109,108,0x65); gives “armle”
  • var Ol=String.fromCharCode(0170,0x38,0x36); gives “x86”

With this, a value which starts with a “0” followed by more digits is a legacy octal literal, a value starting with “0x” is hex, and a bare number is the decimal code for the character. One caveat worth knowing when you analyse such code: legacy octal literals such as 0141, and octal escapes such as \137 inside string literals, are only accepted in non-strict JavaScript. Under “use strict” or inside an ES module they are a syntax error, and “08” and “09” are always read as decimal. Obfuscated samples that lean on octal are therefore written for sloppy-mode script tags, and a strict-mode parser will reject them outright.
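Both tricks on this page, escaped string literals such as “\137\x6b\u0065\x79\u0053\u0074\x72” and String.fromCharCode calls with mixed hex, octal and decimal arguments, can be undone without ever evaluating the hostile script. The following is an added example written for this page (it is not code from the original article or from any malware sample): a small Node.js normaliser with its own hand-written escape decoder and numeric-literal parser, run over a constructed sample assembled from the strings discussed above. Function names and the sample are this example's own choices.

```javascript
// Added example: normalise two JavaScript string-obfuscation tricks without eval().
//  1. string literals spelled with \xHH, \uHHHH, \u{H...} or \OOO (octal) escapes
//  2. String.fromCharCode(...) calls whose arguments mix 0x.., 0NNN and decimal literals
// Hand-written decoding only, so it is safe to run on hostile input.

// Decode the body of one JavaScript string literal (without its quotes).
function decodeEscapes(body) {
  let out = '';
  for (let i = 0; i < body.length; i++) {
    const c = body[i];
    if (c !== '\\') { out += c; continue; }
    const n = body[i + 1];
    if (n === 'x') {                                // \xHH
      out += String.fromCharCode(parseInt(body.slice(i + 2, i + 4), 16));
      i += 3;
    } else if (n === 'u' && body[i + 2] === '{') {  // \u{H...} code point
      const end = body.indexOf('}', i);
      out += String.fromCodePoint(parseInt(body.slice(i + 3, end), 16));
      i = end;
    } else if (n === 'u') {                         // \uHHHH UTF-16 code unit
      out += String.fromCharCode(parseInt(body.slice(i + 2, i + 6), 16));
      i += 5;
    } else if (n >= '0' && n <= '7') {              // \OOO legacy octal, max value \377
      const m = /^([0-3][0-7]{0,2}|[4-7][0-7]?)/.exec(body.slice(i + 1))[0];
      out += String.fromCharCode(parseInt(m, 8));
      i += m.length;
    } else {                                        // \n, \", \\ and friends
      const simple = { n: '\n', r: '\r', t: '\t', b: '\b', f: '\f', v: '\v' };
      out += simple[n] !== undefined ? simple[n] : n;
      i += 1;
    }
  }
  return out;
}

// Parse one numeric literal the way a sloppy-mode engine does.
function parseJsNumber(tok) {
  const t = tok.trim();
  if (/^0[xX][0-9a-fA-F]+$/.test(t)) return parseInt(t.slice(2), 16);
  if (/^0[oO][0-7]+$/.test(t))       return parseInt(t.slice(2), 8);
  if (/^0[bB][01]+$/.test(t))        return parseInt(t.slice(2), 2);
  if (/^0[0-7]+$/.test(t))           return parseInt(t.slice(1), 8); // legacy octal: 0141 -> 97
  if (/^[0-9]+$/.test(t))            return parseInt(t, 10);         // 08 and 09 are decimal
  return NaN;
}

// Rewrite String.fromCharCode(<numeric literals>) as the string it builds.
function resolveFromCharCode(src) {
  return src.replace(/String\.fromCharCode\(\s*([0-9xXoObBa-fA-F,\s]+?)\s*\)/g, (whole, args) => {
    const codes = args.split(',').map(parseJsNumber);
    if (codes.some(Number.isNaN)) return whole;    // not all literals: leave it alone
    return JSON.stringify(String.fromCharCode(...codes));
  });
}

// Rewrite every "..." or '...' literal that contains escapes as its plain form.
// (Naive tokenising: a quote inside a regex literal or comment would fool it.)
function resolveStringLiterals(src) {
  return src.replace(/(["'])((?:\\.|(?!\1)[^\\\n])*)\1/g, (whole, quote, body) =>
    body.includes('\\') ? JSON.stringify(decodeEscapes(body)) : whole);
}

function deobfuscate(src) {
  return resolveStringLiterals(resolveFromCharCode(src));
}

// Constructed sample built from the escaped strings shown on this page.
const SAMPLE =
  'var _={"\\137\\x6b\\u0065\\x79\\u0053\\u0074\\x72":1,' +
  '"\\u005f\\u0075\\164\\146\\u0038\\137\\u0065\\u006e\\u0063\\x6f\\x64\\u0065":2};' +
  'zt=zt[String.fromCharCode(0x72,0x65,0x70,108,0141,99,101)](/\\r\\n/g,"\\n");' +
  'var e=String.fromCharCode(0x53,0141,0x66,0x61,0x72,105);';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(deobfuscate(SAMPLE));
  // var _={"_keyStr":1,"_utf8_encode":2};zt=zt["replace"](/\r\n/g,"\n");var e="Safari";
}
```

Run it with node and the _keyStr, _utf8_encode, replace and Safari strings reappear in the clear, ready for an ordinary signature match. It deliberately does not evaluate anything, so it also does not follow strings assembled at run time by concatenation (the (function(){ … return G+h+B+pI })() pattern in the snippet above); recovering those needs a constant-folding pass over the AST or an instrumented sandbox.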

Examples

Here are some other phishing examples (the screenshots from the original post are not reproduced here).