Obfuscated script (likely malware)

  • Bernhard Hiller wrote:

    What does the following script do:

    (function() { var b=window,f="chrome",g="jstiming",k="tick";(function(){function d(a){this.t={};this.tick=function(a,d,c){var e=void 0!=c?c:(new Date).getTime();this.t[a]=[e,d];if(void 0==c)try{b.console.timeStamp("CSI/"+a)}catch(h){}};this[k]("start",null,a)}var a;b.performance&&(a=b.performance.timing);var n=a?new d(a.responseStart):new d;b.jstiming={Timer:d,load:n};if(a){var c=a.navigationStart,h=a.responseStart;0<c&&h>=c&&(b[g].srt=h-c)}if(a){var e=b[g].load;0<c&&h>=c&&(e[k]("_wtsrt",void 0,c),e[k]("wtsrt_","_wtsrt",h),e[k]("tbsd_","wtsrt_"))}try{a=null,
    b[f]&&b[f].csi&&(a=Math.floor(b[f].csi().pageT),e&&0<c&&(e[k]("_tbnd",void 0,b[f].csi().startE),e[k]("tbnd_","_tbnd",c))),null==a&&b.gtbExternal&&(a=b.gtbExternal.pageT()),null==a&&b.external&&(a=b.external.pageT,e&&0<c&&(e[k]("_tbnd",void 0,b.external.startE),e[k]("tbnd_","_tbnd",c))),a&&(b[g].pt=a)}catch(p){}})();b.tickAboveFold=function(d){var a=0;if(d.offsetParent){do a+=d.offsetTop;while(d=d.offsetParent)}d=a;750>=d&&b[g].load[k]("aft")};var l=!1;function m(){l||(l=!0,b[g].load[k]("firstScrollTime"))}b.addEventListener?b.addEventListener("scroll",m,!1):b.attachEvent("onscroll",m);
    })();

    I found it embedded in a page which looks harmless... [Edit] I guess it is the same type of hack which I experienced 1.5 years ago on my web site, but the hacker added some more obfuscation now. See Analysing an obfuscated malware script. [/Edit]

    Kornfeld Eliyahu Peter wrote (#2):

    It's not obfuscated, but minified and it looks like a timing function, based on Google's library...

    I'm not questioning your powers of observation; I'm merely remarking upon the paradox of asking a masked man who he is. (V)

    "It never ceases to amaze me that a spacecraft launched in 1977 can be fixed remotely from Earth." ― Brian Cox


      Bernhard Hiller wrote (#3):

      Thanks for your analysis. I hardly ever use JavaScript, so I rely mainly on context and experience. "minify" and "obfuscate" cause the same impression...


        DragonHeart335 wrote (#4):

        Don't know a lot about Javascript, but there seem to be multiple syntax errors in your script.


          Kornfeld Eliyahu Peter wrote (#5):

          Where?


            DragonHeart335 wrote (#6):

            (function() -- Isn't the leading ( a syntax error in Javascript? It is found several times in the script above.


              Kornfeld Eliyahu Peter wrote (#7):

              It's perfectly normal - it's called a closure... https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Closures


                DragonHeart335 wrote (#8):

                Ok, found it. I was looking for the CLOSING parenthesis. When I first loaded it into Notepad++ I didn't see it. Thx for the link.


                  Nicholas Marty wrote (#9):

                  Minifying is just to decrease the size of the script and thus decrease the time needed for loading it from the server. Obfuscating the code is done to protect the code to some degree from being copied by others. You can't compile javascript into a binary form that prevents doing so (you can't compile any .Net applications in that regard either), so in those cases obfuscation makes it harder to understand the code. A small sample (consider this as a piece of pseudo code):

                  function foo() {
                      // do foo
                      var counter = 0;
                      bar(counter);
                  }
                  function bar(myParam) {
                      // do something with myParam
                      var somethingElse = myParam;
                  }

                  and obfuscate it to

                  function a() {      // was foo
                      var c=0;
                      b(c);
                  }
                  function b(c) {     // was bar
                      var d=c;
                  }

                  You don't really know what those functions really do without having the full context, thus making it a lot harder to just copy a function out of the script, "stealing" someone else's hard work. So nothing shady about those (of course you could assume that malicious scripts will usually be obfuscated and minified to prevent users from easily detecting what they are doing).


                    Bernhard Hiller wrote (#10):

                    Thanks for this explanation. It was the context (faked entry in a log file) paired with past experience and the unreadability of that script which made me assume malware. Though minifying scripts may be legitimate to decrease the still increasing enormous volumes of JavaScripts sent over the network with still decreasing "payload" of actual content, it makes distinguishing those scripts from intentionally obfuscated malware scripts extremely hard - thus actually causing security issues.

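Added example (not part of any post in this thread): a static triage pass for the problem raised above, telling a merely minified script from one that carries the usual markers of obfuscated malware, without executing anything. The indicator patterns, the threshold and the second sample are assumptions constructed for illustration; the first sample is the script from the opening post.

```javascript
'use strict';
// Added example: static triage of an inline script. Nothing is executed.
// INDICATORS and the encodedChars threshold are illustrative assumptions,
// not a complete detection rule set.
const INDICATORS = {
  dynamicCode: /\beval\s*\(|\bnew\s+Function\s*\(|\bset(?:Timeout|Interval)\s*\(\s*["'`]/,
  decoding: /\bunescape\s*\(|\batob\s*\(|\bString\.fromCharCode\b|\bdecodeURIComponent\s*\(/,
  domInjection: /\bdocument\.write(?:ln)?\s*\(|\.innerHTML\s*=|\bcreateElement\s*\(\s*["'`](?:script|iframe)/i,
  network: /\bXMLHttpRequest\b|\bfetch\s*\(|\bsendBeacon\s*\(|\bnew\s+Image\b|\.src\s*=|\blocation(?:\.href)?\s*=(?!=)/,
};
const STRING_LITERAL = /"((?:[^"\\\n]|\\.)*)"|'((?:[^'\\\n]|\\.)*)'/g;
const ENCODED_CHAR = /\\x[0-9a-f]{2}|\\u[0-9a-f]{4}|%[0-9a-f]{2}/gi;

function triage(source) {
  // Which indicator families appear anywhere in the source text.
  const flagged = Object.keys(INDICATORS).filter((name) => INDICATORS[name].test(source));
  // Minifiers shorten identifiers but leave string literals readable;
  // encoders turn the literals themselves into \xNN, \uNNNN or %NN runs.
  const literals = [...source.matchAll(STRING_LITERAL)].map((m) => m[1] ?? m[2]);
  const longestLiteral = literals.reduce((max, s) => Math.max(max, s.length), 0);
  const encodedChars = literals.reduce((n, s) => n + (s.match(ENCODED_CHAR) || []).length, 0);
  const needsReview = flagged.length > 0 || encodedChars >= 5;
  return {
    flagged,
    literalCount: literals.length,
    longestLiteral,
    encodedChars,
    verdict: needsReview ? 'needs-review' : 'no-indicators',
  };
}

// Sample 1: the minified script quoted in the opening post of this thread.
const PAGE_SCRIPT = String.raw`(function() { var b=window,f="chrome",g="jstiming",k="tick";(function(){function d(a){this.t={};this.tick=function(a,d,c){var e=void 0!=c?c:(new Date).getTime();this.t[a]=[e,d];if(void 0==c)try{b.console.timeStamp("CSI/"+a)}catch(h){}};this[k]("start",null,a)}var a;b.performance&&(a=b.performance.timing);var n=a?new d(a.responseStart):new d;b.jstiming={Timer:d,load:n};if(a){var c=a.navigationStart,h=a.responseStart;0<c&&h>=c&&(b[g].srt=h-c)}if(a){var e=b[g].load;0<c&&h>=c&&(e[k]("_wtsrt",void 0,c),e[k]("wtsrt_","_wtsrt",h),e[k]("tbsd_","wtsrt_"))}try{a=null,
b[f]&&b[f].csi&&(a=Math.floor(b[f].csi().pageT),e&&0<c&&(e[k]("_tbnd",void 0,b[f].csi().startE),e[k]("tbnd_","_tbnd",c))),null==a&&b.gtbExternal&&(a=b.gtbExternal.pageT()),null==a&&b.external&&(a=b.external.pageT,e&&0<c&&(e[k]("_tbnd",void 0,b.external.startE),e[k]("tbnd_","_tbnd",c))),a&&(b[g].pt=a)}catch(p){}})();b.tickAboveFold=function(d){var a=0;if(d.offsetParent){do a+=d.offsetTop;while(d=d.offsetParent)}d=a;750>=d&&b[g].load[k]("aft")};var l=!1;function m(){l||(l=!0,b[g].load[k]("firstScrollTime"))}b.addEventListener?b.addEventListener("scroll",m,!1):b.attachEvent("onscroll",m);
})();`;

// Sample 2: constructed for contrast; the encoded strings decode to the harmless text "void 0".
const CONSTRUCTED_ENCODED = String.raw`var s="\x76\x6f\x69\x64";eval(unescape("%76%6f%69%64%20%30"));`;

console.log(triage(PAGE_SCRIPT));
console.log(triage(CONSTRUCTED_ENCODED));
```

A `no-indicators` result only means none of these patterns matched; property names assembled from strings at run time escape pattern matching, so the output prioritises manual review and does not clear a script.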

                      jkirkerx wrote (#11):

                      Just for the hell of it, I ran it through the beautifier to get a better look at it. http://jsbeautifier.org/

                      (function () {
                          var b = window,
                              f = "chrome",
                              g = "jstiming",
                              k = "tick";
                          (function () {
                              // Timer: stores [timestamp, reference label] per named tick in this.t
                              function d(a) {
                                  this.t = {};
                                  this.tick = function (a, d, c) {
                                      var e = void 0 != c ? c : (new Date).getTime();
                                      this.t[a] = [e, d];
                                      if (void 0 == c) try {
                                          b.console.timeStamp("CSI/" + a)
                                      } catch (h) {}
                                  };
                                  this[k]("start", null, a)
                              }
                              var a;
                              b.performance && (a = b.performance.timing);
                              var n = a ? new d(a.responseStart) : new d;
                              // Exposed as window.jstiming
                              b.jstiming = {
                                  Timer: d,
                                  load: n
                              };
                              if (a) {
                                  var c = a.navigationStart,
                                      h = a.responseStart;
                                  // srt = responseStart - navigationStart
                                  0 < c && h >= c && (b[g].srt = h - c)
                              }
                              if (a) {
                                  var e = b[g].load;
                                  0 < c && h >= c && (e[k]("_wtsrt", void 0, c), e[k]("wtsrt_", "_wtsrt", h), e[k]("tbsd_", "wtsrt_"))
                              }
                              try {
                                  // Page time from chrome.csi(), gtbExternal or external, whichever exists
                                  a = null,
                                  b[f] && b[f].csi && (a = Math.floor(b[f].csi().pageT), e && 0 < c && (e[k]("_tbnd", void 0, b[f].csi().startE), e[k]("tbnd_", "_tbnd", c))), null == a && b.gtbExternal && (a = b.gtbExternal.pageT()), null == a && b.external && (a = b.external.pageT, e && 0 < c && (e[k]("_tbnd", void 0, b.external.startE), e[k]("tbnd_", "_tbnd", c))), a && (b[g].pt = a)
                              } catch (p) {}
                          })();
                          // Ticks "aft" when the element's summed offsetTop is at most 750
                          b.tickAboveFold = function (d) {
                              var a = 0;
                              if (d.offsetParent) {
                                  do a += d.offsetTop; while (d = d.offsetParent)
                              }
                              d = a;
                              750 >= d && b[g].load[k]("aft")
                          };
                          var l = !1;

                          // Ticks "firstScrollTime" once, on the first scroll event
                          function m() {
                              l || (l = !0, b[g].load[k]("firstScrollTime"))
                          }
                          b.addEventListener ? b.addEventListener("scroll", m, !1) : b.attachEvent("onscroll", m);
                      })();


                        Bernhard Hiller wrote (#12):

                        Thanks for that link.


                          User 11056480 wrote (#13):

                          Malware sucks!! My computer has crashed twice because of it!! Ask someone like me who knows what the pain is!!
