
Raising the bar: dynamic JavaScript obfuscation

"A couple of days ago one of our readers, Daniel Kluge, pointed us to a
web page with some heavily obfuscated JavaScript code. The operation
was typical and consisted of a compromised site that had an obfuscated
iframe which pointed to the final web site serving various exploits.

The obfuscation of the iframe was relatively simple but the second stage was more heavily obfuscated with some
things we’ve never seen before.

After downloading the JavaScript file it was obvious that all function and variable names are completely random.
Further to that, the deobfuscation function used the well known arguments.callee.toString() trick in order to
prevent modification of the code (so you just can’t replace the final document.write() call to something else
as this will break the deobfuscation function body – attempts such as this one typically throw the function
into an endless loop)." – SANS

Story Link: http://isc.dshield.org/diary.html?storyid=3219
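
The self-check described in the quote, and the usual analyst workaround, as an added example that is not code from the SANS diary or from the sample it discusses: rather than editing the decoder body, leave it byte-for-byte intact and hook `document.write` from outside. The decoder `d`, the length-based key, the `out` hook and the placeholder payload are all constructed for illustration; the real sample's keying scheme is not given on this page.

```javascript
const vm = require("vm");

// Constructed, harmless stand-in for a self-keyed decoder: the key comes
// from the function's own source text via arguments.callee.toString().
const decoderSrc = [
  "function d(a) {",
  "  var k = arguments.callee.toString().length % 256, s = '';",
  "  for (var i = 0; i < a.length; i++) s += String.fromCharCode(a[i] ^ k);",
  "  document.write(s);",
  "}",
].join("\n");

// Constructed placeholder payload (reserved .invalid domain).
const PAYLOAD = '<iframe src="http://example.invalid/"></iframe>';

// Encode the payload with the key of the ORIGINAL decoder, then append the
// call. `src` is the decoder text the analyst actually runs.
function buildSample(src) {
  const key = decoderSrc.length % 256;
  const data = Array.from(PAYLOAD, (c) => c.charCodeAt(0) ^ key);
  return src + "\nd(" + JSON.stringify(data) + ");";
}

// Run a script with a stubbed document.write that records its argument.
// The timeout covers decoders that spin forever once tampered with.
// Note: Node's vm module is not a security boundary; real samples belong
// in an isolated analysis VM.
function runHooked(script) {
  const captured = [];
  const hook = (s) => captured.push(s);
  const sandbox = { document: { write: hook }, out: hook };
  vm.runInNewContext(script, sandbox, { timeout: 1000 });
  return captured.join("");
}

// Approach 1: decoder source untouched, output captured by the hook.
function analyzeUntouched() {
  return runHooked(buildSample(decoderSrc));
}

// Approach 2: the naive edit. Swapping document.write(s) for out(s) changes
// the source length, so the derived key changes and the output is garbage.
function analyzeTampered() {
  const edited = decoderSrc.replace("document.write(s)", "out(s)");
  return runHooked(buildSample(edited));
}

console.log("untouched:", analyzeUntouched());
console.log("tampered :", JSON.stringify(analyzeTampered()));
```
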