I came across a suspicious script in the source codes of one site, is it a virus?
Hello, I came across one very suspicious script in the source codes of one site.
// Obfuscated sample exactly as it was found on the site (one line, unchanged below).
// Structure, in source order:
//   1. _0x087b is a string table; the first IIFE rotates it in place with 0x1f4 (500) push(shift()) steps.
//   2. _0xb087(index) returns an entry of the rotated table.
//   3. eval(...) executes the string returned by an unpacker function, which is fed the packed
//      program text and the '|'-separated word list, both taken from the table.
//   4. _0x2b84d3 is an anti-debugging routine: inside a try/catch it recursively builds and calls
//      functions from the 'debugger' table entry via the 'constructor' entry; it runs once and is
//      then repeated by setInterval every 0xfa0 (4000) ms.
// NOTE(review): to read a sample like this, capture the unpacker's return value and print it
// rather than letting eval() run it.
var _0x087b=['||x2F|x20|x33|x42|_0x9a4f|x54|hi|x2E|x3A|x74|x31|x52|x37|x4E|x6F|x68|x50|x48|var|x70|x4B|x59|x63|x6C|x67|function|console|x73|x72|x76|x62|x6B|x6D|x6E','split','length','constructor','debugger','toString','replace','\x5cw+','k\x206=[\x22\x5c5\x5cn\x5c3\x5cf\x5c5\x5cd\x5c3\x5c2\x5c2\x5c3\x5cj\x5c7\x5c7\x5ci\x5ca\x5c2\x5c2\x5cf\x5c5\x5cd\x5cc\x5c4\x5c4\x5ce\x5c9\x5c7\x5cm\x5c3\x5c2\x5c2\x5c3\x5ch\x5cb\x5cb\x5cl\x5ct\x5ca\x5c2\x5c2\x5cv\x5cx\x5c9\x5co\x5cg\x5cy\x5c2\x5cz\x5cw\x5cu\x5cc\x5c4\x5c4\x5ce\x22,\x22\x5cp\x5cg\x5cq\x22];r\x208(){s[6[1]](6[0])}8()'];(function(_0x192b1a,_0x488129){var _0xdab9d5=function(_0x2b5cd1){while(--_0x2b5cd1){_0x192b1a['push'](_0x192b1a['shift']());}};_0xdab9d5(++_0x488129);}(_0x087b,0x1f4));var _0xb087=function(_0x36ed48,_0x1ee0d4){_0x36ed48=_0x36ed48-0x0;var _0x51c63a=_0x087b[_0x36ed48];return _0x51c63a;};eval(function(_0x3ad680,_0x5a8e53,_0x2e5f02,_0x3ee14b,_0x569d7d,_0xeaf045){_0x569d7d=function(_0x167664){return _0x167664[_0xb087('0x0')](0x24);};if(!''[_0xb087('0x1')](/^/,String)){while(_0x2e5f02--){_0xeaf045[_0x569d7d(_0x2e5f02)]=_0x3ee14b[_0x2e5f02]||_0x569d7d(_0x2e5f02);}_0x3ee14b=[function(_0x46e106){return _0xeaf045[_0x46e106];}];_0x569d7d=function(){return _0xb087('0x2');};_0x2e5f02=0x1;};while(_0x2e5f02--){if(_0x3ee14b[_0x2e5f02]){_0x3ad680=_0x3ad680[_0xb087('0x1')](new RegExp('\x5cb'+_0x569d7d(_0x2e5f02)+'\x5cb','g'),_0x3ee14b[_0x2e5f02]);}}return _0x3ad680;}(_0xb087('0x3'),0x24,0x24,_0xb087('0x4')[_0xb087('0x5')]('|'),0x0,{}));var _0x2b84d3=function(){function _0x6d83fb(_0x1dbe9f){if((''+_0x1dbe9f/_0x1dbe9f)[_0xb087('0x6')]!==0x1||_0x1dbe9f%0x14===0x0){(function(){}[_0xb087('0x7')](_0xb087('0x8'))());}else{(function(){}[_0xb087('0x7')]('debugger')());}_0x6d83fb(++_0x1dbe9f);}try{_0x6d83fb(0x0);}catch(_0x244abc){}};_0x2b84d3();setInterval(function(){_0x2b84d3();},0xfa0);
Your data has not been leaked.
Although theoretically this is possible if a 0day vulnerability was used in the browser itself. But in practice, the chance of this is so small that you should not worry. There are a lot of layers of protection in the browser, so even a buffer overflow won't do much.
It's just obfuscated code. Which means the author just doesn't want you to know what he's doing, but it's not necessarily a virus. See below for what exactly it does. But in general, obfuscation (or at least minification) is found in a lot of places, and on a much larger scale, by kilobytes. This is the norm.
If you want to almost completely rule out attacks through JS, disable it by default. For example, I use the Chrome extension Quick Javascript Switcher. I browse all sites with JS turned off and everything works fine. On the well-known sites that I need to use, such as Google, Yandex and email, it is enabled. And if you suddenly need to turn it on somewhere else (very rarely), it takes one click. Extensions are themselves an interesting topic from an information-security point of view, but that's another story (and you can always download them and use them locally, especially small ones with 30 lines of code).
PS
// String table of the sample, in the order it is stored in the source.
// The numeric comments are these stored positions. The rotation IIFE that follows
// this array reorders it before any e('0x..') lookup is made, so the indices used
// by later lookups do not match these numbers.
var arr=[
'||x2F|x20|x33|x42|_0x9a4f|x54|hi|x2E|x3A|x74|x31|x52|x37|x4E|x6F|x68|x50|x48|var|x70|x4B|x59|x63|x6C|x67|function|console|x73|x72|x76|x62|x6B|x6D|x6E', //0
'split', //1
'length', //2
'constructor', //3
'debugger', //4
'toString', //5
'replace', //6
'\x5cw+', //7
'k\x206=[\x22\x5c5\x5cn\x5c3\x5cf\x5c5\x5cd\x5c3\x5c2\x5c2\x5c3\x5cj\x5c7\x5c7\x5ci\x5ca\x5c2\x5c2\x5cf\x5c5\x5cd\x5cc\x5c4\x5c4\x5ce\x5c9\x5c7\x5cm\x5c3\x5c2\x5c2\x5c3\x5ch\x5cb\x5cb\x5cl\x5ct\x5ca\x5c2\x5c2\x5cv\x5cx\x5c9\x5co\x5cg\x5cy\x5c2\x5cz\x5cw\x5cu\x5cc\x5c4\x5c4\x5ce\x22,\x22\x5cp\x5cg\x5cq\x22];r\x208(){s[6[1]](6[0])}8()' //8
];
// Rotates the string table in place. b arrives as 0x1f4 (500); d(++b) passes 501,
// so while (--c) performs 500 push(shift()) steps. For the 9-entry table this is a
// net left rotation by 500 % 9 = 5 positions.
(function(arr, b) {
var d = function(c) {
while (--c) {
// Move the first entry to the end of the table.
arr['push'](arr['shift']());
}
};
d(++b);
}(arr, 0x1f4));
// Table lookup used by the rest of the script. f is passed as a hex string such as
// '0x3'; subtracting 0x0 coerces it to a number, which then indexes arr.
var e = function(f) {
f = f - 0x0;
var g = arr[f];
return g;
};
// Unpacks the payload and executes it. After the table rotation the lookups resolve to:
// e('0x0') 'toString', e('0x1') 'replace', e('0x2') '\w+', e('0x3') the packed
// program text, e('0x4') the '|'-separated word list, e('0x5') 'split'.
// NOTE(review): eval() runs whatever string the inner function returns; to read a
// sample like this, print that return value instead of evaluating it.
eval(function(h, nn1, i, j, k, m) {
// k(n): the base-36 (0x24) spelling of n, i.e. the token that stands for word n.
k = function(n) {
return n[e('0x0')](0x24);
};
// ''.replace(/^/, String) evaluates to '' where replace() accepts a function
// replacement, so on such engines this branch is taken.
if (!'' [e('0x1')](/^/, String)) {
// Fill m with token -> word; an empty word-list entry maps the token to itself.
while (i--) {
m[k(i)] = j[i] || k(i);
}
// From here a single pass suffices: one callback looks every token up in m ...
j = [function(o) {
return m[o];
}];
// ... and k now supplies the pattern fragment that matches any token.
k = function() {
return e('0x2');
};
i = 0x1;
};
while (i--) {
if (j[i]) {
// Replace each whole-word token in h with its entry from j.
h = h[e('0x1')](new RegExp('\x5cb' + k(i) + '\x5cb', 'g'), j[i]);
}
}
return h;
}(e('0x3'), 0x24, 0x24, e('0x4')[e('0x5')]('|'), 0x0, {}));
// Anti-debugging routine. After the table rotation the lookups resolve to:
// e('0x6') 'length', e('0x7') 'constructor', e('0x8') 'debugger'.
// A `debugger` statement pauses execution only while developer tools are attached,
// so this code gets in the way of inspecting the page rather than doing work itself.
var p = function() {
function q(r) {
// Both branches do the same thing: function(){}.constructor is Function, so each
// builds a function whose body is the statement `debugger` and calls it.
if (('' + r / r)[e('0x6')] !== 0x1 || r % 0x14 === 0x0) {
(function() {} [e('0x7')](e('0x8'))());
} else {
(function() {} [e('0x7')]('debugger')());
}
// No base case: q keeps calling itself with r + 1.
q(++r);
}
try {
q(0x0);
// The empty catch discards whatever error ends the recursion
// (presumably a stack-overflow RangeError).
} catch (ee) {}
};
p();
// Repeat the routine every 0xfa0 = 4000 ms.
setInterval(function() {
p();
}, 0xfa0);
// The same string table with the 500-step rotation already applied by hand
// (stored order rotated left by 5 positions), so e(n) can index it directly.
var arr=[
'toString', //0
'replace', //1
'\x5cw+', //2
'k\x206=[\x22\x5c5\x5cn\x5c3\x5cf\x5c5\x5cd\x5c3\x5c2\x5c2\x5c3\x5cj\x5c7\x5c7\x5ci\x5ca\x5c2\x5c2\x5cf\x5c5\x5cd\x5cc\x5c4\x5c4\x5ce\x5c9\x5c7\x5cm\x5c3\x5c2\x5c2\x5c3\x5ch\x5cb\x5cb\x5cl\x5ct\x5ca\x5c2\x5c2\x5cv\x5cx\x5c9\x5co\x5cg\x5cy\x5c2\x5cz\x5cw\x5cu\x5cc\x5c4\x5c4\x5ce\x22,\x22\x5cp\x5cg\x5cq\x22];r\x208(){s[6[1]](6[0])}8()', //3
'||x2F|x20|x33|x42|_0x9a4f|x54|hi|x2E|x3A|x74|x31|x52|x37|x4E|x6F|x68|x50|x48|var|x70|x4B|x59|x63|x6C|x67|function|console|x73|x72|x76|x62|x6B|x6D|x6E', //4
'split', //5
'length', //6
'constructor', //7
'debugger', //8
];
// Return the table string at position num (the table entries are shuffled).
// num may be a number or a numeric string; subtracting 0 coerces it to a number.
var e = function(num) {
  return arr[num - 0];
};
/**
 * Unpacker taken from the sample: expands the packed program text by replacing
 * every word token with its entry from the word list.
 *
 * @param {string} h - packed program text.
 * @param {number} nn1 - not read by this function.
 * @param {number} i - number of entries in the word list.
 * @param {string[]} j - word list; entry n belongs to the base-36 token for n.
 * @param {*} k - ignored on entry; overwritten internally.
 * @param {Object} m - lookup object that is filled with token -> word pairs.
 * @returns {string} the expanded text.
 */
function getCode(h, nn1, i, j, k, m) {
  let text = h;
  let remaining = i;
  let replacements = j;
  // Token for word n is n written in base 36.
  let tokenFor = (index) => index.toString(0x24);

  // ''.replace(/^/, String) is '' where replace() accepts a function replacement,
  // so this fast path is the one taken on such engines.
  const canUseCallback = !''.replace(/^/, String);
  if (canUseCallback) {
    while (remaining--) {
      const token = tokenFor(remaining);
      // An empty word-list entry means the token stands for itself.
      m[token] = replacements[remaining] || token;
    }
    // One callback resolves every token, and one pattern matches any token.
    replacements = [(word) => m[word]];
    tokenFor = () => '\x5cw+';
    remaining = 0x1;
  }

  while (remaining--) {
    const replacement = replacements[remaining];
    if (replacement) {
      const wholeWord = new RegExp('\x5cb' + tokenFor(remaining) + '\x5cb', 'g');
      text = text.replace(wholeWord, replacement);
    }
  }
  return text;
}
// Decode the payload: e(3) is the packed program text and e(4) is the '|'-separated
// word list from the string table; 36 is both the token base and the word count.
var code = getCode(e(3), 36, 36, e(4).split('|'), 0, {});
// NOTE(review): eval() executes the decoded string. When examining an unfamiliar
// script, log `code` and read it instead of evaluating it.
eval(code);
// Anti-debugging routine with the string-table lookups already resolved. The
// original creates its `debugger` statement through the Function constructor;
// here it is written out directly.
var p = function() {
function q(r) {
// Both branches are the same `debugger` statement, so the condition does not
// change what runs.
if (('' + r / r).length !== 1 || r % 20 === 0) {
debugger;
} else {
debugger;
}
// No base case: q keeps calling itself with r + 1.
q(++r);
}
try {
q(0);
// The empty catch discards whatever error ends the recursion
// (presumably a stack-overflow RangeError).
} catch (ee) {}
};
p();
// Repeat the routine every 4000 ms.
setInterval(function() {
p();
}, 4000);
// The gist of the script: the decoded payload only prints an author banner
// to the console.
function hi() {
  const banner = 'BY NBR // HTTP://NBR1337.TK // https://vk.com/nbr1337';
  console.log(banner);
}
hi();
// Plus the anti-debugging protection (removed here). What remains of the script
// is this single console message.
console.log('BY NBR // HTTP://NBR1337.TK // https://vk.com/nbr1337');