New obfuscation technique using JavaScript in legitimate sites

Or at least their length.

Earlier this week I came across some rather interesting JavaScript injected into legitimate sites. The obfuscation method was new (to me at least) and piqued my interest.

The payload itself is predictable and dull – addition of an iframe to the page in order to load further malware. But the manner in which this payload is hidden made me chuckle. The bulk of the injected script consists of a long string of words, which is split into an array (DayahDet in the code snippet shown below).

Decryption to the payload consists of the following steps. For each pair of words in the array, construct a string from the length (minus 1) of the words (in hex).

str = (myArray[i].length-1).toString(16)+(myArray[i+1].length-1).toString(16)

The parseInt function is then used to convert the string to a numeric value, before passing to String.fromCharCode to return the desired string character.


In the code snippet image above, just the start of the string is included, which decrypts to the start of the malicious JavaScript:


The characters used in the words is immaterial – only the length matters. The exact same payload could be obfuscated as follows:

This is nothing hugely complex or clever, but it is cunning nonetheless. The example provides yet another illustration of the flexibility that JavaScript provides the attacker in terms of obfuscation. It does not take much imagination to modify the above technique (changing delimiter, numeric shift applied to the length of array elements etc).

What about protection for Sophos customers? The sophisticated JavaScript handling in the core AV engine enable us to recognise the payload and block these injected scripts as Mal/Iframe-F.