Browsers are Dumb - The Art of Hiding Things
Introduction
Basically, Web browsers are dumber than most pieces of software, and they are easily tricked. They are also fairly robust in handling incorrect code: they will accept incorrect and badly formed HTML and try to understand what was meant by it. So, when it comes to security, malware writers have many tricks up their sleeve, and one of them is to encode strings as a mixture of hex coding (Base 16), Unicode escapes (the 16-bit equivalent of ASCII) and octal coding (Base 8).
So when you view your code and see something like this:
var _={" \137\x6b\u0065\x79\u0053\u0074\x72":(function () { var pI="wxyz0123456789+/=",B="klmnopqrstuv",G="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefg",h="hij"; return G+h+B+pI })()," \u005f\u0075\164\146\u0038\137\u0065\u006e\u0063\x6f\x64\u0065":function(zt){zt=zt[( String.fromCharCode(0x72,0x65,0x70,108,0141,99,101))](/\r\n/g,(function () { var DS="n",nl="\\"; return nl+DS })());var MF="";var w;for(w=('XROQtltRu'.length-9);w('TFrd'.length*(3*8+6)+7))&&(S<(0x1*1774+274))){MF+=String[((function () { var sD="Code",U="r",T="fromCha"; return T+U+sD })())]
your head will spin. But all that is happening here is that the normal strings we would see in a program (in this case some JavaScript code) are being represented in a way that a normal string matcher would not be able to pick off, and that a human is not going to be able to interpret easily.
So I've written a program to decode these, so that you can see them:
- "\137\x6b\u0065\x79\u0053\u0074\x72" https://asecuritysite.com/Coding/num2?sortby=\137\x6b\e\x79\u0053\u0074\x72 which should give _keyStr (\137 is '_' in octal, \x6b is 'k' in hex, and so on).
- "\u005f\u0075\164\146\u0038\137\u0065\u006e\u0063\x6fd\u0065" https://asecuritysite.com/Coding/num2?sortby=\u005f\u0075\164\146\u0038\137\u0065\u006e\u0063\x6fd\u0065 which should give _utf8_encode.
Thus we can see that the results lead to some JavaScript commands, and in this way the browser and any scanners will not be able to detect them (unless there was some processing of the characters before the code was rendered to the browser).
So if we just take a 'k', we get [Ref]:
- Char: 'k'
- Decimal: 107
- Binary: 01101011
- Hex: 6b
- Octal: 153
- HTML: &#107;
all of which are valid. There are thus many ways we could represent "_keyStr".
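As an added example (not the site's own num2 decoder, nor code from the obfuscated script above), the following JavaScript does the same job as the decoding links: it expands the three escape forms named in this post (\xHH hex, \uHHHH Unicode, \NNN octal) back to readable text, and lists the equivalent encodings of a single character the way the 'k' table does. The names decodeEscapes and representations are mine.

```javascript
// Decode the JavaScript string-literal escapes seen in obfuscated code:
//   \xHH    hex, exactly two hex digits
//   \uHHHH  Unicode, exactly four hex digits
//   \NNN    legacy octal, one to three octal digits (still accepted by browsers)
// Any other character is passed through unchanged.
function decodeEscapes(literal) {
  return literal.replace(
    /\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})|\\([0-7]{1,3})/g,
    (_, hex, uni, oct) => {
      if (hex !== undefined) return String.fromCharCode(parseInt(hex, 16));
      if (uni !== undefined) return String.fromCharCode(parseInt(uni, 16));
      return String.fromCharCode(parseInt(oct, 8));
    }
  );
}

// All the equivalent encodings of one character (the 'k' table from the post)
function representations(ch) {
  const code = ch.charCodeAt(0);
  return {
    char: ch,
    decimal: code,
    binary: code.toString(2).padStart(8, "0"),
    hex: code.toString(16),
    octal: code.toString(8),
    html: "&#" + code + ";",
  };
}

// Constructed sample input: the two property names from the obfuscated snippet,
// written here with doubled backslashes so the escapes reach decodeEscapes intact.
const OBFUSCATED_NAMES = [
  "\\137\\x6b\\u0065\\x79\\u0053\\u0074\\x72",
  "\\u005f\\u0075\\164\\146\\u0038\\137\\u0065\\u006e\\u0063\\x6f\\x64\\u0065",
];

for (const name of OBFUSCATED_NAMES) {
  console.log(name, "->", decodeEscapes(name));
}
console.log(representations("k"));
```

The regular expression tries the hex and Unicode forms before the octal one, so a sequence such as \x6f is never misread as a backslash followed by the octal digit 6; a scanner that wants to match on the decoded names rather than the raw bytes only needs to run decodeEscapes over string literals before comparing.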
Also you will see something like:
String.fromCharCode(0x72,0x65,0x70,108,0141,99,101)
which is a mixture of hex, octal (beginning with a zero) and decimal:
0x72 - r (hex), 0x65 - e (hex), 0x70 - p (hex), 108 - l (decimal); 0141 - a (octal), 99 - c (decimal), 101 - e (decimal).
which is:
replace
Hiding in a character array
Another little trick for the malware writer to go under the radar is to build strings from the hex/octal/decimal character codes, for example:
- var e=String.fromCharCode(0x53,0141,0x66,0x61,0x72,105); gives "safari"
- var K=String.fromCharCode(0x4c,105,0x6e,117,120); gives "linux"
- var J=String.fromCharCode(0101,110,0x64,114,111,105,100); gives "Android"
- var rM=String.fromCharCode(0127,0151,110,0x64,0x6f,0x77,0x73); gives "Windows"
- var v=String.fromCharCode(0116,101,0164,66,0x53,0104); gives "NetBSD"
- var x=String.fromCharCode(0x4f,112,0x65,0156,66,0x53,0104); gives "OpenBSD"
- var BK=String.fromCharCode(97,0162,109,108,0x65); gives "armle"
- var Ol=String.fromCharCode(0170,0x38,0x36); gives "x86"
So 0x53 is hex coding for 's', 0141 is octal for 'a', 0x66 is hex for 'f', and so on.
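As an added example (my code, not from the post or from any scanner product), here is the static check a defender would run over a script to reveal these character-array strings before they execute: it finds each String.fromCharCode(...) call whose arguments are all plain numeric literals, interprets every literal the way the JavaScript engine does (0x prefix is hex, a leading zero is legacy octal, otherwise decimal), and prints the string the call builds. The names parseJsNumber, revealFromCharCode and SAMPLE are mine, and SAMPLE is a constructed script made from the examples above.

```javascript
// Interpret one JavaScript numeric literal as the engine does in sloppy mode:
// 0x.. is hex, a leading zero followed by octal digits is legacy octal, else decimal.
// Returns null for anything that is not a plain literal (a variable, an expression).
function parseJsNumber(token) {
  const t = token.trim();
  if (/^0[xX][0-9a-fA-F]+$/.test(t)) return parseInt(t.slice(2), 16);
  if (/^0[0-7]+$/.test(t)) return parseInt(t.slice(1), 8);
  if (/^[0-9]+$/.test(t)) return parseInt(t, 10);
  return null;
}

// Find every String.fromCharCode(...) whose arguments are all numeric literals
// and return the call together with the string it builds. Calls with computed
// arguments are skipped rather than guessed at.
function revealFromCharCode(source) {
  const found = [];
  const re = /String\s*\.\s*fromCharCode\s*\(([^)]*)\)/g;
  let m;
  while ((m = re.exec(source)) !== null) {
    const codes = m[1].split(",").map(parseJsNumber);
    if (codes.length === 0 || codes.some((c) => c === null)) continue;
    found.push({ call: m[0], decoded: String.fromCharCode(...codes) });
  }
  return found;
}

// Constructed sample: the post's examples embedded in a small script, plus one
// call with a non-literal argument that the scanner must leave alone.
const SAMPLE = `
var e=String.fromCharCode(0x53,0141,0x66,0x61,0x72,105);
var K=String.fromCharCode(0x4c,105,0x6e,117,120);
var rM=String.fromCharCode(0127,0151,110,0x64,0x6f,0x77,0x73);
zt=zt[(String.fromCharCode(0x72,0x65,0x70,108,0141,99,101))](/\\r\\n/g,"\\n");
var dyn=String.fromCharCode(n+1);
`;

for (const hit of revealFromCharCode(SAMPLE)) {
  console.log(hit.decoded.padEnd(8), "<-", hit.call);
}
```

Run over SAMPLE this reports Safari, Linux, Windows and replace, which is enough to see that the script is fingerprinting the platform and calling replace under an obscured name. The parser deliberately follows the engine's rules rather than a generic parseInt, because parseInt("0141") would return 141 in decimal and silently produce the wrong character.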