Last week Daniel published the diary Run, Forest! If you are using Snort IDS and running some of the Blackhole signatures from Emerging Threats, you most likely noticed they trigger on Blackhole regularly. Using JSDetox, you can finally view the content of these scripts. All you need is a copy of the script and install JSDetox on a Linux system (mine is running on Slackware).

Steps to Decode Java Obfuscated Script

1- Copy the code into the Code Analysis window and select Analyze.

2- The script will then be formatted in the Code Formatted window.

3- Select Execute, then select Show Code and Send to Analyze to show the script in its actual deobfuscated form.

The final result is quite similar to the Wepawet report in Daniel's diary.

[1] http://www.relentless-coding.com/projects/jsdetox
[2] https://isc.sans.edu/diary.html?storyid=13540
[3] http://wepawet.iseclab.org/view.php?hash=e89cfa2fa6a91f90cfeb125c10c1f0f&t=1340389400&type=js
[4] http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-current_events.rules
[5] http://krebsonsecurity.com/2010/10/java-a-gift-to-exploit-pack-makers/
 

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu