Until today, the sites I had to treat had infected .js files in which the malicious code was appended at the end of the file, where it can be cleaned easily by signature.
An example program for cleaning.
But the virus writers do not stop there and keep developing new methods of infection.
I will describe one of them:
- the malware connects to the site over FTP
- it appends a piece of its own code to the end of the .js file
- an obfuscator encrypts the entire file and saves it
- it waits two weeks or a month, and then a trojan appears in an iframe
Many systems keep weekly backups, so by the time the antivirus starts complaining about the site, every file in the backups has already been saved with the virus in it.
In this case you have to decode the infected file and separate the useful code from the malicious code.
To do this, I replaced window.eval with document.write and dumped the contents into a textarea.
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
</head>
<body>
<script>
document.write('<textarea>');
function kzLIfOuzteVbhCEe(a)...
document.write(kzLIfOuzteVbhCEe("..."));
document.write('</textarea>');
</script>
</body>
</html>
Since it was not a mass infection, I cleaned the site by hand.