I wanted to see how it worked.
Here is a sample line of the code:
mGdujq['euvLaulm'[VvIf](/[muzLc]/g, EWgUi)]
Now what’s going on here?
Well, plain as day in the source I see a couple very important lines that will help decode this. The lines are:
var EWgUi = '';
var mGdujq = this;
var VvIf = '' + 'replace';
Armed with this information the line decodes easily before our eyes to
What's left to decode is the use of shorthand regular expressions. For example, let's look at this piece of code:
'euvLaulm' is just a regular old string. You can call the string's replace function in many different ways, such as:
var str = 'euvLaulm'; str.replace();
The regex /[muzLc]/g simply matches any single character listed within the square brackets, and the g flag makes it match every occurrence rather than just the first. The full line of code calls for every match to be replaced with '' (an empty string), or in other words, to delete those characters from the string.
The result is the string 'eval'.
Or in code more readable to my own eyes:
this.eval( ltY( this.unescape( IuO )));
Near the end of the code all these strings are concatenated and a series of replace operations are performed to replace all the non-hex characters with '%<hex character>'. The result is a string of URL escape sequences (a percent symbol followed by 2 hex characters). This string is stored in the variable IuO.
The URL escaped data is then unescaped to create an array of bytes (aka, a string, except the bytes aren’t all printable characters, so I can’t call it a string). This data is passed to the ltY function which performs a ( <byte> XOR 13 ) operation on each byte of data. The result is a string of HTML that creates a hidden iframe to some porn referral page and a META refresh that redirects the user to a male supplements web site after 4 seconds.
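The two decoding steps described above (the junk-letter replace trick that yields 'eval', and the unescape-then-XOR-13 unpacking of the payload) reproduced as an added example. This is not the spam script's own code: the function names, the constructed sample HTML, and the encoder that builds the %XX string are mine, and the final eval step is deliberately left out so the decoded HTML is only returned for inspection.

```javascript
// Added example: replays the decoding the post walks through, without
// executing anything the payload contains.

// Step 1: the "padded string + replace" trick.
// 'euvLaulm' with every m, u, z, L and c stripped leaves 'eval'.
// Mirrors  'euvLaulm'['' + 'replace'](/[muzLc]/g, '')  from the sample line.
function recoverName(padded, junkRegex) {
  return padded['' + 'replace'](junkRegex, '');
}

// Constructed sample payload (not the real one from the script): a short
// HTML snippet using a reserved example hostname.
const SAMPLE_HTML =
  '<iframe src="http://example.invalid/" style="display:none"></iframe>';
const XOR_KEY = 13;

// What the spammer's generator must have done: XOR each byte with the key
// and emit it as a %XX escape so the script can rebuild the HTML at run time.
function toEscapedPayload(text, key) {
  let out = '';
  for (const ch of text) {
    const b = (ch.charCodeAt(0) ^ key) & 0xff;
    out += '%' + b.toString(16).toUpperCase().padStart(2, '0');
  }
  return out;
}

// Analog of  ltY(this.unescape(IuO))  : undo the %XX escaping, then XOR
// every byte with the key. Returns the HTML instead of passing it to eval.
function decodePayload(escaped, key) {
  const bytes = unescape(escaped); // one char per byte, 0x00-0xFF
  let out = '';
  for (const ch of bytes) {
    out += String.fromCharCode((ch.charCodeAt(0) ^ key) & 0xff);
  }
  return out;
}

// Stand-alone run: show the recovered name and the round-tripped payload.
console.log(recoverName('euvLaulm', /[muzLc]/g));          // eval
const IuO = toEscapedPayload(SAMPLE_HTML, XOR_KEY);
console.log(IuO.slice(0, 24) + '...');                    // %31%64%6B...
console.log(decodePayload(IuO, XOR_KEY) === SAMPLE_HTML); // true
```

Swapping `eval` for a function that returns the string is the whole point of the exercise: the same decoding the script performs on the victim's browser can be run in a scratch file to see what HTML it would have injected, with no iframe ever being created.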
That was fun. A little sleuthing and puzzle solving. But what is there to take away from all this?
Also curious was the large amount of superfluous statements in the code. Variables would be created without initialization. Then they'd be initialized to an empty string. Then they'd be set to their real value. Three statements to perform an operation that could be done in one. I imagine this, along with the use of random upper and lowercase letters used as variables AND data, makes the code more difficult to parse by hand (or by eye). But a few minutes and a bit of perseverance will overcome that. However, that shows these types of scams are designed with the user who tries to perform a cursory inspection of the underlying code in mind.
And it’s nice to see what kinds of tricks spammers have up their sleeves.