What does malicious or obfuscated JavaScript code look like?
by bharathi[ Edit ] 2010-11-02 15:18:22
Malicious JavaScript code directly on your pages (rather than being called by reference as described above) is often "obfuscated", "obscured", "encoded" to make it hard to tell what it does. It looks like an undecipherable jumble, like this (this has been greatly shortened and mangled to make it nonfunctional). Code like this is always suspicious and must be investigated:
script language="JavaScript">function nbsp() {var t,o,l,i,j;var s=''; s+='47116101120'; s+='09711409-9111'; s=s+'120340321-1910'; s=s+'71210581101-11112'; s=s+'9062032'; t='';l=s.length;i=0; while(i<(l-1)) {for(j=0;j<3;j++){t+=s.charAt(i);i++;} if((t-nescape(0xBF))>unscape(0x00)) t-=-(uescape(0x0
+unescae(0x30)); doc.rite(String.froCharCode(t));t='';}}nbsp();
Sometimes VBScript is used instead, so the code starts with:
script language="VBScript"
If in doubt about whether a block of code is malicious, take a snippet of it and do a web search on it.
