Re: strange script in HTML format mail.

From: Andre Mariën (Andre.Marienat_private)
Date: Mon Apr 23 2001 - 00:39:04 PDT


    The reason for doing such things is evasion.
    You start seeing that in many places:
    just use a dumb encryption technique to
    bypass any pattern-driven detection system,
    be it a content blocker or attack sniffing.
    The evasion works regardless of the smarts to
    detect unwanted content.
    
    KR,
    
    -- André
    
    Nicolas Villatte wrote:
    >
    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    >
    > I received a blank e-mail with JavaScript inserted in the HTML,
    > using Outlook 2000.
    > I wonder what this code represents and how to decode and understand
    > it.
    >
    > Here follows the source code:
    >
    > <html>
    > <head>
    >   <title>HardCore</title>
    >   <meta http-equiv="Content-Type" content="text/html;
    > charset=iso-8859-1">
    > </head>
    >
    > <body bgcolor="#FFFFFF">
    > <script>
    > function Merlin( s ) { var sRet=""; for(j=0; j< s.length; j++ ){ var
    > n= s.charCodeAt(j); if (n>=8364) {n = 128;} sRet +=
    > String.fromCharCode( n - 3 ); } return( sRet ); }
    > var sJsCmds ="" +
    > "?kwpoA?khdgA?wlwohAXqwlwohg#Grfxphqw?2wlwohA?phwd#kwws0htxly@%Frqwhqw
    > 0W|sh%#frqwhqw@%wh{w2kwpo>#fkduvhw@lvr0;;8<04%A?2khdgA?erg|#ejfroru@%&
    > IIIIII%A?wdeoh#erughu@%3%#zlgwk@%:8(%#doljq@%FHQWHU%A##?wuA####?wgA###
    > ###?gly#doljq@%FHQWHU%A########?irqw#idfh@%duldo%#vl}h@%05%#froru@%eod
    > fn%Akdugfruhvh{#grhv#qrw#vhqg#xqvrolflwhg#########hpdlov1#Rqo|#shrsoh#
    > wkdw#kdyh#h{suhvvhg#wkhlu#zloo#wr#uhfhlyh#Kdugfruhvh{#########Pdlo#vkd
    > oo#eh#vhqw#rxu#hpdlo#qhzvohwwhuv1#Lq#dq|#fdvh#ri#glyhujhqfh#iurp######
    > ###wklv#srolf|/#sohdvh#ohw#xv#nqrz#e|#dwwdfklqj#wklv#phvvdjh1?2irqwA##
    > ####?2glyA####?2wgA##?2wuA?2wdeohA?wdeoh#erughu@%3%#zlgwk@%:8(%#doljq@
    > %FHQWHU%A##?wuA####?wgA######?gly#doljq@%FHQWHU%A########?eA?irqw#idfh
    > @%Duldo%#vl}h@%8%#froru@%&;333;3%AKDUGFRUH#VH[#ZHHNO|?2irqwA?2eA######
    > ?2glyA####?2wgA##?2wuA?2wdeohA?wdeoh#erughu@3#zlgwk@6:3#fhoosdgglqj@4#
    > fhoovsdflqj@3#doljq@fhqwhuA##?wuA#####?wg#ejfroru@%EODFN%#zlgwk@433(A#
    > ######?wdeoh#erughu@3#zlgwk@433(#fhoosdgglqj@8#fhoovsdflqj@3A########?
    > wuA###########?wg#ejfroru@%&ffffii%#doljq@OHIW#ydoljq@WRS#zlgwk@433(A#
    > ############?s#doljq@%fhqwhu%A###############?fhqwhuA################?
    > irqw#idfh@duldo#vl}h@5A#?eAolyh#ihhgv#iurp#zhefdpv#dw#krph?2eA1#######
    > ##########Kdugfruhvh{#lv#wkh#eljjhvw#hurwlf#zhefdp#frppxqlw|#lq#wkh#zr
    > uog$#################Fxp#vhh#jluov#iurp#doo#ryhu#wkh#zruog1#?eAPDNH#|R
    > XU#GUHDPV#EHFRPH#################UHDOLW|11111#OLYH$?2eA#hyhu|#gd|#zh#k
    > dyh#qhz#vhqghuv#rqolqh#111fxp#################lqwr#wkh#zruog#ri#?eAOLY
    > H#HURWLF$$$$?euA################?2eA?2irqwA###############?2fhqwhuA###
    > #########?s#doljq@%FHQWHU%A?euA##############?irqw#vl}h@%7%#idfh@%Yhug
    > dqd/#Duldo/#Khoyhwlfd/#vdqv0vhuli%A?eA572:###############IUHH#VH[#VKRZ
    > $?2eA?2irqwA?euA############?wdeoh#erughu@3#zlgwk@433(#fhoosdgglqj@8#f
    > hoovsdflqj@3A##############?wuA#################?wg#doljq@%fhqwhu%A?lp
    > j#vuf@%kwws=22zzz1orolwdo1frp2lpdjhv2ivn491msj%#zlgwk@:;#khljkw@89#dow
    > @%%#erughu@%4%A?d#kuhi@%kwws=22zzz1ylvlw0{1qhw2%A?$00?euA?irqw#idfh@du
    > ldo#vl}h@05AWhhqv?2dA00A?2dA?2wgA################?wg#doljq@%fhqwhu%A?l
    > pj#vuf@%kwws=22zzz1orolwdo1frp2lpdjhv2ivn481msj%#zlgwk@:;#khljkw@89#do
    > w@%%#erughu@%4%A?d#kuhi@%kwws=22zzz1ylvlw0{1qhw2%A?$00?euA?irqw#idfh@d
    > uldo#vl}h@05AFxpvkrwv?2dA00A?2dA?2wgA################?wg#doljq@%fhqwhu
    > %A?lpj#vuf@%kwws=22zzz1orolwdo1frp2lpdjhv2ivn4<1msj%#zlgwk@:;#khljkw@8
    > 9#dow@%%#erughu@%4%A?d#kuhi@%kwws=22zzz1ylvlw0{1qhw2%A?$00?euA?irqw#id
    > fh@duldo#vl}h@05AEljErrev?2dA00A?2dA?2wgA##############?2wuA##########
    > ##?2wdeohA############?wdeoh#erughu@%3%#zlgwk@%:8(%#doljq@%FHQWHU%A###
    > ###########?wuA################?wgA##################?irupA###########
    > #########?lqsxw#w|sh@%EXWWRQ%#ydoxh@%Folfn#khuh#wr#dffhvv#rxu#vlwh%#rq
    > folfn@%zlqgrz1rshq+*kwws=22zzz1orolwdo1frp2vwhdowk2*/#*Vdpsoh*/#*wrroe
    > du@qr/orfdwlrq@qr/gluhfwrulhv@qr/vwdwxv@qr/phqxedu@qr/vfurooeduv@|hv/u
    > hvl}deoh@qr/frs|klvwru|@qr/ixoovfuhhq*,%#qdph@%EXWWRQ%A###############
    > ###?2irupA################?2wgA##############?2wuA############?2wdeohA
    > ############?gly#doljq@%FHQWHU%A##############?euA##############?2glyA
    > ##########?2wgA########?2wuA######?2wdeohA####?2wgA##?2wuA?2wdeohA?wde
    > oh#erughu@%3%#zlgwk@%:8(%#doljq@%FHQWHU%A##?wuA####?wgA######?gly#dolj
    > q@%FHQWHU%A########?irqw#idfh@%Duldo%#vl}h@%5%A?irqw#froru@%eodfn%AWkh
    > #Kdugfruhvh{#Qhzvohwwhu#########lv#vhqw#wr#vxevfulehuv#rqfh#d#zhhn1#Wr
    > #xqvxevfuleh#iurp#wkh#Kdugfruhvh{#########Qhzvohwwhu/)qevs>?euA#######
    > #vlpso|#uhso|#?2irqwAzlwk#uhpryh#lq#wkh#phvvdjh?irqw#froru@%eodfn%#vl}
    > h@05#idfh@%duldo/#duldo%A1?2irqwA?2irqwA#######?2glyA####?2wgA##?2wuA?
    > 2wdeohA?sA)qevs>?2sA?2erg|A?2kwpoA" +
    > "";
    > var s= Merlin( sJsCmds);
    > document.write (s);
    > </script>
    > </body>
    > </html>
    >
    > Nicolas Villatte
    > ______________________________________________________
    > IT Manager
    >
    > Creative Web SPRL
    > Rue Kessels straat, 38
    > 1030 Brussels
    >
    > Office Phone: +32 2 2450110
    > Office Fax: +32 2 2161628
    > Mobile Phone : +32 477 588136
    >
    > Internet Mail: mailto:nicolas.villatteat_private
    > Visit us on the web: http://www.creativeweb.be
    > ______________________________________________________
    >
    > -----BEGIN PGP SIGNATURE-----
    > Version: PGP 6.5.3
    >
    > iQA/AwUBOt/JFYiKIkRfAqJVEQIFywCgkXUJt3zeq5a3gUI3il//5y0ZUpAAoMKq
    > 9Qw9Fdl3cul95H+blsqzhOFs
    > =v8in
    > -----END PGP SIGNATURE-----
    
    --
    André Mariën                  Ubizen
    Phone   +32 16 28 70 00       http://www.ubizen.com
    Fax     +32 16 28 71 00       http://www.securitywatch.com
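The "dumb encryption" in the quoted mail is a Caesar shift: every character of the real HTML was moved up by 3 code points, and the Merlin function moves it back down before document.write puts it in the page. The example below is added here and is not code from either mail; only the merlin decoder is transcribed from the posted script. The sample markup, the hostname example.invalid, the signature list and the findShift helper are constructed for the demonstration and are assumptions, not anything the original sender or the list used.

```javascript
// Added example, not code from the original mail. Only merlin() is
// transcribed from the posted script; everything else (SAMPLE_HTML,
// example.invalid, SIGNATURES, findShift) is constructed for this demo.

// The decoder exactly as the mail carried it: subtract 3 from every UTF-16
// code unit. The n >= 8364 branch maps U+20AC (the Euro sign) back to byte
// 0x80 first; presumably a '}' (0x7D) encoded to 0x80 and a windows-1252
// client rendered that byte as the Euro sign, so the author special-cased it.
function merlin(s) {
  let sRet = "";
  for (let j = 0; j < s.length; j++) {
    let n = s.charCodeAt(j);
    if (n >= 8364) { n = 128; }
    sRet += String.fromCharCode(n - 3);
  }
  return sRet;
}

// Inverse of merlin: add 3 to every code unit. A result of 0x80 is emitted
// as U+20AC to mimic what the recipient's client would have shown.
function encodeLikeMerlin(s) {
  let out = "";
  for (let j = 0; j < s.length; j++) {
    const n = s.charCodeAt(j) + 3;
    out += String.fromCharCode(n === 128 ? 0x20ac : n);
  }
  return out;
}

// Constructed sample of the kind of markup the mail hid. It contains a '}'
// so the Euro-sign path above is exercised on the round trip.
const SAMPLE_HTML =
  '<html><head><style>body{margin:0}</style></head><body>' +
  '<input type="BUTTON" value="Click here" ' +
  'onclick="window.open(\'http://example.invalid/\',\'Sample\',\'toolbar=no\')">' +
  '</body></html>';

// A pattern-driven filter, the way a content blocker or attack sniffer
// matches: fixed patterns for the things it wants to stop (assumed list).
const SIGNATURES = [/window\.open\(/i, /<script/i, /<html/i];

function signatureHits(text) {
  return SIGNATURES.some((re) => re.test(text));
}

// What the filter sees on the wire is the shifted text, which matches
// nothing, while the browser sees the decoded text, which matches.
function evadesSignatures(html) {
  const encoded = encodeLikeMerlin(html);
  return !signatureHits(encoded) && signatureHits(merlin(encoded));
}

// Normalisation a scanner can apply before matching: the obfuscation has no
// key, so try every small downward shift and keep the first output that
// looks like HTML. Returns { shift, decoded } or null.
function findShift(encoded, maxShift = 32) {
  for (let k = 1; k <= maxShift; k++) {
    let out = "";
    for (let j = 0; j < encoded.length; j++) {
      let n = encoded.charCodeAt(j);
      if (n >= 8364) { n = 128; }
      out += String.fromCharCode(n - k);
    }
    if (signatureHits(out)) return { shift: k, decoded: out };
  }
  return null;
}

// The opening characters of the string from the mail itself, as a check
// that the transcribed decoder really recovers readable markup.
const PAGE_PREFIX = "?kwpoA?khdgA?wlwohAXqwlwohg#Grfxphqw?2wlwohA";

function decodePagePrefix() {
  return merlin(PAGE_PREFIX);
}
```

Run in Node or a browser console: decodePagePrefix() yields the start of the hidden document, evadesSignatures(SAMPLE_HTML) is true for the plain pattern matcher, and findShift recovers the offset of 3 without any knowledge of the script. The general point of the reply holds either way: a filter that matches bytes on the wire needs to decode or emulate the script first, otherwise any trivial transform defeats it, and brute-forcing a shift only works because this particular scheme has no key.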
    



    This archive was generated by hypermail 2b30 : Mon Apr 23 2001 - 11:40:56 PDT