Here is how this is done:
- It retrieves the URL where the malicious script is located.
- It retrieves its own function and adds the string of the URL.
- It computes the CRC of the function plus the URL.
- It decrypts an encrypted code in the script body using the CRC that was computed.
- It executes the decrypted code using the eval() function.
Figure 1. Obfuscated code of JS_VIRTOOL
It uses its function and URL location as a decryption code. In this case, the encrypted code which is the real routine of the malware will not execute if the function is tampered and/or the URL is not correct.
If a malware analyst only has the script file sample without knowing where the file was downloaded from, he will not be able to know the malware’s actual routines since the URL is necessary for the decryption to take place. In addition, if this script is placed on another website aside from the “correct” one, it will not be successfully decrypted.
Currently, we have multiple samples that all use this particular technique, but have different encrypted contents. We suspect that they have the same decrypted data, the only difference being the URL location which will decrypt each sample. We believe that this as a technique which is intended to make it more difficult to track the source and cause of infection. This could potentially increase the time before these malicious scripts are detected and the appropriate solutions are released to users.