It’s not what you write, but the words you use…

Or at least their length.
Earlier this week I came across some rather interesting JavaScript injected into legitimate sites. The obfuscation method was new (to me at least) and piqued my interest.
The payload itself is predictable and dull - addition of an iframe to the page in order to load further malware. But the manner in which this payload is hidden made me chuckle. The bulk of the injected script consists of a long string of words, which is split into an array (DayahDet in the code snippet shown below).

Decrypting the payload consists of the following steps. For each pair of words in the array, construct a string from the length (minus 1) of each of the two words (in hex).
str = (myArray[i].length-1).toString(16)+(myArray[i+1].length-1).toString(16)
The parseInt function is then used to convert the string to a numeric value, before passing to String.fromCharCode to return the desired string character.
String.fromCharCode(parseInt(str,16));
In the code snippet image above, just the start of the string is included, which decrypts to the start of the malicious JavaScript:
document.write(
The characters used in the words are immaterial - only the length matters. The exact same payload could be obfuscated as follows:

This is nothing hugely complex or clever, but it is cunning nonetheless. The (continue reading...)
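
An added example, not part of the original post or the injected script: a decoder for the word-length scheme described above, which an analyst can run over a captured word list without executing the result. The names decodeWordLengths and printableRatio, the 16-character upper bound on word length, and the sample word lists (constructed here from lengths alone) are assumptions made for illustration.

```javascript
// Added example: decode the word-length obfuscation described above.
// Each word carries one hex digit (word length - 1); two words make one character.
function decodeWordLengths(blob) {
  const words = blob.split(/\s+/).filter(Boolean);
  const out = [];
  // Assumption: a trailing unpaired word is padding and is ignored.
  for (let i = 0; i + 1 < words.length; i += 2) {
    const hi = words[i].length - 1;
    const lo = words[i + 1].length - 1;
    // Assumption: a word longer than 16 characters cannot be a single hex digit.
    if (hi > 15 || lo > 15) {
      throw new RangeError(`word pair at index ${i} is outside the 1-16 length range`);
    }
    // Same steps as the post: hex string, parseInt, String.fromCharCode.
    const str = hi.toString(16) + lo.toString(16);
    out.push(String.fromCharCode(parseInt(str, 16)));
  }
  return out.join("");
}

// Triage helper (hypothetical): share of decoded characters that are printable
// ASCII or common whitespace. A ratio near 1 suggests the text really is this scheme.
function printableRatio(text) {
  if (text.length === 0) return 0;
  let printable = 0;
  for (let i = 0; i < text.length; i++) {
    const c = text.charCodeAt(i);
    if ((c >= 0x20 && c <= 0x7e) || c === 0x09 || c === 0x0a || c === 0x0d) printable++;
  }
  return printable / text.length;
}

// Constructed sample: word lengths for the 15 characters the post quotes.
const SAMPLE_LENGTHS = [
  7, 5, 7, 16, 7, 4, 8, 6, 7, 14, 7, 6, 7, 15, 8, 5,
  3, 15, 8, 8, 8, 3, 7, 10, 8, 5, 7, 6, 3, 9,
];
// Two different word lists with identical lengths: only the lengths matter.
const sampleA = SAMPLE_LENGTHS.map((n) => "a".repeat(n)).join(" ");
const sampleB = SAMPLE_LENGTHS.map((n) => "Zq".repeat(n).slice(0, n)).join("\n");

console.log(JSON.stringify(decodeWordLengths(sampleA)));
console.log(JSON.stringify(decodeWordLengths(sampleB)));
console.log(printableRatio(decodeWordLengths(sampleA)));
```

Both samples decode to the same text even though they share no words, which is why signatures keyed on the word content miss this obfuscation.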

Source: SophosLabs blog

Copyright © 2012 The Security Blog. All rights reserved.