Question
I noticed that one of my submission pages with ReCaptcha is pulling this file:
https://stackoverflow.com/questions/23246560
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
Russianhttp://www.google.com/js/th/tCBzJRqneV5tJFCAUdKmLPYTyVH8SN5m5IZzuhnsVzY.js
Of course, being hosted at Google, I want to assume this must be fine. Although the file contents start with this:
/* Anti-spam. Questions? Write to (rot13) guvagvary-dhrfgvbaf@tbbtyr.pbz */
...followed by a very long eval() statement. This is the beginning of it (edit: this is now the entire code block):
(function(){eval('var f=function(a,b,c){if(b=typeof a,"object"==b)if(a){if(a instanceof Array)return"array";if(a instanceof Object)return b;if(c=Object.prototype.toString.call(a),"[object Window]"==c)return"object";if("[object Array]"==c||"number"==typeof a.length&&"undefined"!=typeof a.splice&&"undefined"!=typeof a.propertyIsEnumerable&&!a.propertyIsEnumerable("splice"))return"array";if("[object Function]"==c||"undefined"!=typeof a.call&&"undefined"!=typeof a.propertyIsEnumerable&&!a.propertyIsEnumerable("call"))return"function"}else return"null";else if("function"==b&&"undefined"==typeof a.call)return"object";return b},n=function(a,b,c,d,e){c=a.split("."),d=g,c[0]in d||!d.execScript||d.execScript("var "+c[0]);for(;c.length&&(e=c.shift());)c.length||b===k?d=d[e]?d[e]:d[e]={}:d[e]=b},p=Date.now||function(){return+new Date},r=/&/g,t=/</g,u=/>/g,w=/"/g,x=/\'/g,k=void 0,g=this,z,A="".oa?"".ma():"",E=(/[&<>"\']/.test(A)&&(-1!=A.indexOf("&")&&(A=A.replace(r,"&")),-1!=A.indexOf("<")&&(A=A.replace(t,"<")),-1!=A.indexOf(">")&&(A=A.replace(u,">")),-1!=A.indexOf(\'"\')&&(A=A.replace(w,""")),-1!=A.indexOf("\'")&&(A=A.replace(x,"'"))),new function(){p()},function(a,b,c,d,e,h){try{if(this.j=2048,this.c=[],B(this,this.b,0),B(this,this.l,0),B(this,this.p,0),B(this,this.h,[]),B(this,this.d,[]),B(this,this.H,"object"==typeof window?window:g),B(this,this.I,this),B(this,this.r,0),B(this,this.F,0),B(this,this.G,0),B(this,this.f,C(4)),B(this,this.o,[]),B(this,this.k,{}),this.q=true,a&&","==a[0])this.m=a;else{if(window.atob){for(c=window.atob(a),a=[],e=d=0;e<c.length;e++){for(h=c.charCodeAt(e);255<h;)a[d++]=h&255,h>>=8;a[d++]=h}b=a}else b=null;(this.e=b)&&this.e.length?(this.K=[],this.s()):this.g(this.U)}}catch(l){D(this,l)}}),G=(E.prototype.g=function(a,b,c,d){d=this.a(this.l),a=[a,d>>8&255,d&255],c!=k&&a.push(c),0==this.a(this.h).length&&(this.c[this.h]=k,B(this,this.h,a)),c="",b&&(b.message&&(c+=b.message),b.stack&&(c+=":"+b.stack)),3<this.j&&(c=c.slice(0,this.j-3),this.j-=c.length+3,c=F(c),G(this,this.f,H(c.length,2).concat(c),this.$))},function(a,b,c,d,e,h){for(e=a.a(b),b=b==a.f?function(b,c,d,h){if(c=e.length,d=c-4>>3,e.ba!=d){e.ba=d,d=(d<<3)-4,h=[0,0,0,a.a(a.G)];try{e.aa=I(J(e,d),J(e,d+4),h)}catch(s){throw s;}}e.push(e.aa[c&7]^b)}:function(a){e.push(a)},d&&b(d&255),d=c.length,h=0;h<d;h++)b(c[h])}),K=function(a,b,c,d,e,h,l,q,m){return c=function(a,s,v){for(a=d[e.D],s=a===b,a=a&&a[e.D],v=0;a&&a!=h&&a!=l&&a!=q&&a!=m&&20>v;)v++,a=a[e.D];return c[e.ga+s+!(!a+(v>>2))]},d=function(){return c()},e=E.prototype,h=e.s,l=e.Q,m=e.g,q=E,d[e.J]=e,c[e.fa]=a,a=k,d},L=function(a,b,c){if(b=a.a(a.b),!(b in a.e))throw a.g(a.Y),a.u;return a.t==k&&(a.t=J(a.e,b-4),a.B=k),a.B!=b>>3&&(a.B=b>>3,c=[0,0,0,a.a(a.p)],a.Z=I(a.t,a.B,c)),B(a,a.b,b+1),a.e[b]^a.Z[b%8]},F=function(a,b,c,d,e){for(a=a.replace(/\\r\\n/g,"\\n"),b=[],d=c=0;d<a.length;d++)e=a.charCodeAt(d),128>e?b[c++]=e:(2048>e?b[c++]=e>>6|192:(b[c++]=e>>12|224,b[c++]=e>>6&63|128),b[c++]=e&63|128);return b},B=function(a,b,c){if(b==a.b||b==a.l)a.c[b]?a.c[b].V(c):a.c[b]=M(c);else if(b!=a.d&&b!=a.f&&b!=a.h||!a.c[b])a.c[b]=K(c,a.a);b==a.p&&(a.t=k,B(a,a.b,a.a(a.b)+4))},I=function(a,b,c,d){try{for(d=0;76138654016!=d;)a+=(b<<4^b>>>5)+b^d+c[d&3],d+=2379332938,b+=(a<<4^a>>>5)+a^d+c[d>>>11&3];return[a>>>24,a>>16&255,a>>8&255,a&255,b>>>24,b>>16&255,b>>8&255,b&255]}catch(e){throw e;}},N=function(a,b){return b<=a.ca?b==a.h||b==a.d||b==a.f||b==a.o?a.n:b==a.P||b==a.H||b==a.I||b==a.k?a.v:b==a.w?a.i:4:[1,2,4,a.n,a.v,a.i][b%a.da]},O=(E.prototype.la=function(a,b){b.push(a[0]<<24|a[1]<<16|a[2]<<8|a[3]),b.push(a[4]<<24|a[5]<<16|a[6]<<8|a[7]),b.push(a[8]<<24|a[9]<<16|a[10]<<8|a[11])},function(a,b,c,d){for(b={},b.N=a.a(L(a)),b.O=L(a),c=L(a)-1,d=L(a),b.self=a.a(d),b.C=[];c--;)d=L(a),b.C.push(a.a(d));return b}),Q=(E.prototype.ja=function(a,b,c,d){if(3==a.length){for(c=0;3>c;c++)b[c]+=a[c];for(d=[13,8,13,12,16,5,3,10,15],c=0;9>c;c++)b[3](b,c%3,d[c])}},function(a,b,c,d){return c=a.a(a.b),a.e&&c<a.e.length?(B(a,a.b,a.e.length),P(a,b)):B(a,a.b,b),d=a.s(),B(a,a.b,c),d}),H=(E.prototype.ka=function(a,b,c,d){d=a[(b+2)%3],a[b]=a[b]-a[(b+1)%3]-d^(1==b?d<<c:d>>>c)},function(a,b,c,d){for(d=b-1,c=[];0<=d;d--)c[b-1-d]=a>>8*d&255;return c}),M=function(a,b,c){return b=function(){return c()},b.V=function(b){a=b},c=function(){return a},b},R=function(a,b,c,d){return function(){if(!d||a.q)return B(a,a.P,arguments),B(a,a.k,c),Q(a,b)}},P=(E.prototype.a=function(a,b){if(b=this.c[a],b===k)throw this.g(this.ea,0,a),this.u;return b()},function(a,b){a.K.push(a.c.slice()),a.c[a.b]=k,B(a,a.b,b)}),J=function(a,b){return a[b]<<24|a[b+1]<<16|a[b+2]<<8|a[b+3]},C=function(a,b){for(b=Array(a);a--;)b[a]=255*Math.random()|0;return b},D=function(a,b){a.m=("E:"+b.message+":"+b.stack).slice(0,2048)};z=E.prototype,z.M=[function(){},function(a,b,c,d,e){b=L(a),c=L(a),d=a.a(b),b=N(a,b),e=N(a,c),e==a.i||e==a.n?d=""+d:0<b&&(1==b?d&=255:2==b?d&=65535:4==b&&(d&=4294967295)),B(a,c,d)},function(a,b,c,d,e,h,l,q,m){if(b=L(a),c=N(a,b),0<c){for(d=0;c--;)d=d<<8|L(a);B(a,b,d)}else if(c!=a.v){if(d=L(a)<<8|L(a),c==a.i)if(c="",a.c[a.w]!=k)for(e=a.a(a.w);d--;)h=e[L(a)<<8|L(a)],c+=h;else{for(c=Array(d),e=0;e<d;e++)c[e]=L(a);for(d=c,c=[],h=e=0;e<d.length;)l=d[e++],128>l?c[h++]=String.fromCharCode(l):191<l&&224>l?(q=d[e++],c[h++]=String.fromCharCode((l&31)<<6|q&63)):(q=d[e++],m=d[e++],c[h++]=String.fromCharCode((l&15)<<12|(q&63)<<6|m&63));c=c.join("")}else for(c=Array(d),e=0;e<d;e++)c[e]=L(a);B(a,b,c)}},function(a){L(a)},function(a,b,c,d){b=L(a),c=L(a),d=L(a),c=a.a(c),b=a.a(b),B(a,d,b[c])},function(a,b,c){b=L(a),c=L(a),b=a.a(b),B(a,c,f(b))},function(a,b,c,d,e){b=L(a),c=L(a),d=N(a,b),e=N(a,c),c!=a.h&&(d==a.i&&e==a.i?(a.c[c]==k&&B(a,c,""),B(a,c,a.a(c)+a.a(b))):e==a.n&&(0>d?(b=a.a(b),d==a.i&&(b=F(""+b)),c!=a.d&&c!=a.f&&c!=a.o||G(a,c,H(b.length,2)),G(a,c,b)):0<d&&G(a,c,H(a.a(b),d))))},function(a,b,c){b=L(a),c=L(a),B(a,c,function(a){return eval(a)}(a.a(b)))},function(a,b,c){b=L(a),c=L(a),B(a,c,a.a(c)-a.a(b))},function(a,b){b=O(a),B(a,b.O,b.N.apply(b.self,b.C))},function(a,b,c){b=L(a),c=L(a),B(a,c,a.a(c)%a.a(b))},function(a,b,c,d,e){b=L(a),c=a.a(L(a)),d=a.a(L(a)),e=a.a(L(a)),a.a(b).addEventListener(c,R(a,d,e,true),false)},function(a,b,c,d){b=L(a),c=L(a),d=L(a),a.a(b)[a.a(c)]=a.a(d)},function(){},function(a,b,c){b=L(a),c=L(a),B(a,c,a.a(c)+a.a(b))},function(a,b,c){b=L(a),c=L(a),0!=a.a(b)&&B(a,a.b,a.a(c))},function(a,b,c,d){b=L(a),c=L(a),d=L(a),a.a(b)==a.a(c)&&B(a,d,a.a(d)+1)},function(a,b,c,d){b=L(a),c=L(a),d=L(a),a.a(b)>a.a(c)&&B(a,d,a.a(d)+1)},function(a,b,c,d){b=L(a),c=L(a),d=L(a),B(a,d,a.a(b)<<c)},function(a,b,c,d){b=L(a),c=L(a),d=L(a),B(a,d,a.a(b)|a.a(c))},function(a,b){b=a.a(L(a)),P(a,b)},function(a,b,c,d){if(b=a.K.pop()){for(c=L(a);0<c;c--)d=L(a),b[d]=a.c[d];a.c=b}else B(a,a.b,a.e.length)},function(a,b,c,d){b=L(a),c=L(a),d=L(a),B(a,d,(a.a(b)in a.a(c))+0)},function(a,b,c,d){b=L(a),c=a.a(L(a)),d=a.a(L(a)),B(a,b,R(a,c,d))},function(a,b,c){b=L(a),c=L(a),B(a,c,a.a(c)*a.a(b))},function(a,b,c,d){b=L(a),c=L(a),d=L(a),B(a,d,a.a(b)>>c)},function(a,b,c,d){b=L(a),c=L(a),d=L(a),B(a,d,a.a(b)||a.a(c))},function(a,b,c,d,e){b=O(a),c=b.C,d=b.self,e=b.N;switch(c.length){case 0:c=new d[e];break;case 1:c=new d[e](c[0]);break;case 2:c=new d[e](c[0],c[1]);break;case 3:c=new d[e](c[0],c[1],c[2]);break;case 4:c=new d[e](c[0],c[1],c[2],c[3]);break;default:a.g(a.A);return}B(a,b.O,c)},function(a,b,c,d,e,h){if(b=L(a),c=L(a),d=L(a),e=L(a),b=a.a(b),c=a.a(c),d=a.a(d),a=a.a(e),"object"==f(b)){for(h in e=[],b)e.push(h);b=e}for(h=b.length,e=0;e<h;e+=d)c(b.slice(e,e+d),a)}],z.b=0,z.p=1,z.h=2,z.l=3,z.d=4,z.w=5,z.P=6,z.L=8,z.H=9,z.I=10,z.r=11,z.F=12,z.G=13,z.f=14,z.o=15,z.k=16,z.ca=17,z.R=253,z.$=254,z.S=248,z.T=216,z.da=6,z.i=-1,z.n=-2,z.v=-3,z.U=17,z.W=21,z.A=22,z.ea=30,z.Y=31,z.X=33,z.u={},z.D="caller",z.J="toString",z.ga=34,z.fa=36,E.prototype.ia=function(a){return(a=window.performance)&&a.now?function(){return a.now()|0}:function(){return+new Date}}(),E.prototype.Q=function(a,b,c,d,e,h,l,q,m,y,s){if(this.m)return this.m;try{if(this.q=false,b=this.a(this.d).length,c=this.a(this.f).length,d=this.j,this.c[this.L]&&Q(this,this.a(this.L)),e=this.a(this.h),0<e.length&&G(this,this.d,H(e.length,2).concat(e),this.R),h=this.a(this.F)&255,h-=this.a(this.d).length+4,l=this.a(this.f),4<l.length&&(h-=l.length+3),0<h&&G(this,this.d,H(h,2).concat(C(h)),this.S),4<l.length&&G(this,this.d,H(l.length,2).concat(l),this.T),q=[241].concat(this.a(this.d)),window.btoa?(y=window.btoa(String.fromCharCode.apply(null,q)),m=y=y.replace(/\\+/g,"-").replace(/\\//g,"_").replace(/=/g,"")):m=k,m)m=","+m;else for(m="",e=0;e<q.length;e++)s=q[e][this.J](16),1==s.length&&(s="0"+s),m+=s;this.a(this.d).length=b,this.a(this.f).length=c,this.j=d,this.q=true,a=m}catch(v){D(this,v),a=this.m}return a},E.prototype.s=function(a,b,c,d,e,h){try{for(a=this.e.length,b=2001,c=k,d=0;--b&&(d=this.a(this.b))<a;)try{B(this,this.l,d),e=L(this)%this.M.length,(c=this.M[e])?c(this):this.g(this.W,0,e)}catch(l){l!=this.u&&((h=this.a(this.r))?(B(this,h,l),B(this,this.r,0)):this.g(this.A,l))}b||this.g(this.X)}catch(q){try{this.g(this.A,q)}catch(m){D(this,m)}}return this.a(this.k)},E.prototype.ha=function(a,b){return b=this.Q(),a&&a(b),b};try{window.addEventListener("unload",function(){},false)}catch(S){}n("thintinel.th",E),n("thintinel.th.prototype.exec",E.prototype.ha);')})()
I spent an hour trying to deobfuscate this, but gave up. I then tried Googling for information about this, via words from the first comment line above, and the URL of the .js file, but nothing too relevant came up.
Then I tried other sites that use ReCaptcha and checked if they were pulling something similar. Finding sites that use ReCaptcha isn't as easy as I thought (I'm sure there are many, it's just not an easy search). The few I found did pull a similarly-named file from the google.com/js/th path, but they tended to have far less code in it than mine.
If this is a legitimate part of ReCaptcha, it seems they could do a much better job of not making it look suspicious. There's no indication of what the hell it is or that it even has anything to do with ReCaptcha.
Right now I'm not too worried, as I'm assuming it IS legitimate. I mainly wanted to get this up someplace for others who may have noticed it and gotten worried. If there are no answers I might just answer it myself with a "yeah it's probably fine".
Solution
It creates an object called thintinel, in the global scope, and this object is referenced directly by /recaptcha/api/js/recaptha_ajax.js.
It's almost certainly legitimate and my best guess is that it checks for a traditional, interactive browser rather than a thin bot-controlled client.
OTHER TIPS
Giving the level of obfuscation this code has, and the fact it is binding something to 'unload' event, I'd say it is not good thing.
Usually legit code justifies itself somehow, this code is a mystery..
The code can be read at http://pastebin.com/AQxkh7E0 (new paste, easier to read)
Edit: I created a post on https://reverseengineering.stackexchange.com/questions/4129/suspicios-obfuscated-javascript-file
