
SANS ISC InfoSec Handlers Diary Blog

Ghoulies and Ghosties

Published: 2006-10-31
Last Updated: 2006-10-31 21:00:38 UTC
by Daniel Wesemann (Version: 1)
0 comment(s)
Ah, scary things are afoot and go bump while you surf the web! Increasingly unfriendly critters are set to leave you the choice between "trick or trick" whenever you open the browser!  One bit that recently caught my eye again is the increasing effort made by Javascript exploit authors to disguise their crud. Take this one:



Now, anyone can tell from looking at this that whoever wrote this code is trying to hide something. Gone are the days when simple substitutions (like: encoded B is an A, encoded C is a B, etc.) were used to hide the URLs where the next bit of nefarious code was pulled from. Over the last few months, attackers have apparently evolved beyond first-grade math, to highly complex :) concoctions involving binary "shift" and "bitwise and" operations. Wow!

The good thing is, though, that no matter how many turns and twists they take, decoding the mess is still pretty easy. Frequent readers of this diary will know that "amending" such Javascript blobs with a little additional Javascript, like a carefully placed <textarea> or alert() statement, can make the decoded routine easily visible in the browser of your lab system. In this particular case, the part to aim for is the "eval" (underlined in red) - this is where the decoded string gets executed, and we'd prefer to intercept it before this happens. A couple of seconds later, we have the web server on the lab station hosting a copy of this file, with eval() replaced by alert().



Hmm. Not yet. Yes, we do get the alert pop-up, but it is still full of garbage. But wait, we've had this before: arguments.callee.toString() returns the source text of the currently executing Javascript function, and the decoder uses its length as part of the key. So by adding one char (changing from eval to alert), the decoding function changes as well, and the decoding goes wrong. Rather than use the decoding technique listed in the earlier diary (manually add or subtract the number of chars as needed), we opted this time to keep the length of the code constant. This can be done by simply adding a new Javascript function aler(x) {alert(x)} and then using "aler" instead of "alert" to replace "eval" in the obfuscated code. Same length.
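To make the length dependency concrete, here is an added toy loader in the spirit of the sample above, together with the lab-side interception; it is constructed for this diary and is not the sample's own code. The loader body, the XOR key scheme, the harmless payload and the names buildLoader, encodePayload and interceptDecoded are all assumptions made for the illustration.

```javascript
// Loader body as the obfuscator would ship it. SINK is replaced by the name of
// the function that receives the decoded script (eval in the wild). The XOR key
// is derived from the loader's own source text, so any edit that changes its
// length (eval -> alert) also changes the key and yields garbage.
const LOADER_BODY = [
  "var key = arguments.callee.toString().length % 256;",
  "var s = '';",
  "for (var i = 0; i < enc.length; i++) s += String.fromCharCode(enc[i] ^ key);",
  "return SINK(s);",
].join("\n");

// new Function() produces a sloppy-mode function, so arguments.callee works even
// if this file itself runs in strict mode.
function buildLoader(sinkName) {
  return new Function("enc", LOADER_BODY.replace("SINK", sinkName));
}

// Obfuscator side: key off the source length of the eval variant, XOR the
// (constructed, harmless) payload with it.
const PAYLOAD = "var nextStage = 'constructed-example.js';";
function encodePayload(text) {
  const key = buildLoader("eval").toString().length % 256;
  return Array.from(text, (c) => c.charCodeAt(0) ^ key);
}

// Lab side: stand in for the browser's alert() with a capturing function, add
// the same-length wrapper aler() exactly as the diary does, run the loader with
// eval swapped for the chosen name, and return whatever reached the sink.
function interceptDecoded(encoded, sinkName) {
  let captured = null;
  globalThis.alert = (s) => { captured = s; return s; };
  globalThis.aler = (x) => alert(x); // 4 chars, same length as "eval"
  buildLoader(sinkName)(encoded);
  delete globalThis.alert;
  delete globalThis.aler;
  return captured;
}

const encoded = encodePayload(PAYLOAD);
console.log("eval -> alert :", interceptDecoded(encoded, "alert")); // one char longer, garbage
console.log("eval -> aler  :", interceptDecoded(encoded, "aler"));  // same length, clean decode
```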

The de-obfuscated URL goes to (don't click!!) js.pceb.cc, which resolves to 85.255.114.158, which is - surprise surprise - the address range of INHoster in Ukraine. Although we are wary of excessive block-lists, we have repeatedly recommended in the past that you block this range (http://isc.sans.org/diary.php?storyid=997): 85.255.112.0 - 85.255.127.0. Do it now, and next time they dish up a new treat, it won't trick your users.

Happy Halloween!

Caveat: Try and decode such critters only on a lab system. Careful malware analysts tend to reinstall their systems and change their jobs far less frequently than those who think they got it all down phat.