Let’s start by taking a look at a Rig EK sample.
Rig EK page:
Rig EK page:
Unlike most EK’s, instead of running plugin detection code first, it instead starts by checking for the presence of Kaspersky and TrendMicro antivirus (AV) programs. If any of the AV driver files are found on the victim’s machine, the exploit execution stops. In order to check for the presence of these driver files, the EK uses the ActiveX object ‘Microsoft.XMLDOM’. The routine labeled ‘df3z’ does the inspection.
|AV driver checking code|
- Function ‘alz’ concatenates a string passed to it and assigns the concatenated string to the ‘ty6’ variable. This is later used by the de-obfuscation routine.
- Element ‘dn3d’with a type of “script” is created.
- Element ‘dn3d’is appended to the ‘document.body’ i.e into the DOM tree for later execution.
The beautified version is shown below:
|Malicious Applet Code|
|Malicious SilverLight Code|
|Malicious Flash Code|
domWalkerAndDeobfuscator at the end of EK:
‘console.log’ output after appending domWalkerAndDeobfuscator:
Malicious Applet code:
Malicious Silverlight code:
Malicious Flash code:
My trick worked and gave me the full de-obfuscated code of the Rig EK sample. This increased my curiosity and tried the same ‘domWalkerAndDeobfuscator’ on the Feista exploit kit sample.
De-obfuscated code obtained from ‘domWalkerAndDeobfuscator’ through console.log for Feista EK:
The Feista EK also contains exploit code for Java, Flash and SilverLight plugins.
Adding a simple DOM walker (crawler) script made the job easy of de-obfuscating DOM based obfuscated EK far easier. I’ve tested the approach with samples of Rig and Fiesta so far and every time was able to get the de-obfuscated code in seconds instead of doing the heavy lifting required for manual analysis.
Conclusion: Previously with older EK’s it was easy to de-obfuscate the code using many online tools and with manual analysis, but due to the introduction of DOM based obfuscation techniques the difficulty has increased. Many tools are failing to de-obfuscate the code for newer EK samples. Fortunately, the approach of walking the DOM solved the issue in seconds.