As we saw in a previous blog post, malicious, obfuscated JavaScript is being injected into legitimate webpages. Attackers not only use simple obfuscation techniques, but also leverage rather complex approaches to hide their malicious code. In another recent blog, we saw how attackers have used publicly available Base64 encoding techniques to hide their malicious code. This is often done to evade Antivirus detection. Recently, we discovered yet another heavy obfuscation technique. Automated deobfuscation tools/services such as Webpawet and Malzilla were challenged by this particular sample. Here is the malicious code prior to being deobfuscated.

As can be seen, Malzilla was unable to manually analyze the code.

It was clear that this code would require manual analysis. I saw some eval() functions being used in the script at the bottom. I tried to replace eval() with alert(), document.write(), etc. In order to help with debugging, but I didn’t achieve what I was looking for. Now, it’s the time to do step by step analysis of the code in order to gain a deeper understanding of the logic. Let’s now start reading the code step by step. First, we break the script and format the code so that it is readable. Below are the screenshots of the part 1 of the script:

There are plenty of random variables defined initially and then one array is defined as “var sYvxoe19wg=new Array(); “. Now for each variable, the characters are being XOR'd with random numbers and then the variables are concatenated in the array defined earlier.

for (var aRjNtT8j=0;aRjNtT8j

{

iSOi16qif48Q1[aRjNtT8j]=iSOi16qif48Q1[aRjNtT8j]^25;

};

sYvxoe19wg=sYvxoe19wg.concat(iSOi16qif48Q1);

This means the array will complete after XOR’ing 21 variables and concatenating them in the array. This array should be passed to some function to parse this. Let’s open second part of the script,

Now we are a little closer to decoding this script. We have the final array and we then call one function with the array as an argument. First, add “alert(sYvxoe19wg)” to the array before calling the function to see if we get the final array() and copy it using Ctrl + C from the message box. Here is what it looks like:

Now we have the final array. Copy and paste this to a text file as it will be required later. A closer analysis of these 3 functions tells us that all these functions are being used to decode strings like “eval”, “fromCharCode” and “String.fromCharCode”. Simple array substitution is used to decode these strings. I have added comments for all these functions in the image below:

We have almost completed decoding this script. The array is passed to a JavaScript function called “String.fromCharCode()”. Let’s see the output of this by using a simple alert message and the array(). Open a test html file and paste these lines along with the array variables which we saved earlier.

This code delivers yet another obfuscated script. Here is the screenshot of the message box,

Copy this script and open up Malzilla, which can now handle the remainder of the decoding.

The whole heavily obfuscated script decodes to one “object” tag pointing to another malicious URL. From the type of object, it is clear that it is requesting a PDF file, which is presumably malicious. Now, let’s run the original exploit code in the controlled environment and see the packet capture.

The above figure shows that the malicious script running successfully and requesting another malicious URL which replies with a single malicious PDF file. We will not going into additional details of the PDF analysis. The downloaded PDF file was again obfuscated and targeted a couple of Adobe PDF vulnerabilities.

1) this.media.newPlayer– CVE-2009-4324

2) util.printf() – CVE-2008-2992

3) Collab.collectEmailInfo() -CVE-2007-5659

4) Collab.getIcon() - CVE-2009-0927

This is another example of how attackers are using multiple, complex obfuscation techniques in their attacks. Due to this heavily obfuscation, the Virustotal result is only 5% for this malicious JavaScript.

Take Care.

Umesh