Malicious files are generated and spread over the wild Internet daily (read: hourly). The goal of the attackers is to use files that are:
- not known to signature-based solutions
- not easily readable by a human analyst
That's why many obfuscation techniques exist to lure automated tools and security analysts. In most cases, it's just a question of time to decode the obfuscated data. A classic technique is the XOR cipher[1]. This is definitively not a new technique (see a previous diary[2] from 2012) but it is still heavily used, and many tools can automate the search for XOR'd strings. Viper, the binary analysis and management framework, is a good example. Its xor module searches the file for a list of well-known strings XOR'd with a single-byte key (and ROT-encoded):

```
viper tmpnYaBJs > xor -a
[*] Searching for the following strings:
- This Program
- GetSystemDirectory
- CreateFile
- IsBadReadPtr
- IsBadWritePtr
- GetProcAddress
- LoadLibrary
- WinExec
- CreateFile
- ShellExecute
- CloseHandle
- UrlDownloadToFile
- GetTempPath
- ReadFile
- WriteFile
- SetFilePointer
- GetProcAddr
- VirtualAlloc
- http
[*] Hold on, this might take a while...
[*] Searching XOR
[!] Matched: http with key: 0x74
[*] Searching ROT
viper tmpnYaBJs >
```

A hit like this one still has to be confirmed by hand: "http" XOR 0x74 is the four bytes 1C 00 00 04, a short, low-byte pattern that can easily occur by chance inside a binary.

The following sample, however, does not rely on XOR at all:

```javascript
var bcacfdfaebbbfDeck = new ActiveXObject(dbdbfaeefccaee("+L+^%^LK%,LpL(KeL^%z%+%u%u"));
```
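The search Viper performs above, as an added example (this is not Viper's code): a known-plaintext scan that XORs each candidate string with every single-byte key and looks for the result in the buffer. The buffer is constructed for the example; it contains "WinExec" XOR'd with 0x2A and the bytes 1C 00 00 04, which reproduce the kind of short "http" hit that an analyst still has to confirm.

```javascript
// Added example, not Viper's code: known-plaintext search for single-byte XOR.
// Candidate strings are a subset of the list Viper prints above.
const XOR_STRINGS = ["This Program", "GetProcAddress", "LoadLibrary", "WinExec",
  "UrlDownloadToFile", "VirtualAlloc", "http"];

// XOR every byte of an ASCII string with a one-byte key.
function xorBytes(str, key) {
  return Buffer.from(Array.from(str, (c) => c.charCodeAt(0) ^ key));
}

// Returns [{string, key, offset}] for every occurrence of every candidate
// string under every key 1..255. Key 0 is skipped: it would only find cleartext.
function xorSearch(buf, strings = XOR_STRINGS) {
  const hits = [];
  for (let key = 1; key < 256; key++) {
    for (const s of strings) {
      const needle = xorBytes(s, key);
      let offset = buf.indexOf(needle);
      while (offset !== -1) {
        hits.push({ string: s, key, offset });
        offset = buf.indexOf(needle, offset + 1);
      }
    }
  }
  return hits;
}

// Constructed sample buffer (assumption, not a real file): a fake MZ header,
// "WinExec" XOR 0x2A at offset 8, then 1C 00 00 04 at offset 15, which is
// exactly "http" XOR 0x74 and would also be a plausible accident in real data.
const SAMPLE = Buffer.concat([
  Buffer.from([0x4d, 0x5a, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00]),
  xorBytes("WinExec", 0x2a),
  Buffer.from([0x1c, 0x00, 0x00, 0x04]),
]);

for (const h of xorSearch(SAMPLE)) {
  console.log(`[!] Matched: ${h.string} with key: 0x${h.key.toString(16)} at offset ${h.offset}`);
}
```

The four-byte "http" needle is the weak spot of such lists: the shorter the string, the more keys and offsets will match by chance, so short hits deserve a look at the surrounding bytes before they are trusted.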
I took some time to check how the obfuscation was performed. How does it work?
The position of each character is looked up in the $data variable and decreased by one; the character found at that position is appended to a string of hex codes. Finally, the hex codes are converted into the cleartext. Example with the first two characters of the sample above:

```
$data = "SYOm7L-3^ojXtMA2Kbk_FN)GB.$1PJgR"
```

(only the beginning of the string is readable in this copy of the diary, which is why not every position below lines up with it)

- '+' is located at position 20; the character at position 19 (20 - 1) is '5'
- 'L' is located at position 5; the character at position 4 (5 - 1) is '7'
- 0x57 is the ASCII code of 'W'

The author's script, as far as it survives here:

```javascript
// Convert a string from hex chars to string.
// In: 575363726970742E7368656C6C
// Out: WScript.shell
// [function body not readable in this copy]

// Convert the obfuscated string by shifting by 1 char
function deobfuscate(string, step) {
    var data = "SYOm7L-3^ojXtMA2Kbk_FN)GB.$1PJgR";
    // [body not readable in this copy]
}

var s = deobfuscate("%zL(L(Lp^2KNKN^P^z^+Ke^P^+^(Ke^+^KKe^P^p^PKN%u%N%L%NKe%,%0%L");
```

which gives (defanged):

```
hxxp://185.154.52.101/logo.img
```

And when you understand how to deobfuscate, obfuscating is the same operation in reverse:

```javascript
function obfuscate(string, step) {
    var data = "SYOm7L-3^ojXtMA2Kbk_FN)GB.$1PJgR";
    // [body not readable in this copy]
}

var foo = obfuscate("https://isc.sans.edu");
```

which gives:

```
%zL(L(LpL^^2KNKN%,L^%^KeL^%P%eL^Ke%+%(L+
```
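The decoding procedure described above and the reverse function, as an added example that is not the diary's script. The alphabet string is constructed: the sample's real `data` string is only partially readable here, so this one keeps the visible prefix `SYOm7L-3^ojXtMA2K` and places the remaining pairs so that every substitution implied by the diary's three samples holds ('+' sits at index 20 right after '5', 'L' at index 5 right after '7'). The example also goes one step further than the diary and shows the known-plaintext trick an analyst can use when the alphabet is not available: the argument of `new ActiveXObject(...)` in the sample can only be `WScript.shell`, and lining it up with the obfuscated string recovers the substitute for every hex digit it contains.

```javascript
// Added example, not the diary's code: a clean implementation of the
// "shift by one in an alphabet" substitution, plus known-plaintext recovery.
//
// CONSTRUCTED alphabet (assumption). The rule is simply: each hex digit is
// immediately followed by the character that stands for it; every other
// character is filler. '7' at 4 is followed by 'L', '5' at 19 by '+', etc.
const ALPHABET = "SYOm7L-3^ojXtMA2Kbk5+_FN)GB.$1PJgRD0p4(9,8zEe6%Cu";
const HEX_DIGIT = /^[0-9A-F]$/;

// "5753..." -> "WS..." (two hex characters per output character).
function hexToString(hex) {
  let out = "";
  for (let i = 0; i + 1 < hex.length; i += 2) {
    out += String.fromCharCode(parseInt(hex.slice(i, i + 2), 16));
  }
  return out;
}

// "WS..." -> "5753..." (upper case, two digits per character).
function stringToHex(s) {
  return Array.from(s, (c) => c.charCodeAt(0).toString(16).toUpperCase().padStart(2, "0")).join("");
}

// Decode: for each character, find it in the alphabet and take the character
// `step` positions before it. A character that is absent, or not preceded by
// a hex digit, is a hard error rather than silent garbage.
function deobfuscate(string, step = 1, alphabet = ALPHABET) {
  let hex = "";
  for (const ch of string) {
    const pos = alphabet.indexOf(ch);
    const digit = pos - step >= 0 ? alphabet[pos - step] : "";
    if (!HEX_DIGIT.test(digit)) {
      throw new Error(`"${ch}" is not a substitute character in this alphabet`);
    }
    hex += digit;
  }
  return hexToString(hex);
}

// Encode: the reverse, take the character `step` positions after each hex digit.
function obfuscate(string, step = 1, alphabet = ALPHABET) {
  let out = "";
  for (const digit of stringToHex(string)) {
    const pos = alphabet.indexOf(digit);
    if (pos < 0 || pos + step >= alphabet.length) {
      throw new Error(`hex digit ${digit} has no substitute in this alphabet`);
    }
    out += alphabet[pos + step];
  }
  return out;
}

// Known-plaintext recovery: one obfuscated character per hex digit of the
// known cleartext. Returns Map(substitute -> hex digit).
function recoverPairs(obfuscated, plaintext) {
  const hex = stringToHex(plaintext);
  if (hex.length !== obfuscated.length) {
    throw new Error("length mismatch: one substitute per hex digit expected");
  }
  const pairs = new Map();
  for (let i = 0; i < hex.length; i++) {
    const known = pairs.get(obfuscated[i]);
    if (known !== undefined && known !== hex[i]) {
      throw new Error("inconsistent mapping: not a simple substitution");
    }
    pairs.set(obfuscated[i], hex[i]);
  }
  return pairs;
}

// Partial decode with whatever pairs are known; unknown characters become "?"
// so the shape of the string (here a URL) shows before every digit is recovered.
function decodeWithPairs(obfuscated, pairs) {
  let out = "";
  for (let i = 0; i + 1 < obfuscated.length; i += 2) {
    const hi = pairs.get(obfuscated[i]);
    const lo = pairs.get(obfuscated[i + 1]);
    out += hi === undefined || lo === undefined ? "?" : String.fromCharCode(parseInt(hi + lo, 16));
  }
  return out;
}

// The two obfuscated strings quoted in the diary.
const ACTIVEX_ARG = "+L+^%^LK%,LpL(KeL^%z%+%u%u";
const URL_ARG = "%zL(L(Lp^2KNKN^P^z^+Ke^P^+^(Ke^+^KKe^P^p^PKN%u%N%L%NKe%,%0%L";

console.log(deobfuscate(ACTIVEX_ARG));          // WScript.shell
console.log(deobfuscate(URL_ARG));              // http://185.154.52.101/logo.img
console.log(obfuscate("https://isc.sans.edu")); // %zL(L(LpL^^2KNKN%,L^%^KeL^%P%eL^Ke%+%(L+
console.log(decodeWithPairs(URL_ARG, recoverPairs(ACTIVEX_ARG, "WScript.shell"))); // http????85.?54.52.?0??l?g?.i?g
```

The partial decode is the practical point: `WScript.shell` only covers eleven of the sixteen hex digits, yet `http????85.?54.52.?0??l?g?.i?g` is already enough to recognise a download URL and to guess the remaining pairs (`:`, `/`, `1`, `o`, `m`) from context, without ever locating the alphabet in the script.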
Of course, the method analyzed here is a one-shot! The number of ways to obfuscate data is unlimited...
[1] https://en.wikipedia.org/wiki/XOR_cipher
[2] https://isc.sans.edu/forums/diary/Decoding+Common+XOR+Obfuscation+in+Malicious+Code/13354

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
© SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Article Link: https://isc.sans.edu/diary/rss/22544