Hello,
I am not going to show you a new exploit, but a cool and interesting way of obfuscating a known exploit in order to evade detection.
Today my friend Mila provided me with the following sample (md5: eeb80aa4f0575a7d595ec9d636cc1b2e), which I am going to analyze. The sample is contained in an HTML page. By taking a look at the page source you will notice the following:
As you can see, there is a large number of ‘z’ characters; to be precise, we have 9237 occurrences of ‘z’. Let’s proceed with the analysis: in the same HTML page we can find the “deobfuZcation” function:
It replaces every occurrence of ‘z’ with an empty string (‘’). Now you could say: “Where is the interesting part?”. Please follow me, and let’s take a look at the following deobfuscated code:
I have underlined in red the interesting part. As you can see, it is exploiting the Java Deployment Toolkit vulnerability, more details can be found here: VU#886582.
By browsing the source code, you can also see some comments:
Did you get the awesome part of this small story?
The deobfuscated code contains 3616 chars and not a single occurrence of ‘z’. The obfuscator used was very cool (I have to admit that :]): it computed an ASCII char that did not occur in the given code, and then filled the code up with a huge number of occurrences of that char, so that the deobfuscation routine can safely delete all of them.
I hope you have enjoyed the reading(z) ;]

Cool, just use some more letters and it would be even harder to do some statistical analysis to detect the obfuscation.
Link | September 14th, 2010 at 1:00 am
This sample belongs to the Siberia exploit pack. Thanks to my friend SysAdMini of MalwareDomainList for the additional info.
Link | September 14th, 2010 at 9:53 pm