Archived Blog
function dc(x)
{
// Obfuscated first-stage decoder as captured from the site. t is a 75-entry
// lookup indexed by (charCode - 48): it maps the custom 64-character alphabet
// 0-9, @, A-Z, _, a-z to 6-bit values; every other character in that range maps to 0.
var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,34,17,60,7,48,36,37,
8,35,0,0,0,0,0,0,59,39,30,31,51,13,4,15,2,32,52,61,0,44,50,18,40,6,26,
23,9,42,14,19,54,45,46,0,0,0,0,56,0,24,58,41,28,25,27,29,55,5,20,53,49,
38,43,1,33,21,57,16,11,12,22,3,10,47,62);
// Decode in 1024-character chunks, writing each decoded chunk into the page as it goes.
for(j=Math.ceil(l/b);j>0;j--)
{
r='';
for(i=Math.min(l,b);i>0;i--,l--)
{
// Six-bit groups are packed little-endian into w; a byte is emitted whenever
// eight bits have accumulated (shift cycle 0, 6, 4, 2). The middle of this
// statement was lost when the page was scraped and is reconstructed here from
// the surrounding loop logic.
w|=(t[x.charCodeAt(p++)-48])<<s;
if(s)
{
r+=String.fromCharCode(w&255);
w>>=8;
s-=2
}
else{s=6}
}
var str = r;
alert(str);
document.write(r)
}
}
dc("tl")
His question was this: how was this JavaScript malicious? The "dc()" decoder function is only receiving a two-character string -- where is the payload?
We downloaded it several more times from the site, and every time we received similar code, except with the "Array" contents and the argument to "dc()" randomized. The argument to the decoder function was a random two-character value once again and when decoded rendered two meaningless bytes of data.
As a matter of protocol, we also sent the URL through our "ThreatSeeker" automated analysis system, the relevant component of which sends its requests using an IE-compatible header.
After running it through and generating some reports, we found that the version of the page downloaded by our system was much larger than the version downloaded with wget. The code it downloaded was similar to the above, but the argument to the "dc()" decoder was several kilobytes in size. Decoded, it turned out to be an encoded web page containing obfuscated versions of the IE WebViewFolderIcon (MS06-057) and ADODB stream (MS06-014) exploits.
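To unpack such an argument without letting the page execute, the decoder can be re-implemented as a pure function that returns the plaintext instead of calling document.write(). The following is an added example, not code from the site or from the original post. It copies the lookup table from the script above, derives the 64-character alphabet the table implies (0-9, @, A-Z, _, a-z), and adds the matching encoder so the round trip can be checked on a constructed sample. The extractDcArgument() helper and its regular expression are assumptions about how the call appears in the captured HTML.

```javascript
// Added example: offline re-implementation of the captured dc() decoder.
// Lookup table copied from the captured script: index = charCode - 48, value = 6-bit group.
const T = [63,34,17,60,7,48,36,37,8,35,0,0,0,0,0,0,59,39,30,31,51,13,4,15,2,32,52,61,
  0,44,50,18,40,6,26,23,9,42,14,19,54,45,46,0,0,0,0,56,0,24,58,41,28,25,27,29,55,5,20,
  53,49,38,43,1,33,21,57,16,11,12,22,3,10,47,62];

// The 64 characters the table actually assigns distinct values to. Other characters in
// the 48..122 range decode to 0 (like 'L') and are never produced by the encoder.
const ALPHABET = "0123456789@ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz";
const VALUE_TO_CHAR = new Array(64);
for (const ch of ALPHABET) VALUE_TO_CHAR[T[ch.charCodeAt(0) - 48]] = ch;

// Same bit shuffling as dc(): 6-bit groups are packed little-endian into w and a byte
// is emitted whenever eight bits have accumulated (shift cycle 0, 6, 4, 2).
// Differences from the original: no chunking or document.write(), and an input
// character outside the table range is an error instead of a silent NaN.
function decodeDc(encoded) {
  let w = 0, s = 0, out = "";
  for (let i = 0; i < encoded.length; i++) {
    const idx = encoded.charCodeAt(i) - 48;
    if (idx < 0 || idx >= T.length) throw new Error(`character outside decoder range at ${i}`);
    w |= T[idx] << s;
    if (s) { out += String.fromCharCode(w & 255); w >>= 8; s -= 2; }
    else { s = 6; }
  }
  return out;
}

// Inverse: pack 8-bit characters little-endian and cut the bit stream into 6-bit groups.
// A trailing partial group carries the leftover bits (so 1 byte -> 2 chars, 3 bytes -> 4).
function encodeDc(plain) {
  let acc = 0, bits = 0, out = "";
  for (let i = 0; i < plain.length; i++) {
    const b = plain.charCodeAt(i);
    if (b > 255) throw new Error("decoder only handles 8-bit characters");
    acc |= b << bits; bits += 8;
    while (bits >= 6) { out += VALUE_TO_CHAR[acc & 63]; acc >>= 6; bits -= 6; }
  }
  if (bits > 0) out += VALUE_TO_CHAR[acc & 63];
  return out;
}

// Assumed layout of the captured call, dc("...") with no escapes inside the string.
function extractDcArgument(html) {
  const m = /dc\("([^"]*)"\)/.exec(html);
  return m ? m[1] : null;
}

// Constructed sample: a harmless page instead of the real payload.
const SAMPLE_PAGE = '<html><body onload="go()"><script>/* stage 2 */</script></body></html>';
const CAPTURED = 'function dc(x){/* ... */}dc("' + encodeDc(SAMPLE_PAGE) + '")';
console.log(decodeDc(extractDcArgument(CAPTURED)) === SAMPLE_PAGE); // true
```

Running it against the two-character argument from the captured page gives a single byte, which is all that 12 bits of input can carry under this packing; the several-kilobyte argument served to the IE-compatible client decodes the same way, just longer.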
This is an example of a site conditionally serving malicious content depending on which client accesses it. If we download the page with a non-IE user-agent string (as wget does by default), we get a harmless, nonsensical piece of JavaScript. If we download it with an IE-compatible user-agent string, we get very similar-looking JavaScript that actually contains the first phase of the malicious payload delivery.
While the "conditionally malicious" nature of this example is neither complex nor particularly compelling, it follows the continuing trend of the bad guys attempting to thwart the simplest levels of analysis on their payload. It also emphasizes that the researcher should try multiple avenues of analysis before drawing a conclusion about a site: at a minimum, fetch it under the user-agent strings of the browsers the attacker is likely to be targeting, not only with a command-line tool.