An In-Depth Exploit Analysis on Multilayer Obfuscations

02.05.2010 - 12:00 PM

Websense® Security Labs™ ThreatSeeker™ Network discovered obfuscated injected code on the homepage of a Web site with an Alexa ranking in the top 10,000. The malicious code is appended to the end of the page source and wrapped in deeply obfuscated functions. The complexity of this attack is assessed below.


Upon de-obfuscating the homepage of this popular Web site, we found a hidden iframe link: 


Part of this link is a randomly generated number. There is also an IP checker on the server side that permits only one-time access per IP address to each dynamic link.

Below is the HTML source returned on the first attempt to access the malicious link; it triggers a client browser redirect to another malicious site:



When the same IP makes another attempt, the client browser is sent a different redirection, this time to Yahoo:


Here is the payload of the malicious redirection target from the first-attempt page:


After de-obfuscating the eval call, the function it activates turns out to be yet another injected script:



We appended the correct value to the variable and obtained the payload: 



The code is still obfuscated, but after a further round of de-obfuscation we obtained the final code:

 
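The eval-peeling step described above, as an added example that is not code from the original post: a Node.js script that runs a constructed, harmless two-layer sample with `eval` shadowed by a recording hook, so each inner layer is captured as text rather than executed. The sample, the `peelLayers` function and the `unescape`/`String.fromCharCode` wrapping are assumptions made for illustration; a real sample belongs in an isolated VM.

```javascript
// Added example (not from the original post): peel nested eval() layers by
// running each layer with `eval` shadowed by a recording hook, so the inner
// layer is captured as text instead of being executed.
// The obfuscated sample below is constructed and harmless; its innermost
// layer only declares a variable. Real samples must be run in an isolated VM.

// Innermost layer of the constructed sample (hypothetical).
const FINAL_LAYER = 'var marker = "final layer reached";';

// Layer 2: encode the inner layer as String.fromCharCode(...) inside eval().
function charCodeWrap(src) {
  const codes = Array.from(src, (c) => c.charCodeAt(0)).join(',');
  return 'eval(String.fromCharCode(' + codes + '));';
}

// Layer 1: percent-encode layer 2 and decode it with unescape() inside eval().
function escapeWrap(src) {
  return 'eval(unescape("' + escape(src) + '"));';
}

const SAMPLE = escapeWrap(charCodeWrap(FINAL_LAYER));

// Returns every layer, outermost first, ending with the first layer that
// contains no eval() call. That final layer is never executed.
function peelLayers(obfuscated, maxLayers = 10) {
  const layers = [obfuscated];
  let current = obfuscated;
  while (layers.length <= maxLayers && /\beval\s*\(/.test(current)) {
    let captured = null;
    const hook = (s) => { captured = String(s); }; // record, do not execute
    try {
      // A parameter named `eval` shadows the global eval inside the body.
      new Function('eval', current)(hook);
    } catch (e) {
      break; // layer needs browser objects we do not provide; stop here
    }
    if (captured === null) break; // "eval" present textually but never called
    layers.push(captured);
    current = captured;
  }
  return layers;
}

if (typeof require !== 'undefined' && require.main === module) {
  peelLayers(SAMPLE).forEach((l, i) => console.log(`layer ${i + 1}: ${l}`));
}
```

The textual `eval(` check is a deliberate simplification: samples that reach eval through aliases such as `window["eval"]` would stop at the outer layer, which is the safe direction to fail.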

In the first part of the source code, we found that it appends an iframe tied to the MS06-014 exploit. At the bottom of the source code, we could see that the iframe content is appended with an executable file header, so the executable saves itself to the hard disk and is then launched automatically:


We uploaded the executable to VirusTotal, where it was reported as a Trojan with a low detection rate.

Websense Messaging and Websense Web Security customers are protected against this attack.

Security Researcher: Hermes(Lei) Li