Analysis of an Obfuscated iFrame

Introduction

Obfuscated attacks against iFrames are wildly out of control in the IT world today. Legitimate enterprise websites and personal websites alike are unknowingly hosting these attacks. The attacks simply redirect users to a third-party website hosting an exploit and, more often than not, pieces of malware. I have been given unconfirmed reports that malware writers earn $1.50 for every system they deliver this malware to, which means that people are more than willing to deliver the attacks. In this research report we will look at a piece of obfuscated JavaScript in order to understand how attackers are hiding their activities on legitimate websites.

Below is a real iframe attack found on an exploited website.

Simple Analysis

It is rare that an attack will be found in such readable form. In fact it is usually all put onto a single line; I simply broke it out into a more readable format. In some cases it is easy to find this code because it is by far the longest line on the page. Regardless, below is the simple flow of how this code works.

1. Initialize variables k1, k2, t1, t2, and h.

2. Deobfuscate k1 and k2

3. Write h to the user

Resulting deobfuscated code (note that the frame is set to a virtually invisible 1×1 pixel size):

In-depth Analysis

Variable Initialization

Let’s take a look at what’s happening here. First we have two hideous and large JavaScript string variables called “k1” and “k2”. These variables contain obfuscated strings (I know, tough to believe). Next we have two integer variables, t1 and t2. Both are initialized to zero; they are simple counters meant to drive the while loops later in the code. Finally we have a string variable “h” which is initialized to NULL. h is the end variable that combines “behgczzazbzc” with the decoded k1 and k2 variables; this combination is the actual attack.

While Loops

The while loops are relatively unimportant, as they merely deobfuscate the k1 and k2 variables and append the deobfuscated data to the h string. In order to do this the attacker uses two predefined functions: String.fromCharCode() and the charCodeAt() method of the k1 string.

String.fromCharCode() is a function that returns the character corresponding to the ISO-Latin-1 numeric position passed to it. E.g. String.fromCharCode(65) returns "A".

A reference sheet for ISO-Latin-1 characters and their numeric position can be viewed here.

In order to get the proper position to pass to String.fromCharCode(), the attack code first converts the current ISO-Latin-1 character into its corresponding numeric position. This is done with the string's charCodeAt() method. The while loops add a small complication to this step by shifting the ISO-Latin-1 character position by -3 and -2 respectively.

Adding To the String

In the attack code (between the while loops), there is a simple addition to the string that adds the domain to the actual attack. There is no way to determine this is the domain until after the code is deobfuscated. The reason this is segmented in the code is because the attacker can quickly change the domain of the attack while preserving the overall attack extension.

Putting it All Together

The attack code finishes up by writing the document to the victim with the document.write() function. This is important to recognize because by the time the string reaches this function, k1 and k2 have already been deobfuscated. Therefore, an analyst can simply replace this function with a non-malicious one in order to see what is actually hidden in the code. For example, instead of document.write() one could use alert().
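The decoding routine described in the "While Loops", "Adding To the String" and "Putting it All Together" sections, as an added analyst's example that is not the post's own code and not the strings from the real attack. It re-implements the -3/-2 character-code shift and the domain insertion, but returns the assembled string instead of handing it to document.write(), and then reports the two facts a defender wants from the decoded markup: where the iframe points and whether it is sized 1×1. The sample k1/k2 strings, the placeholder domain and the helper names are all constructed for this example.

```javascript
// Added example, not the blog post's own code. It re-implements the decoding
// scheme the post describes (character codes shifted by -3 for k1 and -2 for
// k2, the domain inserted between them) so an analyst can recover the payload
// without ever passing it to document.write().

// Shift every character code of `s` by `delta` and rebuild the string.
// This is exactly what each of the attack's while loops does with
// charCodeAt() and String.fromCharCode().
function shiftChars(s, delta) {
  let out = "";
  let t = 0;                         // the post's t1 / t2 counter
  while (t < s.length) {
    out += String.fromCharCode(s.charCodeAt(t) + delta);
    t += 1;
  }
  return out;
}

// Mirror of the attack's assembly step: decode k1, append the domain, decode
// k2. The only difference from the original is that h is returned instead of
// being handed to document.write(h).
function assemble(k1, k2, domain) {
  let h = "";
  h += shiftChars(k1, -3);           // first while loop: shift by -3
  h += domain;                       // the "adding to the string" step
  h += shiftChars(k2, -2);           // second while loop: shift by -2
  return h;
}

// Pull the iframe target out of the decoded markup (null if there is none).
function iframeSrc(html) {
  const m = /<iframe\b[^>]*\bsrc\s*=\s*["']([^"']*)["']/i.exec(html);
  return m ? m[1] : null;
}

// True when the decoded markup carries the 1x1 sizing the post notes.
function isTinyIframe(html) {
  return /<iframe\b[^>]*\bwidth\s*=\s*["']?1(?!\d)["']?[^>]*\bheight\s*=\s*["']?1(?!\d)["']?/i
    .test(html);
}

// Constructed sample input (not the real attack's strings): the plaintext is
// shifted by +3 / +2 so that the decoder's -3 / -2 recovers it.
const SAMPLE_K1 = shiftChars('<iframe src="http://', 3);
const SAMPLE_K2 = shiftChars('/index.php" width="1" height="1"></iframe>', 2);
const SAMPLE_DOMAIN = "attacker.invalid";   // placeholder domain, constructed

// Analyst entry point: returns the recovered markup plus the two facts a
// defender cares about (where it points, and whether it is hidden).
function analyze(k1, k2, domain) {
  const html = assemble(k1, k2, domain);
  return { html: html, src: iframeSrc(html), hidden: isTinyIframe(html) };
}

console.log(analyze(SAMPLE_K1, SAMPLE_K2, SAMPLE_DOMAIN));
```

Because shiftChars() is its own inverse with the sign flipped, the same helper builds the constructed input and decodes it; on a real sample you would paste the captured k1 and k2 values in and drop the encoding lines. The src and hidden fields are what you would feed into blocklists and proxy policy, which is why they are returned rather than printed.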

Detecting/Defending Against These Attacks

Anti-virus/Anti-malware

Some anti-virus and anti-malware solutions flag and stop these attacks from affecting end users. Unfortunately, however, research points to the fact that very few are actually capable of detecting these attacks. I rolled this attack up into an HTML file and submitted it to VirusTotal, where 41 anti-virus/anti-malware scanners assessed the file. Of those 41 scanners, only three detected that there was an issue.

Browser Protection Software:

  • Trusteer Browser Protection Software
  • Kace Browser Protection Software
  • HP/Symantec/Mozilla Browser Sandboxing Software
  • Various Virtual Browser Sandboxing Solutions

Content Filtering Technology

Content filtering technology could help in two ways. First, it could detect the issue on the page to begin with and proactively categorize the page to prevent the victim from accessing the attack code. Second, if the attack code is delivered to the victim, the content filtering system could still prevent the victim from actually reaching the malicious website hosting the exploit and malware.

Example Content Filtering System Software:

  • BlueCoat WebFilter
  • WebSense WebFilter
  • ScanSafe WebFilter/Malware Scanner
  • Many, many others
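A static triage check of the kind a content filter or a web-server integrity scan could run on page source, added here as an example and not taken from the post or from any of the products listed. It combines the "by far the longest line on the page" observation from the Simple Analysis section with the fingerprints of the decoding routine (String.fromCharCode, charCodeAt, document.write and a while loop all on one line). The sample page, the filler k1/k2 strings, the placeholder domain and the thresholds are all assumptions made for this example.

```javascript
// Added example, not the blog post's own code: flag lines of page source that
// are both unusually long for the page and carry the decoder fingerprints the
// post describes. Thresholds (lengthRatio, minHits) are assumed defaults.

const INDICATORS = [
  { name: "fromCharCode",   re: /String\.fromCharCode\s*\(/ },
  { name: "charCodeAt",     re: /\.charCodeAt\s*\(/ },
  { name: "document.write", re: /document\.write\s*\(/ },
  { name: "while",          re: /\bwhile\s*\(/ },
];

// A line is suspicious when it is at least `lengthRatio` times the page's
// median line length and matches at least `minHits` indicators. Requiring
// several indicators keeps ordinary minified code that merely uses
// fromCharCode() from being flagged.
function findSuspiciousLines(source, { lengthRatio = 4, minHits = 3 } = {}) {
  const lines = source.split(/\r?\n/);
  const sorted = lines.map((l) => l.length).sort((a, b) => a - b);
  const median = sorted[Math.floor(sorted.length / 2)] || 1;
  const findings = [];
  lines.forEach((line, idx) => {
    const hits = INDICATORS.filter((i) => i.re.test(line)).map((i) => i.name);
    if (line.length >= lengthRatio * median && hits.length >= minHits) {
      findings.push({ line: idx + 1, length: line.length, indicators: hits });
    }
  });
  return findings;
}

// Constructed sample page. Line 6 is a stand-in for the injected one-liner:
// it has the shape the post describes, but k1/k2 are filler characters and
// the domain is a placeholder, so it decodes to nothing meaningful.
const SAMPLE_PAGE = [
  "<html><head><title>Company News</title></head>",
  "<body>",
  '<script src="/js/site.js"></script>',
  "<script>var year = new Date().getFullYear(); document.getElementById('y').textContent = String.fromCharCode(169) + year;</script>",
  "<p>Welcome to our site.</p>",
  '<script>var k1="' + "Q".repeat(300) + '";var k2="' + "R".repeat(300) +
    '";var t1=0;var t2=0;var h="";while(t1<k1.length){h+=String.fromCharCode(k1.charCodeAt(t1)-3);t1++;}' +
    'h+="placeholder.invalid";while(t2<k2.length){h+=String.fromCharCode(k2.charCodeAt(t2)-2);t2++;}document.write(h);</script>',
  "</body></html>",
].join("\n");

console.log(findSuspiciousLines(SAMPLE_PAGE));
```

The length test is relative to the page's own median rather than a fixed byte count, so the check works on both terse and verbose markup; the indicator count is what separates the injected decoder from the legitimate one-line script on line 4, which uses fromCharCode() for a copyright symbol and nothing else. Treat a hit as something to pull and decode, not as a verdict on its own.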

IPS Technology

Intrusion Prevention Systems can be used to block the exploit from reaching the victim. Unfortunately, in many cases the prevention is based on the exploit rather than the vulnerability. This means that the exploit can be altered to bypass the IPS fairly easily by changing the signature and/or behavior of the attack. Of course, finely tuned and sophisticated IPSs have fewer issues with this.

Example IPS:

  • Sourcefire SNORT
  • IBM Internet Security Systems Proventia
  • McAfee Network Security Platform (formerly Intrushield IPS)
  • TippingPoint Digital Vaccine
  • Many, many others
