This is a cross-post from my company’s blog that I posted today.

The injection of malicious <script src="malicious.js"> tags, on a massive scale, into everyday popular and reputable Web sites commonly visited by the casual surfer at home (and at work) has been the trend. Today, as my team and I here at Security Labs made our routine rounds around the block to spy on what the bad guys are up to next, we discovered a somewhat weak but interesting piece of malicious code whose technique dates back to the early days of encryption: the substitution cipher.

Wikipedia has a good introduction on this topic:

In cryptography, a substitution cipher is a method of encryption by which units of plaintext are substituted with ciphertext according to a regular system; the “units” may be single letters (the most common), pairs of letters, triplets of letters, mixtures of the above, and so forth. The receiver deciphers the text by performing an inverse substitution.

Doing a character-for-character substitution with a keyed alphabet built from the keyword "MALCODE" (the arrangement shown below; the textbook keyword construction, which appends the unused letters in alphabetical order, would instead give MALCODEBFGHIJKNPQRSTUVWXYZ, but the example that follows uses the table as shown), we get:

Plaintext:  ABCDEFGHIJKLMNOPQRSTUVWXYZ
Ciphertext: MALCODEHIJKFBNGPQRSTUVWXYZ

Using that mapping, we can encrypt a message from a hypothetical botnet master to his/her herd of bots from this:

LAUNCH THE DDOS ATTACK NOW

to this:

FMUNLH THO CCGS MTTMLK NGW

It's a very trivial algorithm, and extremely weak in terms of the protection it provides (by today's standards): a fixed one-to-one substitution preserves letter frequencies, so frequency analysis, or a single known plaintext, recovers the whole table. It is nonetheless good enough to conceal the true message from casual prying eyes. This was certainly as good as bulletproof in the days of Julius Caesar, whose namesake cipher (a fixed shift of the alphabet) is the simplest special case (wow, we've come a long way!).

Here’s a small screenshot of the malicious JavaScript code:

I’ve modified the code a little to output all the intermediate calculations, so that you can observe how it transforms this:

w|nd^w$l^c#[|^n;'([[*)!!b *snip* $com!|n$cg|]4{*#r#m>[>r;

to this:

window.location='http://b *snip* .com/in.cgi?4&parameter=

Mesmerizing, isn’t it? Kind of like watching the output of a really long make && make install.
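To make both steps above concrete, here is an added example (my own illustration, not code from the malicious script or from the original post). The first half implements the keyed-alphabet substitution with the table shown earlier and its inverse. The second half shows the analyst's side of the JavaScript case: aligning the obfuscated string with its decoded form character by character recovers the symbol table, which is then applied as an ordinary substitution. The symbol table it derives is inferred from the two fragments visible in this post, so it is an assumption about the real script, whose full table (and the snipped host name) is not reproduced here.

```javascript
// Added example: monoalphabetic substitution, forward and inverse, plus
// known-plaintext recovery of a substitution table. Not the malware's code.

const PLAIN = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
const CIPHER = "MALCODEHIJKFBNGPQRSTUVWXYZ"; // keyed alphabet from the post

// Build a lookup table mapping each character of `from` to the same
// position in `to`.
function makeTable(from, to) {
  if (from.length !== to.length) throw new Error("alphabets differ in length");
  const table = new Map();
  for (let i = 0; i < from.length; i++) table.set(from[i], to[i]);
  return table;
}

// Substitute every character present in the table; anything else (spaces,
// punctuation, digits) passes through unchanged, exactly as the malicious
// decoder leaves plain letters alone.
function substitute(text, table) {
  let out = "";
  for (const ch of text) out += table.has(ch) ? table.get(ch) : ch;
  return out;
}

const encryptTable = makeTable(PLAIN, CIPHER);
const decryptTable = makeTable(CIPHER, PLAIN); // the inverse substitution

function encrypt(msg) { return substitute(msg.toUpperCase(), encryptTable); }
function decrypt(msg) { return substitute(msg, decryptTable); }

// Known-plaintext recovery: given (obfuscated, decoded) pairs of equal
// length, record what each obfuscated symbol stands for. If one symbol would
// have to mean two different characters the alignment is wrong, so refuse
// rather than return a corrupt table.
function recoverTable(pairs) {
  const table = new Map();
  for (const [obf, clear] of pairs) {
    if (obf.length !== clear.length) throw new Error("pair lengths differ: " + obf);
    for (let i = 0; i < obf.length; i++) {
      const seen = table.get(obf[i]);
      if (seen !== undefined && seen !== clear[i]) {
        throw new Error(`symbol ${obf[i]} maps to both ${seen} and ${clear[i]}`);
      }
      table.set(obf[i], clear[i]);
    }
  }
  return table;
}

// The two fragments visible in the post, before and after decoding. The
// snipped host name between them is omitted; these are sample inputs for
// the example, not the complete captured string.
const FRAGMENTS = [
  ["w|nd^w$l^c#[|^n;'([[*)!!b", "window.location='http://b"],
  ["$com!|n$cg|]4{*#r#m>[>r;", ".com/in.cgi?4&parameter="],
];

const redirectTable = recoverTable(FRAGMENTS);

// Only the entries that actually change something; letters and digits in
// the fragments map to themselves.
function substitutedSymbols(table) {
  return [...table.entries()]
    .filter(([k, v]) => k !== v)
    .map(([k, v]) => `${k}->${v}`);
}

function decodeRedirect(obf) { return substitute(obf, redirectTable); }

console.log(encrypt("LAUNCH THE DDOS ATTACK NOW")); // FMUNLH THO CCGS MTTMLK NGW
console.log(decrypt("FMUNLH THO CCGS MTTMLK NGW")); // LAUNCH THE DDOS ATTACK NOW
console.log(substitutedSymbols(redirectTable).join(" "));
console.log(decodeRedirect(FRAGMENTS[0][0]) + " *snip* " + decodeRedirect(FRAGMENTS[1][0]));
```

Note that the recovered redirect table is many-to-one on the decode side ('^' decodes to 'o' while a plain 'o' also stays 'o'), which is why the malicious decoder can leave some letters untouched and still round-trip; the consistency check in recoverTable only rejects the reverse case, one obfuscated symbol claiming two meanings.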

With the decoded string assigned to window.location, the script sends the browser to that URL, which then redirects the browser again until the user finally lands on a fake antivirus scanner Web site. Sadly enough, many computer users in the workplace still fall for such social-engineering tricks.

The XP-flavored window-in-window does look real, although in this particular screenshot you can see that the color of the fake window (greenish-gold) differs from the color of my actual test machine (blue). That is a dead giveaway, although not obvious enough to the average Web user to trigger any suspicion.

We’ve been tracking such sites for a long time now, which we appropriately stamp with the label of “Potentially Unwanted Software”.

This malicious code sample is by no means at the forefront of obfuscation techniques that attempt to evade security measures by today’s standards. In fact, it is in my opinion quite weak, as we have seen much more complex methods.

It does, however, make me wonder what the bad guys from the profit-driven underground economy will come up with next in this highly innovative security arms race.

Security Researcher: Jay Liew
