Malware Domain List
Malware Related => Malware Analysis => Topic started by: parody on April 20, 2010, 05:21:23 am
-
Found an exploit in my monitoring today for a customer. The exploit was CVE-2009-1141. The interesting part wasn't the multilayer encoders, which Malzilla decodes fine, but the fact that NULL bytes were randomly placed in the raw file. These null bytes stopped jsunpack, wepawet and Malzilla from seeing anything.
Simple to fix: load the script into a hex editor, find a character that isn't present in the file, replace 0x00 with 0x40 aka "@", then use Notepad++ to remove the @'s, and the scripts process fine.
Script is at hxxp://www.hao123.com.wwvv.us /images/css/jg.htm
http://www.virustotal.com/analisis/2a9b390fcb1082124e518aa5f49623451ad431b539ef9574dbdb2c28d3476ea7-1269862032
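The cleanup described above (find a byte absent from the file, swap the NULs for it, then strip it) can be scripted so the same check runs on every sample before it goes to a decoder. The block below is an added example, not the poster's code or any tool's own source; the script fragment it operates on is constructed for the example and is not the file from the thread.

```python
import re
import sys

# Constructed sample: a harmless script fragment with 0x00 bytes inserted at
# arbitrary positions, standing in for the obfuscated file the post describes.
SAMPLE = b'<scr\x00ipt>var a = "he\x00llo";\x00 document.write(a);</sc\x00ript>'


def find_nul_offsets(data: bytes) -> list:
    """Offsets of every 0x00 byte, so the analyst can report them before cleanup."""
    return [m.start() for m in re.finditer(b'\x00', data)]


def pick_unused_byte(data: bytes) -> int:
    """Return a printable ASCII value that does not occur in the data.

    Mirrors the hex-editor step of choosing a replacement character that is not
    already present, so that removing it afterwards cannot damage real content.
    """
    present = set(data)
    for candidate in range(0x21, 0x7F):  # printable ASCII, space excluded
        if candidate not in present:
            return candidate
    raise ValueError("every printable ASCII byte already appears in the file")


def strip_nul(data: bytes) -> bytes:
    """Two-step cleanup: NUL -> unused placeholder byte -> removed.

    The placeholder detour is what the hex-editor workflow needs; the result is
    the same as deleting the NULs directly, but the intermediate file is viewable
    in an ordinary text editor, which is the point of the original procedure.
    """
    placeholder = bytes([pick_unused_byte(data)])
    staged = data.replace(b'\x00', placeholder)
    return staged.replace(placeholder, b'')


def clean_file(src: str, dst: str) -> int:
    """Read src, write a NUL-free copy to dst, return the number of NULs removed."""
    with open(src, 'rb') as fh:
        raw = fh.read()
    offsets = find_nul_offsets(raw)
    with open(dst, 'wb') as fh:
        fh.write(strip_nul(raw))
    return len(offsets)


if __name__ == "__main__":
    # Usage: python strip_nul.py <input> <output>
    if len(sys.argv) == 3:
        removed = clean_file(sys.argv[1], sys.argv[2])
        print(f"removed {removed} NUL byte(s)")
    else:
        print("NUL offsets in sample:", find_nul_offsets(SAMPLE))
        print("cleaned sample:", strip_nul(SAMPLE))
```

Reporting the offsets before stripping is worth keeping: a NUL count and position list is a cheap signal that a sample was prepared to break tokenisers, and it survives even when the decoded payload is lost.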
-
One of the reasons I wrote vURL to display the code "as is", rather than try to do anything with it :)
May want to pop a link to your finding in the Malzilla thread so Bobby can fix it:
http://www.malwaredomainlist.com/forums/index.php?topic=218.0
I'll also drop Marco (Wepawet dev) and Blake (JSUnpack dev) an e-mail with a link to this, so they can fix them too.
-
JSUnpack has been fixed :)
http://jsunpack.jeek.org/dec/go?report=05ca73ff257bfe300e97d3cc8aa2007cd742e288
-
Nice! :D