Author Topic: Simple but effective obfuscation  (Read 4418 times)


April 20, 2010, 05:21:23 am

parody

Found an exploit in my monitoring today for a customer. The exploit was CVE-2009-1141. The interesting part wasn't the multilayer encoders, which Malzilla decodes fine, but the fact that NULL bytes were randomly placed in the raw file. These null bytes stopped jsunpack, Wepawet and Malzilla from seeing anything.

Simple to fix: load the script into a hex editor, find a character that isn't present in the file, replace 0x00 with 0x40 (aka "@"), then use Notepad++ to remove the @'s, and the scripts process fine.

Script is at hxxp://www.hao123.com.wwvv.us /images/css/jg.htm

http://www.virustotal.com/analisis/2a9b390fcb1082124e518aa5f49623451ad431b539ef9574dbdb2c28d3476ea7-1269862032
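The hex-editor round trip described above (swap 0x00 for an unused character, then delete that character) can be done in one pass, since NUL can simply be dropped. The script below is an added example, not code from the post or from any of the tools mentioned; it reports where the NULs sit so the offsets can be recorded with the sample, strips them, and also guards against the one case where NULs are legitimate: a UTF-16 file, where a NUL at every second byte is part of the encoding and must be decoded rather than stripped. The sample bytes are constructed for the example.

```python
"""Strip stray NUL bytes from a captured script before handing it to an
analyzer (added example; not from the forum post or from Malzilla/jsunpack/Wepawet)."""
import sys

NUL = b"\x00"


def nul_offsets(data: bytes) -> list[int]:
    """Byte offsets of every NUL in the blob, for the analysis notes."""
    return [i for i, b in enumerate(data) if b == 0]


def looks_like_utf16(data: bytes) -> bool:
    """A UTF-16 BOM, or NULs at (almost) every second byte, means the file is
    ordinary UTF-16 text rather than NUL-salted ASCII; such a file must be
    decoded, not stripped, or every character would be kept but the text
    would still be valid and we would learn nothing.  Heuristic threshold is
    an assumption of this example (90% of the odd or even bytes are NUL)."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return True
    if len(data) < 4:
        return False
    odd, even = data[1::2], data[0::2]
    return odd.count(0) > 0.9 * len(odd) or even.count(0) > 0.9 * len(even)


def clean_script(data: bytes) -> tuple[bytes, int]:
    """Return (cleaned bytes, number of NUL bytes removed).

    UTF-16 input is transcoded to UTF-8 and reported as 0 removed, because
    those NULs were encoding, not obfuscation."""
    if looks_like_utf16(data):
        if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
            text = data.decode("utf-16")          # codec consumes the BOM
        elif data[0::2].count(0) > data[1::2].count(0):
            text = data.decode("utf-16-be")       # NULs in the high byte first
        else:
            text = data.decode("utf-16-le")
        return text.encode("utf-8"), 0
    cleaned = data.replace(NUL, b"")
    return cleaned, len(data) - len(cleaned)


# Constructed sample: a harmless script fragment with three NULs salted in.
SAMPLE = b"<scr\x00ipt>var s=\x00unescape('%41');</scr\x00ipt>"


def clean_file(src: str, dst: str) -> int:
    """Clean a file on disk; returns the number of NULs removed."""
    with open(src, "rb") as fh:
        data = fh.read()
    cleaned, removed = clean_script(data)
    with open(dst, "wb") as fh:
        fh.write(cleaned)
    return removed


if __name__ == "__main__":
    if len(sys.argv) == 3:
        print(f"removed {clean_file(sys.argv[1], sys.argv[2])} NUL bytes")
    else:
        print("NUL offsets:", nul_offsets(SAMPLE))
        cleaned, removed = clean_script(SAMPLE)
        print(f"removed {removed}:", cleaned.decode())
```

Run it as `python strip_nul.py captured.htm cleaned.htm` to produce the copy you feed to the decoder; keep the original and the offset list with the sample, since the placement of the NULs is itself a fingerprint of the kit.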

April 20, 2010, 05:51:20 am
Reply #1

MysteryFCM

One of the reasons I wrote vURL was to display the code "as is", rather than try and do anything with it :)

You may want to pop a link to your finding in the Malzilla thread so Bobby can fix it:

http://www.malwaredomainlist.com/forums/index.php?topic=218.0

I'll also drop Marco (Wepawet dev) and Blake (JSUnpack dev) an e-mail with a link to this, so they can fix them too.
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

April 21, 2010, 02:50:58 am
Reply #2

MysteryFCM

Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

April 21, 2010, 05:48:37 am
Reply #3

parody
