Category: Getting Started


Have you ever seen something like this before?

var var1 = [Integer];    // placeholder: any integer literal
var var2 = var1;         // copied, so the comparison below is always true
if (var1 == var2) { document.location = "[Insert URL Here]"; }

I have, and today I finally decided to dig a little deeper. In this article we will cover URLs that are used with this redirecting method, other malicious JavaScript files that have adapted to this method, and test this method with various techniques against the AV industry.

Here is the complete list of the URLs I found that are used as the document.location:


I also found something else rather interesting. There is an “o.js” that uses this method in a more advanced way. Have a look at these two Wepawet results here and here. Notice how they use additional variables whilst using the same concept.

So, let’s make our own redirecting JavaScript! The Wepawet examples are from 2009, so this should have good detection, right? We will conduct various tests to ensure that our results are not flawed. Have a quick look at the list:

  1. The Default Approach
  2. Different Variable Names
  3. Additional Variables
  4. Number Obfuscation
  5. String Obfuscation

Before we move on, for those who would like to do this with me, make sure you have your favorite editor open. I myself use Sublime Text. You can download the samples we will be using from my domain here.

The Default Approach – VirusTotal (5/46)

Conditional Redirect Test 1

Well now. I didn’t expect that myself. Maybe 8-14/46, but 5/46? More so, they show the same threat name? I’m speechless considering this was the first test.

Different Variable Names – VirusTotal (5/46)

Conditional Redirect Test 2

Ok, so everybody can still detect it. That’s a good thing. How about when we add additional variables?

Additional Variables – VirusTotal (0/46)

Conditional Redirect Test 3

And just like that, nobody detects. Seriously, WTF? This kind of simple variable trick passes? In my opinion, more should’ve detected it than the first time, considering it explicitly passes “document” into another variable to be called with window.

Number Obfuscation – VirusTotal (0/46)

Conditional Redirect Test 4

None detect this simple obfuscation method? No, just no… The document.location was left in place and obfuscation was added. I expected more to detect this.

String Obfuscation – VirusTotal (0/46)

Conditional Redirect Test 5

Err… how does this miss? ._.

We can conclude that the AV industry uses a simple method for checking this kind of exploit. It would look something like this:

When a variable (Var A) is defined,
And another variable (Var B) is set to Var A,
With a conditional between each (Var A and Var B),
And an expression utilizing document.location,
That contains a string (not a variable) with a passed URL,
Then alert and mark as malicious.
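As an added example (my own code, not the post’s or any vendor’s), here is a detector that goes one step past the literal signature inferred above: it tracks aliases of document/window and folds string concatenation, so the renamed-variable, extra-variable and split-string variants from the tests are still flagged. The samples at the bottom are constructed for this example and use the post’s placeholder URL.

```python
import re
# Added heuristic (not from the post) for the guarded-redirect pattern. It
# tracks simple aliases of document/window and folds '+' concatenation of
# string literals and variables, so the renamed-variable, extra-variable and
# split-string variants still trigger; the if() operands are ignored, so
# number obfuscation in the comparison is irrelevant. Samples are constructed.
ASSIGN = re.compile(r'(?<![\w$.])([A-Za-z_$][\w$]*)\s*=(?!=)\s*([^;]+);')
REDIRECT = re.compile(r'\bif\s*\((?:[^()]|\([^()]*\))*\)\s*\{?\s*'   # if (...) {
                      r'([A-Za-z_$][\w$.]*)\s*\.\s*location(?:\.href)?\s*=(?!=)\s*([^;]+);')
STRING = re.compile(r'"([^"]*)"|\'([^\']*)\'')
ROOTS = ('document', 'window', 'self', 'top')   # objects whose .location redirects

def fold(expr, env):
    """Fold 'a' + "b" + ident into one string; None if any piece is unknown."""
    out = []
    for piece in (p.strip() for p in expr.split('+')):
        m = STRING.fullmatch(piece)
        if m:
            out.append(m.group(1) if m.group(1) is not None else m.group(2))
        elif piece in env:
            out.append(env[piece])
        else:
            return None
    return ''.join(out)

def resolve(name, env):
    """Follow alias chains such as d -> w.document -> window.document."""
    seen = set()
    while True:
        head, _, tail = name.partition('.')
        if head not in env or head in seen:
            return name
        seen.add(head)
        name = env[head] + ('.' + tail if tail else '')

def scan(script):
    """Return [(resolved_object, url)] for every if()-guarded redirect found."""
    env = {}   # identifier -> folded string, or the raw right-hand side (alias)
    for m in ASSIGN.finditer(script):
        folded = fold(m.group(2).strip(), env)
        env[m.group(1)] = m.group(2).strip() if folded is None else folded
    hits = []
    for m in REDIRECT.finditer(script):
        obj, url = resolve(m.group(1), env), fold(m.group(2).strip(), env)
        if obj.split('.')[-1] in ROOTS:
            hits.append((obj, m.group(2).strip() if url is None else url))
    return hits

# Constructed samples: the post's baseline form, its extra-variable plus
# split-string variant, and a benign page; only the first two should be flagged.
BASELINE = 'var1=5; var2=var1; if(var1==var2) { document.location="http://[Insert URL Here]"; }'
ALIASED = ('var w=window; var d=w.document; var u="http://"+"[Insert URL Here]"; '
           'var a=7; var b=a; if(a==b){ d.location=u; }')
BENIGN = 'var x=1; if(x==1){ console.log("no redirect"); }'
```

The folding is deliberately shallow (no String.fromCharCode, no nested parentheses beyond one level), which is exactly the kind of gap the later tests exploit; treat it as a starting point for a rule, not a finished one.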

Follow the discussion on the avast! forums,

~!Donovan


Searching For Exploit Kits

A useful trick for finding exploit kit archives on Google is the following query: “* exploit kit.zip”.

This matches any page containing (any characters) exploit kit.zip, case-insensitively, and gives the best results. For a narrower but less exhaustive result, replace the star (*) with the name of the exploit kit you are looking for. For example: “Crimeware exploit kit.zip”.

Keep hunting,
~!Donovan

After you have downloaded the executable payload, whether it’s shellcode, Java, or Flash, you now have to find more information about it online. Usually, if the file is very new, you will not find anything. However, there might be the occasional blog post or two, so remember to search for the files online. Before you jump into searching, there is a specific routine that you must follow.

Use specific search queries:

  • File Names
  • Hashes (MD5, SHA1, SHA256)
  • Related Websites (Domains, IPs)

If you did not find anything, be the first to analyze it! Check out our list of tools.

From there you have to use the information you found, and the information you researched, to make a summary of the malicious file(s) and what they do. If there are multiple files that act similarly, you should use the keyword variant. For example, MeDoS is planned to use 2 different methods and 5 different obfuscation algorithms. You would classify each as follows:

  • MeDoS[M1-O1]
  • MeDoS[M1-O2]
  • MeDoS[M1-O3]
  • MeDoS[M1-O4]
  • MeDoS[M1-O5]
  • MeDoS[M2-O1]
  • MeDoS[M2-O2]
  • MeDoS[M2-O3]
  • MeDoS[M2-O4]
  • MeDoS[M2-O5]

Once you are finished, report your findings ASAP. Many antiviruses do not detect malware until it is already out and someone is infected.

~!Donovan

List of Tools and Their Use

WEBSITE ANALYSIS

Automated Analysis:

Evuln Web Security – XSS & SQL injection tests, iframes, JavaScript, and search redirects

urlQuery – Domain map, deobfuscated results, site preview, even IDS alerts

Quttera – Friendly UI with detailed reports

Wepawet – Deobfuscated results, network activity, ActiveX controls, even shellcode

Comodo SiteInspector – Blacklisting, phishing, malicious, suspicious, and download activity

Unmask iFrame – Find all iframes in a given URL

Sucuri SiteCheck – Blacklisting, malware, redirects, outdated software

Zulu zScanner – Host, URL, and content checks

Unmask Parasites – Searches for long lines and hidden iframes

Website Returns & Responses:

JSunpack – All webpage returns including deobfuscated content

HTML Sniffer – Check the content of a webpage with various requests

Redleg File Viewer – Search URLs for suspicious elements

vURL – Dissect URLs for external links, scripts, and iframes

Deobfuscators & Beautifiers:

jsBeautify – Make JavaScript readable

Unescape Decoder – Decode unescape()

Dean Edwards Unpacker – Decode Dean Edwards’ algorithm

Encode Decode – Deobfuscate Shifted unescape()

Base64 Decoder – Decode Base64

PHP Deobfuscator – Decode common PHP obfuscation functions

Blacklists:

CleanMX – Various different queries available with quick-updates

Malware Domain List – A complete list of malicious domains

urlVoid – Check with over 25 different engines

ScanURL – Check with 3 different URL scanners

BadMalWeb – Find malicious websites in a virtually unlimited database

Google SafeBrowsing – Check for malicious activity

Webutation – Reputation check

RBL Blacklist – Check with over 25 private blacklists

RBLS Blacklist – Check with over 15 private blacklists

VirusTotal – Check with over 30 different URL scanners

Latest Exploits:

Emerging Threats – The latest malicious exploits and trends

Malware Analysis Search – A custom Google search just for analysts

1337day – Database of exploits for security researchers

Intelligent Exploit – Joomla, WordPress, and other common software exploits

CXSecurity – Latest CVE exploits

Exploit Database – Various exploits, including remote, local, and web categories

CVE Details – Details of CVE exploits

Exploit Search – Search various CVE exploits

OWASP – Exploit algorithms explained and prevention

FILE ANALYSIS

Comodo Analysis – Events, mutexes, threads, and more

VirusTotal – Check against 40 different antivirus engines

CWSandbox – Arguably the most specific file analysis

Anubis – Network, file, and registry activities

Bleeping Computer Startups – List of good/bad startup entries

Malwr – Screenshots, process tree, behavioral analysis

Minotaur Analysis – Screenshots, domain information, video analysis

Shellcode 2 Exe – Convert shellcode to an executable

Avast! Online Scan – Scan using avast’s engine

Is This File Safe? – Check if file is blacklisted as malicious

Dr.Web Online Check – Scan using Dr.Web’s engine

VX Vault – Search the file’s MD5 in a top-notch database

Note that the above lists are in order based on how much I find the site useful. Maybe I’ll have enough time to make an application featuring many of these sites’ features. Many of these sites were found by Polonus.

Put these tools to good use,
~!Donovan