
Sharing the Experience of Deobfuscation for a Trojan Sample

14 Dec 2012

Thanks to the ThreatSeeker Network, we have discovered another interesting malicious web Trojan. Let’s share the experience of analysing it.

The first step is to locate the malicious code, shown in the red pane of the following picture. Then we begin the deobfuscation work.


From this obfuscation, let me show you some interesting details about the code:

1. The original code is converted into decimal character codes that the browser can interpret in HTML. The decimal codes are then changed into hexadecimal codes.

2. With a step length of 10 characters, a random special symbol is inserted into the hexadecimal codes at every step, as shown by the code in the red pane of the picture.

3. The hexadecimal codes with their special symbols are split into 90 parts, and each part is given a name ID such as “d0, d1, d2 … d89”. Sometimes the obfuscated parts do not appear in order from 0 to 89 but are scrambled.

4. As the picture below shows, the common JavaScript commands used for deobfuscating have been split up to avoid signature matching; frequently used commands such as “getAttribute” and “parseInt” are likewise broken into scattered pieces.


5. The code in the picture above turns the obfuscated code back into the original code that the browser can interpret. It converts the 90 obfuscated parts and joins them into a whole program by ID, following the order from 0 to 89.

6. The most useful original code, shown in the picture above, is hidden in the IFRAME tag content and downloads a .PDF file for exploitation. Before the useful program runs, a lot of additional code may perform useless operations, or a seemingly trivial comparison (an “identical equation”) may decide whether a statement is TRUE, such as ” if (12==022) ”.
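The decoding steps described above (reassemble the d0..d89 parts by ID, strip the inserted symbols, turn each hex code back into a character) as an added analyst-side example; this is not the sample's own decoder or code from the original post. The fixture builder, the "@" junk symbol and the function names are this example's own assumptions.

```javascript
// Added example (not the post's code): decoder for the described scheme, plus a
// constructed sample so it runs offline. makeSample, deobfuscate, JUNK are assumed names.

const PART_COUNT = 90;   // the post's sample used d0..d89
const STEP = 10;         // one junk symbol every 10 hex characters
const JUNK = "@";        // assumption: the inserted symbol is never a hex digit

// Constructed fixture in the post's format: two-digit hex char codes (ASCII input
// only), a junk symbol after every STEP characters, split into PART_COUNT named
// parts that are deliberately returned out of order (the post notes d0..d89 may
// be scrambled). Decimal-then-hex and direct hex give the same result.
function makeSample(plain) {
  let hex = "";
  for (const ch of plain) hex += ch.charCodeAt(0).toString(16).padStart(2, "0");
  let salted = "";
  for (let i = 0; i < hex.length; i += STEP) salted += hex.slice(i, i + STEP) + JUNK;
  const size = Math.ceil(salted.length / PART_COUNT) || 1;
  const parts = {};
  for (let i = 0; i < PART_COUNT; i++) parts["d" + i] = salted.slice(i * size, (i + 1) * size);
  return Object.fromEntries(Object.entries(parts).reverse()); // scrambled order
}

// Analyst-side decoder: order the parts by their numeric ID (d0, d1, ... d89),
// join them, drop every non-hex character, then decode each two-digit hex code.
function deobfuscate(parts) {
  const joined = Object.keys(parts)
    .filter((k) => /^d\d+$/.test(k))
    .sort((a, b) => Number(a.slice(1)) - Number(b.slice(1)))
    .map((k) => parts[k])
    .join("");
  const hex = joined.replace(/[^0-9a-fA-F]/g, "");
  if (hex.length % 2 !== 0) throw new Error("odd hex length: parts missing or truncated");
  let out = "";
  for (let i = 0; i < hex.length; i += 2) out += String.fromCharCode(parseInt(hex.slice(i, i + 2), 16));
  return out;
}
```

Running deobfuscate over the scrambled fixture returns the original text; a missing or truncated part shows up as an odd hex length rather than silently producing garbage.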


Glad to share the analysis experience with you.
