
An interesting technique for hiding JS "virus" code

Today someone sent me a piece of code that plants the usual "send an SMS to unlock" virus on the machine. The background and the cleanup procedure are described separately.

I decided to pick it apart. I took the code, reformatted it and started debugging... Hmm, interesting: the code contains this call (after bringing it to a readable form)

window[ 'eval' ](var2);

But var2 holds binary garbage. Wow... eval cannot execute binary data!

I looked closer at the code... and it turns out the script uses its own source text to decrypt the payload. Accordingly, after I reformatted the code, its body changed, and so did the result of the decryption.

So the unformatted code has to be run somehow, without catching anything harmful along the way. How? You cannot insert a debugger; statement or set a breakpoint: the whole thing sits on one line...

Knowing that the script calls eval (through window['eval'], which is the same property), you can use this construction:

window.eval = function (arg) {
    debugger; // arg is the decoded code the script wanted to run; it is never executed
}


After that the eval call is caught successfully, and you get the whole code the virus was trying to execute...

UPD1: Actually, why am I writing all this? I had not encountered such sophisticated constructions before; mostly a plain eval(base64_decode('...')) was used. Well, and IMHO debugging by redefining eval is an interesting method...

UPD2: My attempt to deobfuscate and unpack the primary "virus" (the link is in the original post). The original code (before my intervention) can be seen on line 22; what was there before it is in the comment on the next line. I did not try to run it =). Heuristic antivirus analyzers detect the file.

UPD3: Now, having taken the code apart, it is clear that the decoder does not use its whole source text. It needs only the digits, and their positions do not matter, only their order. The initial "glitch" with the binary data happened because I had renamed a function to something more human-readable, and as you can see the name contained digits. That is why everything broke. Adding new non-digit characters does not affect the script.
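To make the two observations above concrete, here is an added example (written for this page, not the code from the post or the sample it describes): a constructed toy dropper that, like the one analysed above, derives its decryption key from the digits of its own source text, plus the eval-hook trick from the main text used to capture the decoded payload instead of executing it. The payload, the XOR scheme and the names d1/h2 are assumptions made for the demonstration; the real sample's cipher is not known from the post. It runs in Node (globalThis stands in for window).

```javascript
// Added example, not the original malware: a toy dropper keyed on the digits of
// its own source, and an eval hook that records what it tries to run.

// Constructed, harmless stand-in for the script a real dropper would eval.
const PAYLOAD = "document.title = 'decoded payload';";

// Key = every digit of the source, in order. Letters and whitespace are ignored,
// so pretty-printing is harmless, but renaming d1 -> decode changes the key.
function digitsOf(src) {
  return src.replace(/\D/g, '');
}

// Repeating-key XOR of an ASCII string with the digit string, hex-encoded.
function xorHex(text, key) {
  let hex = '';
  for (let i = 0; i < text.length; i++) {
    const b = text.charCodeAt(i) ^ key.charCodeAt(i % key.length);
    hex += b.toString(16).padStart(2, '0');
  }
  return hex;
}

// Minified one-line dropper (assumed shape). d1 reads its own source via
// toString(), keeps only the digits, XOR-decodes the hex argument and hands the
// result to eval through a property lookup, the window['eval'](var2) pattern.
const DROPPER_SRC =
  "function d1(h2){var k=d1.toString().replace(/\\D/g,''),o='';" +
  "for(var i=0;i<h2.length;i+=2)o+=String.fromCharCode(parseInt(h2.slice(i,i+2),16)^k.charCodeAt((i/2)%k.length));" +
  "return globalThis['eval'](o)}";

// What an analyst's pretty-printer does: newlines and indentation, no digits touched.
const REFORMATTED_SRC = DROPPER_SRC.replace(/;/g, ';\n  ').replace(/\{/g, '{\n  ');

// What the post's author did: rename d1 to something readable. Two '1's leave the key.
const RENAMED_SRC = DROPPER_SRC.replace(/\bd1\b/g, 'decode');

// The post's trick: replace eval so the dropper hands over its plaintext.
function hookEval() {
  const realEval = globalThis.eval;
  const captured = [];
  globalThis.eval = function (code) {
    debugger; // in browser devtools execution stops here with `code` in scope
    captured.push(String(code)); // record it, never execute it
    return undefined;
  };
  return { captured, restore() { globalThis.eval = realEval; } };
}

// Instantiate a dropper from its source text and run it under the hook.
// Returns whatever it tried to eval, or null if it never called eval.
function runDropper(src, hexPayload) {
  // Function-constructed code is sloppy mode; toString() yields the literal text.
  const dropper = new Function('return ' + src)();
  const hook = hookEval();
  try {
    dropper(hexPayload);
  } finally {
    hook.restore();
  }
  return hook.captured.length ? hook.captured[0] : null;
}

// Encrypt against the *unformatted* source, as the malware author would have.
const HEX_PAYLOAD = xorHex(PAYLOAD, digitsOf(DROPPER_SRC));

if (typeof require !== 'undefined' && require.main === module) {
  console.log('original   :', runDropper(DROPPER_SRC, HEX_PAYLOAD));
  console.log('reformatted:', runDropper(REFORMATTED_SRC, HEX_PAYLOAD));
  console.log('renamed    :', runDropper(RENAMED_SRC, HEX_PAYLOAD));
}
```

The original and the whitespace-reformatted variants both yield the plaintext, because the digit sequence is unchanged; the renamed variant decodes to garbage, which is exactly the "binary data" seen in the debugger. In all three cases the hook returns without calling the real eval, so nothing the dropper decodes is ever executed.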

UPD4: What did the resulting code do in the end? It fingerprinted the browser, the installed plugins and other information useful for the next steps (whether Java is enabled, the system language (?)). Then, based on the collected data, it built a URL to fetch a further script, which in turn injected into the page the exploit best suited to that configuration. In my environment it was a Java applet. According to colleagues, the applet downloaded from that link uses a specific vulnerability (the reference is in the original post). The code of the "secondary" virus and the exploit applet itself are available.

UPD5: In the comments, a Firefox extension is mentioned that lets you see all the code defined and executed on the page.

Source: https://habr.com/ru/post/83893/

