In association with heise online

Reading the coffee grounds

As Malzilla only processes JavaScript, we need another tool for analysing the jjj.jar Java archive: the Jode Java decompiler. It converts the Java byte-code of the archive's Java classes into Java code that can be read by humans. Jode itself was written in Java, which makes it executable on various operating systems. The Jode archive (jode-1.x.jar) can simply be stored in a directory and does not require an installation routine. However, the archive's location should be included in the CLASSPATH Java environment variable; the required steps are explained in Jode's program documentation.

Figure: Jode stores the archived classes as individual Java source code files.

To analyse the jjj.jar archive containing the exploit code, download it from the server to your hard disk and decompile it using the command java jode.decompiler.Main --dest srcdir jjj.jar. Jode will create three Java source code files and a subdirectory. Finding out how the exploit works and which vulnerability in the browser's Java plug-in is exploited would require more in-depth testing. For the purpose of our example, we were content to find out that the PayloadX.java file appears to open a backdoor on port 4444.

Figure: The Java applet is apparently designed to make a server listen on port 4444.
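Before reaching for a decompiler at all, a quick static pass over the archive tells you which of its classes deserve the closer look. The following script is an added example, not part of the article and not code from the Jode project: a .jar is an ordinary zip file, and every .class inside it starts with a constant pool that lists the classes it references and the string literals it carries. The script parses that pool directly, hashes each class and flags references such as java/net/ServerSocket. The jar and the two class files it inspects are constructed inline (a harmless Hello class and a PayloadX-style class), so it runs offline; the watch-list of class names is an assumption for illustration, not a list from the article.

```python
"""Static triage of a Java archive without a decompiler (added example).

A .jar is a zip file; each .class inside begins with a constant pool that names
the classes it references and the string literals it uses. Reading just that
pool is enough to decide which classes to hand to a decompiler such as Jode.
"""
import hashlib
import io
import struct
import zipfile

# Constant-pool tags from the JVM specification (section 4.4).
CONSTANT_UTF8 = 1
CONSTANT_CLASS = 7
CONSTANT_STRING = 8
# Payload sizes (in bytes, after the tag) of the entries the triage skips over.
_FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 9: 4, 10: 4, 11: 4, 12: 4,
               15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

# Assumed watch-list: class references that are unusual for a benign applet.
WATCHLIST = ("java/net/ServerSocket", "java/net/Socket",
             "java/lang/Runtime", "java/lang/ProcessBuilder")


def parse_constant_pool(data):
    """Return (referenced class names, string literals) of one class file.

    Note: small integer literals such as a port number are normally inlined
    in bytecode (sipush) and do not appear in the pool unless kept as a string.
    """
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    count = struct.unpack(">H", data[8:10])[0]   # constant_pool_count
    pos, index, pool = 10, 1, {}
    while index < count:
        tag = data[pos]
        pos += 1
        if tag == CONSTANT_UTF8:
            length = struct.unpack(">H", data[pos:pos + 2])[0]
            pos += 2
            pool[index] = (tag, data[pos:pos + length].decode("utf-8", "replace"))
            pos += length
        elif tag in (CONSTANT_CLASS, CONSTANT_STRING):
            pool[index] = (tag, struct.unpack(">H", data[pos:pos + 2])[0])
            pos += 2
        elif tag in _FIXED_SIZE:
            pos += _FIXED_SIZE[tag]
        else:
            raise ValueError("unknown constant pool tag %d" % tag)
        index += 2 if tag in (5, 6) else 1      # long/double take two slots
    resolve = lambda ref: pool[ref][1]          # Class/String point at a Utf8
    classes = sorted({resolve(ref) for tag, ref in pool.values() if tag == CONSTANT_CLASS})
    strings = sorted({resolve(ref) for tag, ref in pool.values() if tag == CONSTANT_STRING})
    return classes, strings


def triage_jar(jar):
    """Summarise every .class in a jar (path or file object) for triage."""
    report = {}
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            if not name.endswith(".class"):
                continue
            data = zf.read(name)
            classes, strings = parse_constant_pool(data)
            report[name] = {
                "sha256": hashlib.sha256(data).hexdigest(),
                "classes": classes,
                "strings": strings,
                "flags": [c for c in classes if c in WATCHLIST],
            }
    return report


def build_sample_class(class_name, refs, literals):
    """Constructed minimal class file: a constant pool, no fields or methods."""
    entries = []

    def utf8(text):
        raw = text.encode("utf-8")
        entries.append(struct.pack(">BH", CONSTANT_UTF8, len(raw)) + raw)
        return len(entries)                     # pool indices are 1-based

    def clazz(text):
        entries.append(struct.pack(">BH", CONSTANT_CLASS, utf8(text)))
        return len(entries)

    this_idx, super_idx = clazz(class_name), clazz("java/lang/Object")
    for ref in refs:
        clazz(ref)
    for lit in literals:
        entries.append(struct.pack(">BH", CONSTANT_STRING, utf8(lit)))
    header = b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 49, len(entries) + 1)
    # access_flags, this_class, super_class, then empty interface/field/method/attribute tables
    trailer = struct.pack(">HHHHHHH", 0x0021, this_idx, super_idx, 0, 0, 0, 0)
    return header + b"".join(entries) + trailer


def build_sample_jar():
    """Constructed sample jar: one harmless class and one PayloadX-style class."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Hello.class", build_sample_class(
            "Hello", ["java/applet/Applet"], ["hello"]))
        zf.writestr("PayloadX.class", build_sample_class(
            "PayloadX", ["java/net/ServerSocket", "java/lang/Runtime"], ["4444"]))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, info in triage_jar(build_sample_jar()).items():
        print(name, info["sha256"][:16], "flags:", info["flags"], "strings:", info["strings"])
```

Run it against a real archive with triage_jar("jjj.jar") once the file is on disk; the sha256 of each class doubles as the identifier you would look up in other reports, and the flagged class names tell you where to start reading once Jode has produced the source files.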

Substitutes

If you think that running or installing these tools is too much work or too risky, or if you want to quickly investigate a suspicious web page while away from your own computer, you can also use one of the available online services. Malware analyst Blake Hartstein of iDefense offers the jsunpack service, which is based on the jsunpack-ng analytical toolkit he developed.


Zoom Jsunpack automatically decodes and analyses the JavaScript code on suspicious web pages.
Like Malzilla, jsunpack decodes obfuscated JavaScript code, tries to interpret how it works, provides an assessment of whether a page is infectious and details the nature of the risk. It only requires a URL. However, testing the www.bowwow.co.uk domain we already investigated with Malzilla reveals an interesting difference: Jsunpack first followed an unencrypted link that was apparently incorporated into the page by hackers. At the link destination, the tool proceeded to analyse various segments of encrypted JavaScript code and eventually discovered a PDF exploit. Jsunpack ignores the camouflaged JavaScript code which later appears in the HTML source and was also embedded by hackers. The reasons for having several redirects to PDF exploits on one compromised page remains unclear. Malware specialist Thorsten Holz thinks this could be due to multiple infections caused by several attacks by different hackers.

Jsunpack collates its analytical results in a short report. However, it is not always reliable and reported no suspicious code on several demonstrably compromised pages we tested.

Malware crawlers


Zoom Wepawet expects to start with a URL or a stored HTML file.
The Wepawet service operated by the University of California's Computer Security Group is far more reliable and can, in attacks on plug-ins such as those for Adobe Flash and Adobe Reader, identify the vulnerability exploited by the attacker. As current studies show that most exploits take advantage of holes in Adobe products, an analysis with Wepawet is likely to have a high success rate. Furthermore, Wepawet also detects numerous exploits by consulting the Anubis and Virus Total online malware scanners.


Zoom First things first: wepawet lists the vulnerabilities an exploit is targeting in a web page.
Like jsunpack, Wepawet expects a URL, decodes any obfuscated segments of JavaScript code and presents them in an overview. It also lists all relevant script activities such as whether and from where, a script loads further scripts, which ActiveX controls are enabled in Internet Explorer, and which destinations are given in redirects. It automatically follows redirects and continues its analysis at the respective destinations without requiring further URL input.

Those who wish to quickly check the activities on a suspicious page will, therefore, find Wepawet to be a great tool. It offers deep insights into the mechanics of an attack without requiring major familiarisation – and allows users to avoid more involved manual analyses. What applies to virus scanners is also true for these tools: The overall success rate increases with every extra pair of eyes that examines suspicious code. Users are, therefore, well advised to combine the tools, rather than rely on a particular one.

(dab)

Permalink: http://h-online.com/-949079