This page is interesting because it uses exploits rather than social engineering to install the malicious code. Below are the details of the exploits / malicious code.
Heavy obfuscation
The JavaScript code is heavily obfuscated. It cannot be de-obfuscated by a simple copy-paste of the code into Malzilla; some of the decoding has to be done by hand.
| Original malicious code |
One common technique used on this page to break JavaScript de-obfuscation tools is to reference the DOM, which a tool running the script outside a browser does not provide. On this page, part of the JavaScript code is included in a textarea HTML tag. It is retrieved and executed later with code like this:
eval(document.getElementsByTagName('textarea')[0].value);
While executing the obfuscated JavaScript code, new HTML elements are added to the page and used to store values or JavaScript code that is retrieved again later in the JavaScript code.
| First de-obfuscation pass generated new obfuscated JavaScript code! |
Fortunately, all the JavaScript code is inline. There is no external file; external scripts always make de-obfuscation harder.
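The textarea trick described above, and the extra decoding pass it forces, as an added example in JavaScript. This is not code from the original page or from the malicious sample: the three-stage page, its element names and ids are constructed for the example. A tiny fake document supplies just enough DOM for the loader to find what it stored, and eval is shadowed by a function parameter so each stage is captured as text instead of executed, until a stage no longer calls eval.

```javascript
// Constructed sample page (not the real malicious page): the loader <script>
// pulls its second stage out of a hidden <textarea>; that stage creates a new
// element to stash a string, then eval()s a third stage that reads it back.
const SAMPLE_HTML = `
<html><body>
<textarea style="display:none">var d=document.createElement('div');d.id='k';
d.innerText='al'+'ert';document.body.appendChild(d);
eval("var f=document.getElementById('k').innerText;document.getElementById('o').innerHTML=f+'(1)';");</textarea>
<div id="o"></div>
<script>eval(document.getElementsByTagName('textarea')[0].value);</script>
</body></html>`;

// A DOM element reduced to the properties obfuscated loaders typically touch.
function makeElement(tag, id, text) {
  return { tagName: tag.toUpperCase(), id, value: text, innerHTML: text, innerText: text };
}

// Minimal HTML "parser": enough to recover element bodies and ids from the
// constructed sample. A real page needs a proper parser (entities, nesting).
function parseElements(html) {
  const tagRe = /<(textarea|div|span|script)\b([^>]*)>([\s\S]*?)<\/\1>/gi;
  const elements = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const idMatch = /\bid\s*=\s*["']([^"']+)["']/i.exec(m[2]);
    elements.push(makeElement(m[1], idMatch ? idMatch[1] : null, m[3]));
  }
  return elements;
}

// Fake document: just enough DOM for the loader stages to find what they stored.
function makeFakeDocument(html) {
  const elements = parseElements(html);
  return {
    getElementsByTagName: (tag) => elements.filter((e) => e.tagName === tag.toUpperCase()),
    getElementById: (id) => elements.find((e) => e.id === id) || null,
    createElement: (tag) => makeElement(tag, null, ''),
    body: { appendChild: (e) => { elements.push(e); return e; } },
    write: () => {},
  };
}

// Run one stage with eval shadowed by a function parameter: the stage's own
// eval(...) call hands us the next stage as a string instead of executing it.
// Function-constructor code is sloppy mode, so 'eval' is a legal parameter name.
function runStage(code, doc, captured) {
  const stage = new Function('document', 'eval', code);
  stage(doc, (next) => { captured.push(String(next)); });
}

// What happens when the same loader is pasted into a tool with no DOM at all:
// returns the name of the error thrown (ReferenceError: document is not defined).
function runWithoutDom(code) {
  try {
    new Function('eval', code)(() => {});
    return null;
  } catch (err) {
    return err.name;
  }
}

// Unpack every inline <script>, re-running each captured stage until no stage
// calls eval any more. Returns all stages in order plus the final DOM state.
function unpack(html, maxPasses = 10) {
  const doc = makeFakeDocument(html);
  let pending = doc.getElementsByTagName('script').map((s) => s.innerHTML);
  const stages = [];
  for (let pass = 0; pass < maxPasses && pending.length > 0; pass++) {
    const next = [];
    for (const code of pending) {
      stages.push(code);
      runStage(code, doc, next);
    }
    pending = next;
  }
  return { stages, doc };
}

const result = unpack(SAMPLE_HTML);
console.log(`${result.stages.length} stages; final stage:\n${result.stages[result.stages.length - 1]}`);
console.log('div#o now holds:', result.doc.getElementById('o').innerHTML);
console.log('same loader with no DOM:', runWithoutDom(result.stages[0]));
```

The fake document is deliberately small: each new property the sample touches (here createElement, body.appendChild, getElementById) is added only when a stage fails on it, which is the same by-hand loop the page describes. On a real sample the textarea content also has to be HTML-entity decoded before it is handed to the stage runner.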
Multiple exploits
Like many malicious pages, several exploits are included on this page:
- 2 malicious Java applets, using different techniques for Internet Explorer and Firefox
- PDF exploit
- Quicktime '_Marshaled_pUnk' Remote Code Execution Vulnerability
- Heap spray attack
- Internet Explorer MDAC exploit
- Internet Explorer "iepeers.dll" exploit
- 3 Flash exploits
| Part of the code for the Java exploit |
This malicious page tries the exploits one after another until one succeeds, so a single unpatched component is enough to get infected. Users need to make sure they keep both their browser and their plugins up to date.
-- Julien
1 comment:
java --> javascript