Friday, March 18, 2011

Heavy obfuscation used by Fake Antivirus websites

Just a few days back, I published a post discussing the popularity of fake antivirus websites in 2011. As I mentioned in the blog, attackers are continually creating new domains and websites promoting their fake software using various obfuscation techniques to hide their code from detection by IDS, IPS, antivirus etc. We have since encountered a number of malicious websites hosted on the same IP address. The main pages of the websites are heavily obfuscated. The structure of obfuscated JavaScript remains the same, throughout, but all variables are random. This likely means that the attacker has created, or is using a tool to handle the code obfuscation. Here are screenshots of the JavaScript code from two different websites:


Looking at the above images, you can see that the structure of code remains the same and only the variable names are randomized. Even the source of the page contains only a body tag and the malicious JavaScript. When this page loads, it starts creating animations that deliver security warnings to scare the victim. Here is one example:


As I mentioned in the earlier blog post, these are fake security warnings attempting to coerce the victim into downloading fake antivirus software that will download additional malware onto the system. The code for doing these animations and initiating the download of malicious binaries is hidden inside the malicious script. Let’s decode the main script. The malicious JavaScript code has two functions defined and three lines of code to decode the content. Here is how they look:


The variable “euqbvulz” is passed in the first iteration to the decoding function “ikcmfynlzk()”. The decoded content is then stored in a variable called “wfuaydtmd”. In the second iteration, the “wfuaydtmd” variable is passed to a second function, “fiyctdv()”, whose result goes into a “document.write()” call. So the code goes through two iterations of decoding before anything is written to the page. Let’s decode this code using Malzilla.

Malzilla successfully decoded the contents. But the decoded results contain another three heavily obfuscated JavaScript snippets and some HTML code. Let’s decode them one by one. Here is the first one:

The first malicious JavaScript snippet decodes to the HTML “title” tag, which will be displayed as the title of the webpage, claiming it is a legitimate Windows security website. This means the HTML code displaying the warnings and animation is hidden in the remaining malicious scripts. Here is the second one:

The above script code will load the animated images with the message “Initializing virus Protection System…”. Here is the third one:

If you look at the above image, you will notice some strings related to security, which suggests that this JavaScript code actually loads the animation. The first variable is declared as “strategy” so the strategy used by the attacker is to load the variable with JavaScript code in a CSS format. Here are some of the screenshots of that CSS code:



So, the code displaying the security warnings and messages is obfuscated multiple times by the attacker. You will notice that the strings used by the attacker are the ones displayed in the warning images shown in the first few screenshots. Due to the heavy obfuscation used, the detection rate remains very poor for legitimate antivirus vendors when scanning this HTML file.

Umesh

6 comments:

Anonymous said...

Using virustotal is not a good way to determine how effective AV is at detecting scripts. Many AV systems do runtime scanning as the primary detection means of blocking encoded scripts.

JCC said...

I am interested to know what other tools you used to de-obfuscate the js & what tools you can use to detect this sort of fake-av. thanks!!

Umesh Wanve said...

@ JCC,

I used Malzilla for decoding stuff. We have our signatures in place to detect such Fake AVs.

Jon said...

Umesh,

My question is similar to JCC's: how do you all initially find this traffic? Do people submit it to you, or do you have your own access to large amounts of user web traffic? Just curious.

Awesome write-ups by the way

- Jon

Umesh Wanve said...

@ Jon,
We're a SaaS provider with millions of end users accessing the web via our cloud and we continually analyze the data.