Date: 05 June 2008
Often, when performing incident response (IR) on a compromised website, we're presented with interesting and sometimes challenging obfuscation, used by the bad guys to evade detection.
In some cases the obfuscation is trivial to work through, such as a single layer of percent-encoding that is decoded with eval(unescape(%3C...
Today, I've seen something a little different: the bad guys were using an encryption algorithm you probably know as AES (or Rijndael). That might sound scary until you think it through.
Now, I can only assume that the attackers either haven't thought this all the way through, or that they just want to break traditional detection methods, because if you want to infect a machine, your code has to run.
In the case of a block of ciphertext, that means the browser needs some way to decrypt it; otherwise it can't run anything.
So the short version is that the attackers end up handing us three things:
- The ciphertext
- The algorithm
- The key
We got the binary and ran it through an array of virus scanners, with the following result:
Malware detected by 25 of 32 vendors (78.125% detection rate).
An interesting insight into where the attackers are heading, but they've got a ways to go yet.