Australia's Leading Computer Emergency Response Team

Beyond obfuscation - attackers using encrypted javascript
Date: 05 June 2008
Original URL: http://www.auscert.org.au/render.html?cid=7066&it=9400


G'day,

Often when performing IR for a compromised website we're presented with some interesting and sometimes challenging obfuscation used by the bad guys to prevent detection.

In some cases the obfuscation is trivial to work through, such as a single-layered %-encoded string decoded using eval(unescape(%3C...

Other times we see multi-layered javascript, or javascript pointing to vbscript pointing to javascript pointing to a binary, which any Windows box will handle trivially and, if vulnerable to the exploits offered, will happily download and execute a binary of the attacker's choosing.

Today, I've seen something a little different: the bad guys were using an encryption algorithm you probably know as AES (or Rijndael), which might be scary until you think about it.

Now I can only assume that the attackers either haven't thought this all the way through, or that they are just wanting to break traditional detection methods, because if you want to infect a machine, your code has to run.

In the case of a block of ciphertext, this means the browser will need some way to decrypt the ciphertext; otherwise it won't be able to run anything.

So the short version is that the attackers end up providing us with 3 things:

  • The ciphertext
  • The algorithm
  • The key

All that is then required to analyse this is a text editor, and a javascript engine.

Game over.

We got the binary and ran it through an array of virus scanners with the following results:

     Malware detected by 25 vendors out of 32 - 78.125% detection rate.

An interesting insight into where the attackers are heading, but they've got a ways to go yet.

Cheers,

Macca