Malware Analysis workflows: dealing with malicious websites


These are raw notes about Malware Analysis of malicious websites. I used some of these ideas and tools to do my job.


Dealing with malicious websites

curl

curl --dump-header

CapTipper

NetworkMiner

SmartSniff

http://www.nirsoft.net/utils/smsniff.html

JavaScript de-obfuscation

As a reverse engineer you will need to do some JavaScript coding yourself.

Debugger based JS de-obfuscation

One big encoded var

Often there is one big chunk of obfuscated code in a large var. If that's the case we can edit the script.

  • at the beginning we set debugger; to prevent the browser from directly executing the malicious JavaScript code
  • then we can use Chrome Dev Tools or Firebug to set a breakpoint where the variable gets executed. Usually that's something like eval(arr) or document.write(arr)
  • open Firefox with Firebug
  • load the webpage in the browser, set a breakpoint on eval, inspect the variable
  • Firebug console: console.log(arr), which should reveal the de-obfuscated JS
  • if these variables drop a lot of code you can beautify it with WebStorm or some other JS IDE, add tabs and line breaks etc. I think IE can set breakpoints in the middle of a line. In case you want to limit the reformatting of the code, you should check that out.

Interpreter based JS de-obfuscation

SpiderMonkey can be used to run the JS outside the browser in a standalone and compatible interpreter. But you need to define the HTML DOM objects and methods the script expects, with the output sinks replaced by print:

document = {
    write: print,
    writeln: print
};

eval = function(input_string) {
    print(input_string);
};

This also overrides eval to be a print method. Lenny Zeltser has committed a definition file into /usr/local/etc/def.js on REMnux.

js -f /usr/local/etc/def.js -f foo.js > /tmp/trace.txt
d8 -f /usr/local/etc/def.js -f foo.js > /tmp/trace.txt

The de-obfuscated script will be in the trace. Then you can let WebStorm or some other IDE clean this up.

You can also use Microsoft cscript with a definition like this:

document = {
    write: function(input_string) {
        WScript.Echo(input_string);
    }
};

eval = function(input_string) {
    WScript.Echo(input_string);
};

So instead of print, use WScript.Echo().

VBScript de-obfuscation (Internet Explorer)

The malicious VB scripts usually have an eval line like:

execute (decode(abc))
execute (decode(cde))

So you’d override execute with a function:

Function execute(x)
    WScript.Echo(x)
End Function

Then

cscript foo.vbs > out.txt