    TrendLabs Security Intelligence Blog

    Author Archive - Michael Du (Threats Analyst)




    In recent years we have noticed more and more malicious Adobe Flash (.SWF) files being incorporated into exploit kits such as the Magnitude Exploit Kit, the Angler Exploit Kit, and the Sweet Orange Exploit Kit. Some more digging showed that the number of Flash files isn’t the only thing that has changed: these files use more obfuscation techniques than files from two to three years ago.

    Antivirus evasion is the primary goal of obfuscation. SWF files use obfuscation techniques to avoid detection by signatures and by emulation. While there are numerous obfuscation techniques, I will discuss four techniques that are commonly used and found in exploit kits.

    String Replacement

    In this technique, key data is disguised as strings, which are processed at runtime with the String.substr and String.replace APIs. If the data is numeric, it is recovered with the parseInt function.

    Figure 1. Sample strings

    Figure 1 comes from a sample of the Sweet Orange Exploit Kit. In this screenshot, the data is hidden in strings such as FRE2325D5E0CC4. This particular data is a memory address, used in malware code.

    Special address values can also be hidden in strings that are only assembled at runtime. This evades signature detection that inspects the constant pool: the constant pool stores important values used by Flash Player, which makes it a natural place for a detector to look.

    Figure 2. Sample strings

    In Figure 2, the value of _loc23_ appears as 0x9FRE2R9FRE2R9FRE2R9FRE2R. Its real value is 0x90909090, which is used as NOP instructions in shellcode. A NOP is usually just a placeholder, but runs of them are commonly used in heap spraying, so one simple detection technique is to check for the value 0x90909090. Writing it as 0x9FRE2R9FRE2R9FRE2R9FRE2R, to be resolved at runtime, is a way of avoiding that check.
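    A scanner-side illustration of this string-replacement trick, added here as an example and not code from the original post: it replays the String.replace and parseInt steps on a constructed literal in the style of Figure 2 and flags the recovered constant when it is the repeated-0x90 NOP filler. The filler token FRE2R, the sample constant pool and the function names are assumptions.

```javascript
// Added example, not from the original post. Emulates the String.replace +
// parseInt chain an obfuscated SWF runs at load time so a scanner can recover
// the constant hidden behind a string literal, then applies the simple check
// the post suggests (look for 0x90909090). Token and function names are assumed.

// Constructed samples in the style of Figure 2: the pseudo-literal, the filler
// token the malware strips out, and what it is replaced with.
const SAMPLE_LITERAL = "0x9FRE2R9FRE2R9FRE2R9FRE2R";
const FILLER_TOKEN = "FRE2R";
const FILLER_VALUE = "0";

// Reverse the disguise: strip every occurrence of the token (the obfuscated
// code loops String.replace or uses a global RegExp), then parse as hex.
// Returns an unsigned 32-bit value, or null if the cleaned string is not hex.
function resolveLiteral(literal, token, value) {
  const escaped = token.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  const cleaned = literal.replace(new RegExp(escaped, "g"), value);
  if (!/^(0x)?[0-9a-fA-F]+$/.test(cleaned)) return null;
  return parseInt(cleaned, 16) >>> 0;
}

// Detection check from the post: a 32-bit constant made of a repeated 0x90
// byte is the NOP filler typically seen in heap-spray blocks.
function isNopFiller(value) {
  if (value === null) return false;
  const bytes = [0, 8, 16, 24].map((shift) => (value >>> shift) & 0xff);
  return bytes.every((b) => b === 0x90);
}

// Walk a decompiled constant pool (constructed here) and report the strings
// that resolve to a flagged constant, with the recovered value for the analyst.
function scanConstantPool(strings, token, value) {
  const hits = [];
  for (const s of strings) {
    const resolved = resolveLiteral(s, token, value);
    if (isNopFiller(resolved)) hits.push({ literal: s, value: resolved.toString(16) });
  }
  return hits;
}

// Constructed constant pool: one class name, the disguised NOP block, one benign hex value.
const SAMPLE_POOL = ["flash.display.Sprite", SAMPLE_LITERAL, "0x41414141"];
```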


    Posted in Exploits, Vulnerabilities



    In many exploit kits, malicious PDF files are some of the most common threats used to try to infect users with various malicious files. Naturally, security vendors invest in efforts to detect these files properly – and their creators invest in efforts to evade those vendors.

    Using feedback provided by the Smart Protection Network, we examined several commonly used techniques by PDF exploits today. These techniques are described in this blog post. Knowledge about the techniques is used to improve Trend Micro’s ability to detect these exploits.

    Common JavaScript Evasion Techniques

    Most PDF exploits use some form of embedded JavaScript. Because of this, common JavaScript evasion and obfuscation techniques work here as well. For example, string replacements, try-catch exceptions, and fromCharCode loops all work in PDF files.

    The following code snippet shows some of these techniques in use:

    Figure 1. Common JavaScript evasion/obfuscation techniques in use

    This particular exploit targets CVE-2010-0188.

    Encoded Content And Function Name in INFO Object

    This type of obfuscation stores encrypted code in fields of the INFO object (such as title, subject, and producer). JavaScript is then used to extract and decode this malicious code.

    In this sample, the Title and Creator fields in the INFO object are unusual: the Creator field is a very long alphanumeric string broken up by numerous exclamation points.

    Figure 2. Encoded code in INFO object

    Like the previous exploit, this also targets CVE-2010-0188.

    Targeting the JavaScript Runtime

    This type of evasion is meant to hide from analysis tools. Running JavaScript in PDF files requires a particular runtime library. This library is part of Adobe Reader, but most analysis tools do not include it. When the malware finds that some functions are not defined or behave incorrectly, the malicious code is not decrypted.

    Checks used for this include the file’s size and the application’s version.

    In the example below, app.endPriv is checked; if it is not defined correctly, no malicious code ends up being run.

    Figure 3. Checking for specific function

    Field Attribute and Scope Functions

    Some malware uses field attributes in XML Forms Architecture (XFA) forms for condition checks. As in the previous case, these scope functions are not “implemented” correctly by analysis tools. If certain objects and functions cannot be found (in this case, the ImageFiled1 object and the ZZA function), the malicious code again is not run.

    In other cases, attributes such as width and height may be used instead.

    Figure 4. Field attribute and scope function
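    A minimal analysis-harness technique for both kinds of runtime check described above (the app.* function check and the XFA field object and attribute checks), added here as an example that is not code from the original post or from any Trend Micro tool: Reader’s app and xfa objects are replaced with Proxy recorders so the sample cannot bail out on a missing member, and the analyst gets a log of every check it made. The sample script, the stub values (viewerVersion, field sizes) and the function names are assumptions.

```javascript
// Added example, not from the original post: Proxy-backed stand-ins for the
// Reader objects a PDF exploit probes, recording each access. Stub values are
// assumptions; app.beginPriv/endPriv and app.viewerVersion are real Reader names.

// Constructed sample mirroring the gates in Figures 3 and 4: it proceeds only
// if app.endPriv exists and the ImageField1 node has a height attribute.
const SAMPLE_SCRIPT = `
  if (typeof app.endPriv !== "function") throw new Error("wrong runtime");
  var f = xfa.resolveNode("ImageField1");
  if (!f || !f.h) throw new Error("field missing");
  return "decode-stage-reached"; // a real sample would decode its payload here
`;

// Callable Proxy: every property read or call is appended to `probes`; known
// members return their stub, unknown ones return another recorder so chained
// checks such as a.b.c() never throw.
function makeRecorder(name, known, probes) {
  return new Proxy(function () {}, {
    get(_, prop) {
      if (typeof prop === "symbol") return undefined;
      probes.push(`${name}.${prop}`);
      return Object.prototype.hasOwnProperty.call(known, prop) ? known[prop] : makeRecorder(`${name}.${prop}`, {}, probes);
    },
    apply(_, __, args) {
      probes.push(`${name}(${args.length} args)`);
      return makeRecorder(`${name}()`, {}, probes);
    },
  });
}

// Run the script with exactly the names in `env` visible; anything else is
// undefined, which is what a tool lacking Reader's runtime library sees.
function runScript(code, env) {
  const names = Object.keys(env);
  try {
    return { result: new Function(...names, code)(...names.map((n) => env[n])), error: null };
  } catch (e) {
    return { result: null, error: e.constructor.name };
  }
}

// Compare a bare run (no Reader objects) with a stubbed run and return the probe log.
function analyse(code) {
  const probes = [];
  const field = (path) => makeRecorder(`field:${path}`, { h: "1in", w: "1in" }, probes);
  const env = {
    app: makeRecorder("app", { viewerVersion: 9.0, beginPriv() {}, endPriv() {} }, probes),
    xfa: makeRecorder("xfa", { resolveNode: field }, probes),
  };
  return { bare: runScript(code, {}), stubbed: runScript(code, env), probes };
}
```

    The bare run fails with a ReferenceError exactly as the post describes, while the stubbed run reaches the decode stage and the probe log names each check the sample made.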

    Namespace Control

    This year, we saw a new vulnerability (CVE-2013-2729) which was paired with new evasion techniques.

    We saw JavaScript code that worked across different namespaces (controlled by the name attribute), which analysis tools sometimes handle poorly. In this particular snippet there are two different objects – util and spray – and the figures show how functions and variables are used in these two namespaces.

    Figures 5-7. Namespaces and variables used

    Variables Scope Changed in eval Function

    This type of evasion method is based on certain specifics of the PDF JavaScript engine. Consider the following code snippet:

    (function(){var v="inner"; e=eval; e("alert(v)"); })();

    The above code functions correctly in Adobe Reader; the code in the “inner” scope is executed. With other JavaScript engines this may not work, and an error will be returned instead. This could prevent analysis of the malicious code.

    Summary

    We believe that among these evasion methods, two – checking the JavaScript runtime and changing the scope of variables – will be used more widely in the future. These represent cybercriminals’ latest attempts at evading detection.

    Trend Micro’s existing web reputation service detects and blocks the websites that use these techniques. The specific samples noted above are also detected as: TROJ_PIDIEF.ERP, TROJ_PIDIEF.ERQ, TROJ_PIDIEF.SMAL, and TROJ_PIDIEF.SMAP.


    Posted in Exploits, Malware


     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice