Archive

Archive for the ‘JavaScript’ Category

Gamarue, Nemucod, and JavaScript

May 9th, 2016 No comments

JavaScript is now being used largely to download malware because it’s easy to obfuscate the code and it has a small size. Most recently, one of the most predominant JavaScript malware that has been spreading other malware is Nemucod.

This JavaScript trojan downloads additional malware (such as Win32/Tescrypt and Win32/Crowti – two pervasive ransomware trojans that have been doing the rounds for a few years[1] – and Win32/Fareit) and installs it on a victim’s system through spam email.

Recently, however, we’ve seen another version of Nemucod distributing Gamarue malware to users.

Gamarue, also known as “Andromeda bot”, has been known to arrive through exploit kits, other executable malware downloaders (including Win32/Dofoil and Win32/Beebone), removable drives, and through that old stand-by: spam campaigns.

The shift to a JavaScript-obfuscated downloader might be an attempt by the malware authors to evade the increasing detection capabilities and sophistication in antimalware products.

A quick look into the obfuscated JavaScript code shows us that, aside from the encrypted strings, it uses variables with random names to hide its real code.

Sample of an obfuscated JavaScript code

Figure 1: Obfuscated code

 

The decrypted code is shown in the following image:

Sample of a decrypted JavaScript previously-obfuscated code

Figure 2: De-obfuscated code

 

Nemucod is known to have different hashes for each variant. For this one particular hash, since the detection was written in early April, 2016, it reached in total of 982 distinct machines with 4,192 reports – which indicates the number of Gamarue installations that could have occurred if it was not detected.

Nemucod detection rate

Figure 3:  Nemucod detection rate

 

Gamarue has been observed stealing vital information from your PC. It can also accept commands from a command and control (C&C) server. Depending on the commands received, a malicious hacker can perform various actions on the machine. See our family description of Win32/Gamarue for more information.

 

 

Nemucod impact

Since the start of 2016, Nemucod has risen in prevalence.

Rising Nemucod prevalence trend

Figure 4:  Rising Nemucod prevalence trend shows that it peaked on April

 

For the top 10 countries for Nemucod detections, the US takes a third, followed by Italy and Japan. The spread of infections is quite widespread across the globe.

Nemucod geoloc distribution from January to April 2016

Figure 5: Majority of the Nemucod infections are seen in the United States

Overall, however, it still remains relatively low, especially when compared to Gamarue.

 

Gamarue impact

Unlike Nemucod, Gamarue detections started high and have remained high since late last year. Overall, numbers have dropped a small amount since the start of 2016. Interestingly, there are large troughs during every weekend, with a return to higher numbers on Monday. This can indicate that Gamarue is especially pervasive either in enterprises, or in spam email campaigns.

Gamarue prevalence chart shows steady pattern from January to April 2016

Figure 6: The Gamarue infection trend shows a steady pattern

 

For Gamarue, the top 10 countries see distribution largely through India, Asia, Mexico, and Pakistan.

Gamarue geoloc distribution from January to April 2016

Figure 7: Majority of the Gamarue infection hits third world countries

 

Mitigation and prevention

To help stay protected from Nemucod, Gamarue, and other threats, use Windows Defender for Windows 10, or other up-to-date real-time product as your antimalware scanner.

Use advanced threat and cloud protection

You can boost your protection by using Office 365 Advanced Threat Protection and enabling Microsoft Active Protection Service (MAPS).

Office 365 helps by blocking dangerous email threats; see Overview of Advanced Threat Protection in Exchange: new tools to stop unknown attacks, for details.

MAPS uses cloud protection to help guard against the latest malware threats. You should check if MAPS is enabled on your PC.

Some additional preventive measures that you or your administrators can proactively do:

 

———————————————————————–

[1] We’ve published a number of blogs about Crowti, including:

It was also featured in the July 2015 version of the Malicious Software Removal Tool (MSRT):

 

Donna Sibangan

MMPC

 

 

TypeScript: an open and interoperable language

October 1st, 2012 No comments

Today Microsoft announced the release of the TypeScript preview, a new open and interoperable language for application scale JavaScript development. The TypeScript compiler is available as open source on CodePlex.

TypeScript is a typed superset of JavaScript that compiles to plain JavaScript. TypeScript starts and ends in JavaScript. You can read more details in Soma’s blog, on the TypeScript site and on CodePlex.

So, how is TypeScript open?

The TypeScript language is made available under the Open Web Foundation’s OWFa 1.0 Specification Agreement, and the community is invited to discuss the language specification. Microsoft’s implementation of the compiler is also available on CodePlex under the Apache 2.0 license. There you can view the roadmap, and over the next few weeks and months you’ll see the TypeScript team continue to develop on CodePlex in the open.

TypeScript builds upon the good work happening in the TC39 committee, which determines the direction of the ECMAScript standard, the formal standard for JavaScript. Microsoft continues to work with the committee to evolve the language and runtime capabilities. Should the community desire the TypeScript team to go even further and submit TypeScript to the standards body, the team is open to that too.

And how is it interoperable?

All JavaScript is TypeScript, such that you can literally copy-and-paste from an existing JavaScript program into a TypeScript file. You can also create TypeScript declare files to annotate the types for existing libraries, enabling great tooling experiences without having to modify the libraries themselves (the TypeScript team has included TypeScript files to declare the types for several popular JavaScript libraries like jQuery, MongoDB, and the DOM). Over the coming weeks, we plan to partner with developer communities that create these libraries to ensure that the TypeScript files that declare the types support the best developer experience.

Because TypeScript produces standards-compliant JavaScript, TypeScript is consistent with Microsoft’s commitment to Same Markup and an interoperable web: the output of the TypeScript compiler runs on any browser, in any host, on any operating system. Further, it already plugs into your existing JavaScript toolchain (minifiers, lint checkers, build systems, command line tools).

Last but not least, you will see on the site that you can develop TypeScript code using the online playground tool or Visual Studio 2012. But this is not it! You can also use Sublime Text, Vim or eMacs as the team has kicked off work on syntax files for these popular editors JavaScript developers love to use. And as the specification is public, anyone can create their own syntax files for other editors as well.

image   image

image   Screenshot - typescript

 

Give your feedback

TypeScript is one foray into making programming languages and tooling even more productive. Pick it up, take it for a spin, and give your feedback. You can contribute by discussing the language specification or filing a bug.

Olivier Bloch
Senior Technical Evangelist
Microsoft Open Technologies, Inc.

Dead code walking

May 24th, 2011 No comments

Recently I had a moment to review a group of PDF exploit files. Many exploits use various tricks to obfuscate embedded JavaScript. I thought I could de-obfuscate the samples by throwing them into a sandbox environment and enjoying the beautified source code, but these samples required a different method to coax the legible code into view.

In these examples, which come from Exploit:Win32/Pdfjsc.NJ (SHA1 45d04db8617a85f5359fb1a33ad867ef3d43eb7f), the files contained JavaScript that was embedded into an XFA form that allowed Adobe Reader to run the code when the file is opened by setting an event handler for field initialization. This trick is not new, but it is relatively easy to extract the malicious JavaScript code, as visible in this snippet:

extracted JavaScript
Image 1 – extracted JavaScript

The embedded code contains many useless variable assignments and arithmetic operations. After reviewing the block of code, nothing interesting was readily identifiable; most of the code resembled the image shown below:

arithmetic assignments
Image 2 – arithmetic assignments

It is quite different than the obfuscation seen before in other samples. By carefully examining the code, several obfuscations that utilize the reverse process of code optimization are identified.  Look at this piece of code:

dead code
Image 3 – dead code

The local variable ‘dv’ is assigned a value and has a ‘minus’ operation. But after that, the variable is never accessed in its life scope, which means these two lines are dead code that can be removed without affecting the result of the program. Besides this, fake conditions are added in many places to make the code more confusing:

meaningless code
Image 4 – other meaningless code

The variable ‘dc’ is constant when compared to the constant value ‘7266’; the code block inside the ‘true’ branch of the ‘If’ statement will never be executed, which makes the whole ‘If’ statement useless. After removing all of this dead code, other interesting things begin to show up and all of the strings are encoded in two ways:

decoding algorithm
decoding algorithm
Image 5 – decoding algorithm

A function named ‘kop’ is used all in several places to decode the strings using an algorithm. The above example will simply set variable ‘g’ to the value ‘substr’. All external functions are used in the following way so that the strings must decode first before knowing what the function is called.

Therefore, this:

before substituting variables

Is equivalent to this:

after substitution of variables

At this point, based on the decoder algorithm found in function ‘kop’, all the decoded strings can be replaced to its original string and then all JavaScript function calls can be revealed. After the de-obfuscation, the code looks clearer. By examining what each function was doing and renaming the variables and strings accordingly, I derived the following copy of the main function:

de-obfuscated main function
Image 8 – de-obfuscated main function

The exploit checks the PDF reader’s version to select exploit shellcode accordingly, then performs a heap spray to try and exploit a vulnerability discussed in CVE-2010-0188. The malformed TIFF data is concatenated as a base64 string and assigned to ‘rawValue’ of XFA field ‘ska’. After the decoding, the TIFF data is shown as following for PDF reader versions between 8.0 to 8.2.1:

TIFF data as viewed in a hex viewer
Image 9 – TIFF data as viewed in a hex viewer

The shellcode simply downloads and executes additional malware from a remote server. At the time of this writing, the malware was detected as TrojanDownloader:Win32/Epldr.A.

We can see that malware authors are taking obfuscation more seriously to try and evade security software. Although this exploit uses complex obfuscation methods to avoid being detected and analyzed (which makes it more advanced than other exploits) the technique used here is not new.

As always, be safe and use up-to-date security software.

 

— Shawn Wang, MMPC

Categories: exploits, JavaScript, PDF exploit, research Tags:

Embedded JavaScript in SWF

March 7th, 2011 Comments off

In a blog published in November titled “Explore the CVE-2010-3654 matryoshka“, we discussed a 0-day Shockwave (SWF) exploit that uses JavaScript to do malicious actions. In this blog, we discuss another advanced way SWF malware is combined with JavaScript only this time, without using a 0-day exploit.

In January we noticed a very large spike in telemetry for a threat named Trojan:SWF/Jaswi.A. Going back to December 2010, we had picked up a few spikes for this issue, one around Christmas, a second after New Year’s, a second after New Year’s and then a third and largest spike the weekend after New Year’s:

Image 1a – Prevalence chart for Trojan:SWF/Jaswi.A

Image 1a – Prevalence chart for Trojan:SWF/Jaswi.A

When we looked deeper into the targets of these attacks, we discovered that they were predominantly reported by computers in South Korea. Since the beginning of this year, 89% of the targets were in South Korea with 75% of them specifically in Seoul. Here’s a chart with a breakdown by unique machines in the months January and February of this year (there has been no activity in March):

Image 1b – Attack attempts by unique machines in the months January and February of 2011

Image 1b – Attack attempts by unique machines in the months January and February of 2011

Interested in the anomaly, I decided to have a look. After spending some time reviewing it, an interesting thing emerged. The malware Trojan:SWF/Jaswi.A is unlike other SWF malware; other SWF malware typically calls “getURL <website address>” within an ACTION tag in order to visit a malicious website link without user consent. For more about this, see the following:
http://blogs.technet.com/b/mmpc/archive/2008/10/31/swf-for-malware-deployment.aspx

Trojan:SWF/Jaswi.A contains an embedded malicious JavaScript that initiates a legal Windows API call to trigger the payload. Although the analysis was only slightly involved, let’s take a simple step by step tour of the malware.

1. SWF with embedded JavaScript

Image 2 – Embedded JavaScript within Trojan:SWF/Jaswi.A

Image 2 – Embedded JavaScript within Trojan:SWF/Jaswi.A

If we convert the JavaScript into Actionscript, it should appear as below:

Image 3 – JavaScript from Image 1 converted to Actionscript illustrating Windows API call

Image 3 – JavaScript from Image 2 converted to Actionscript illustrating Windows API call

From the image above, we can see the legal function ExternalInterface.call() has been made to complete a procedure of initiating JavaScript injection. Well, this is not a new method after all, but only a few SWF malware take advantage of this technique.

2. JavaScript obfuscation
We notice the embedded JavaScript is also simply encrypted by a method “fromCharCode()”. After decryption, the real JavaScript code appears (edited below):

Image 4 – Decrypted JavaScript with black-outs added

Looks familiar? Yes, the Microsoft Internet Explorer vulnerability CVE-2010-0806 has been abused! This particular exploit affects Microsoft Internet Explorer versions 6, 6+SP1 and 7, and could allow a remote attacker to execute arbitrary code.

3. Shellcode
In Image 4 above, you can see Unicode encrypted by the method “unescape()” – this is the malware shellcode body, which includes a simple xor algorithm to avoid the detection. Further into the obfuscation, we finally see the destination, show below:

Image 5 – Destination URL indicating an executable named “uusee.exe”

Image 5 – Destination URL indicating an executable named “uusee.exe”

The file “uusee.exe” from the obfuscated URL shown above is actually a prevalent password stealer in China that Microsoft antimalware technologies detects as PWS:Win32/Lolyda.AU (SHA1: 0bd98a39c2eaa9c523e41cec250623b44f6d3239).

We mentioned the embedded JavaScript technique used in the malicious SWF here because it appears to be a trend and may become a popular method. As always, use caution while surfing the Interwebs and use on-access antimalware protection from a credible scanner (for more information on antimalware software, see http://www.microsoft.com/windows/antivirus-partners/).

 

— Tim Liu, Malware Researcher, MMPC