Friday, April 20, 2007 10:42 AM
cmosby
Symantec Security Response Weblog: Tales of the \u-nexpected
Microsoft's JScript is a very powerful and flexible language. However, great flexibility leads to a great potential for obfuscation. We have seen many examples of JScript obfuscation in the past, such as string concatenation and dynamic decoding, and will likely see more in the future.
The most recent, and potentially most problematic, example uses one of the simplest obfuscation methods: Unicode escaping. Normally, Unicode escaping is used to send Unicode characters that might not travel well across networks, such as characters that could be transformed according to the system locale. From a security perspective, Unicode escaping is widely used to deliver executable code in Web exploits.
What was previously unknown to us is that Unicode escapes can be applied to function names, variables, and all kinds of other code. This was demonstrated by the recent virus that we detect as JS.Bicycle. As the virus author noted in a post to a Virus eXchange (VX) site, there are some limitations: statements, operators, braces, parentheses, and numbers cannot be encoded. Although it is still very effective, these exceptions made the first variant easy to detect.
Unfortunately, it seems that the author found a way to "improve" the code. By moving the body of the virus into an "eval()" statement, the entire block—including the "eval" itself—can be replaced by Unicode escapes. Fortunately, we found a way to detect that, too.
A good script tokenizer is obviously necessary for an anti-malware engine, as it's the best way to detect this type of virus. Such an engine can automatically perform decoding (including Unicode escaping) "under the covers," leaving us with a plaintext version of the virus code every time.
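The decoding step described above, as an added example that is not Symantec's engine or the virus code: a small Node.js normalizer that decodes `\uXXXX` escapes in identifiers and string literals so that signature matching runs on plaintext, and that flags escapes which the post says cannot legally encode anything (operators, braces, parentheses). The marker list and the sample script are constructed for illustration.

```javascript
"use strict";
// Added example: decode JScript \uXXXX escapes into plaintext before matching.
// Not Symantec's code; the sample input below is constructed and harmless.

// Outside a string literal, ECMAScript only lets a \u escape spell an identifier
// character. Anything else is a syntax error, which is the limitation the post
// describes. ASCII identifier characters are enough for this illustration.
function isIdentifierChar(ch) {
  return /^[A-Za-z0-9_$]$/.test(ch);
}

// Returns the decoded source plus any escapes that would be illegal in code position.
function decodeUnicodeEscapes(src) {
  let out = "";
  let quote = null;          // active string delimiter, or null while in code
  const rejected = [];
  for (let i = 0; i < src.length; ) {
    const ch = src[i];
    if (quote === null && (ch === '"' || ch === "'")) { quote = ch; out += ch; i++; continue; }
    if (quote !== null && ch === quote) { quote = null; out += ch; i++; continue; }
    const hex = src.substr(i + 2, 4);
    if (ch === "\\" && src[i + 1] === "u" && /^[0-9a-fA-F]{4}$/.test(hex)) {
      const decoded = String.fromCharCode(parseInt(hex, 16));
      if (quote !== null || isIdentifierChar(decoded)) {
        out += decoded;           // legal here: replace the escape with plaintext
      } else {
        rejected.push(src.substr(i, 6));
        out += src.substr(i, 6);  // leave as-is; the script engine would reject it
      }
      i += 6;
      continue;
    }
    if (quote !== null && ch === "\\") { out += src.substr(i, 2); i += 2; continue; } // other escape
    out += ch;
    i++;
  }
  return { plaintext: out, rejected };
}

// Illustrative plaintext markers (assumed); a real engine tokenizes rather than substring-matching.
const MARKERS = ["eval(", "ActiveXObject"];
function scan(src) {
  const { plaintext, rejected } = decodeUnicodeEscapes(src);
  const hits = MARKERS.filter((m) => plaintext.indexOf(m) !== -1);
  return { plaintext, rejected, hits };
}

// Constructed sample: both the eval and the string it evaluates are escaped, as in the second variant.
const SAMPLE = String.raw`\u0065\u0076\u0061\u006c("\u0076\u0061\u0072 x = 1;");`;
console.log(scan(SAMPLE)); // plaintext: eval("var x = 1;");  hits: [ 'eval(' ]
```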
Having such an engine is especially important now, as script-based malware in web-based exploits will never go away, and we can really show our skills when we detect complex viruses quickly.
I have no doubt that a variety of obfuscations will be found in the future.
Posted by Peter Ferrie on April 20, 2007 05:00 AM
Source: Symantec Security Response Weblog: Tales of the \u-nexpected
Filed under: Security and Anti-Virus, AntiVirus Information