UPDATE: Feds aren’t the only ones who are paying attention to the demonstrations at security conferences like Black Hat and DEFCON – the folks who actually don the black hats are, also.
That point was driven home this week by Kaspersky Lab researcher Marta Janus, who blogged about an interesting new code obfuscation technique that she discovered while analyzing a Polish e-commerce Web site that had been compromised. The technique, it turns out, was first demonstrated at DEFCON 16 in 2008.
While analyzing some of the PHP scripts running on the site to try to discover how the attackers were dynamically inserting malicious links into the site’s Web pages, Janus discovered a novel technique the attackers used to hide their work: using a mix of non-printing characters, particularly spaces and tabs, to “write” the name of a malicious URL that was then inserted, as a link, into the e-commerce site’s HTML pages. How can you write a URL with spaces and tabs? Easy, Janus explains:
“The function splits this whitespace mix into 8-digit pieces, and then it changes all TAB chars into ‘1’ and all spaces into ‘0’,” she writes. That leaves the hacker with binary code, which is later transformed into decimal values and printed as the final URL using ASCII characters.
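As an added illustration (not code from Janus’s post or from the compromised site), the decoding step she describes turned into a small scanner that flags whitespace runs in PHP source which decode to printable text; the sample PHP and the URL inside it are constructed placeholders.

```python
import re

# A run of at least eight spaces/tabs: the minimum that yields one 8-bit group.
WS_RUN = re.compile(r"[ \t]{8,}")


def decode_whitespace(run: str) -> str:
    """Decode a space/tab run as Janus describes: TAB -> '1', space -> '0',
    eight bits per character. A trailing partial group is ignored."""
    bits = run.replace("\t", "1").replace(" ", "0")
    usable = len(bits) - len(bits) % 8
    return "".join(chr(int(bits[i:i + 8], 2)) for i in range(0, usable, 8))


def scan_source(src: str, min_len: int = 4) -> list:
    """Report whitespace runs in PHP source that decode to printable ASCII.

    Ordinary indentation is not flagged: eight spaces decode to NUL, eight
    tabs to 0xFF, and mixed indentation rarely forms several printable
    bytes in a row, so the printable-ASCII filter rejects it.
    """
    findings = []
    for m in WS_RUN.finditer(src):
        decoded = decode_whitespace(m.group())
        if len(decoded) >= min_len and all(32 <= ord(c) < 127 for c in decoded):
            line_no = src.count("\n", 0, m.start()) + 1
            findings.append({"line": line_no, "decoded": decoded})
    return findings


def _encode_for_sample(text: str) -> str:
    """Build the constructed sample payload with the same TAB=1/space=0 mapping."""
    return "".join("\t" if b == "1" else " "
                   for c in text for b in format(ord(c), "08b"))


# Constructed sample: normally indented PHP plus one string literal that is
# nothing but whitespace. The URL is a placeholder, not one from the article.
SAMPLE_PHP = (
    "<?php\n"
    "    $x = 1;\n"
    "        $y = 2;\n"
    '$w = "' + _encode_for_sample("http://malicious.example/") + '";\n'
    "?>\n"
)

if __name__ == "__main__":
    for hit in scan_source(SAMPLE_PHP):
        print(f"line {hit['line']}: whitespace decodes to {hit['decoded']!r}")
```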
Inventive – yes. But probably not by the hacker him- or herself. An almost identical method for doing JavaScript obfuscation was demonstrated at DEFCON 16 in Las Vegas almost three years ago by Kolisar and is still available online at the defcon.org Web site (PDF). According to that presentation, the whitespace method had a number of advantages over other approaches to JavaScript obfuscation. For one, it didn’t rely on many of the telltale signs of obfuscation that Web security vendors can now search for – things like string splitting or rendering sensitive content using escaped ASCII or Unicode text.
Still, there are differences that show the hackers improving on the DEFCON presentation. For one, the method was applied to PHP, rather than JavaScript. The hackers in the Polish Web site case also got around a key limitation of Kolisar’s method: requiring the decryption of the text to happen in the Web document. “In case of ‘whitespace malware’ it’s all implemented in a PHP file, so it runs on the server side, and the user is not able to track it in the source code,” Janus wrote.
Code obfuscation has become a mainstay of modern malware, as malware authors look for novel ways to prevent researchers and security products from detecting their wares. Common hacking tools like the Phoenix Exploit Kit have started using obfuscation to hide their methods for installing on victim Web sites. Spammers, too, use obfuscation and non-printing characters to try to slip their appeals past filters. Researchers recently found evidence of spammers using the soft-hyphen character, which is displayed like a normal hyphen, but not rendered by most Web browsers, to obfuscate URLs and fool filtering products.
Janus said she’s not convinced the DEFCON presentation was the source used by the Polish hackers, though. “I think it’s possible that the malware writer discovered this technique independently, although – as Kolisar’s presentation is publicly available since 2008 – the idea could be stolen from him as well,” she wrote.
Whatever the case, the technique is new to the malware coding world.