UPDATE: Feds aren’t the only ones who are paying attention to the demonstrations at security conferences like Black Hat and DEFCON – the folks who actually don the black hats are, also.
That point was driven home this week by Kaspersky Lab researcher Marta Janus, who blogged about an interesting new code obfuscation technique that she discovered while analyzing a Polish e-commerce Web site that had been compromised. The technique, it turns out, was first demonstrated at DEFCON 16 in 2008.
While analyzing some of the PHP scripts running on the site to try to discover how the attackers were dynamically inserting malicious links into the site’s Web pages, Janus discovered a novel technique the attackers used to hide their work: using a mix of non-printing characters, specifically spaces and tabs, to “write” a malicious URL that was then inserted, as a link, into the e-commerce site’s HTML pages. How can you write a URL with spaces and tabs? Easy, Janus explains:
“The function splits this whitespace mix into 8-digit pieces, and then it changes all TAB chars into ‘1’ and all spaces into ‘0’,” she writes. That leaves the hacker with binary code, which is later transformed into decimal values and printed as the final URL using ASCII characters.
“It’s all implemented in a PHP file, so it runs on the server side, and the user is not able to track it in the source code,” Janus wrote.
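The decoding rule Janus describes (split the whitespace into 8-character groups, TAB is 1, space is 0, read each group as an ASCII byte) is easy to turn into a scanner that an incident responder can run over a site’s PHP sources to surface hidden strings. The following is an added example, not Kaspersky’s or Janus’s code; the PHP snippet it scans is constructed here and the URL in it is a placeholder.

```python
import re

# A run of tabs/spaces long enough to hold at least one 8-bit character.
WS_RUN = re.compile(r"[ \t]{8,}")


def decode_whitespace(run: str) -> str:
    """Decode one tab/space run: TAB -> '1', space -> '0', eight bits per byte."""
    bits = run.replace("\t", "1").replace(" ", "0")
    usable = len(bits) - len(bits) % 8          # drop a trailing partial byte
    return "".join(chr(int(bits[i:i + 8], 2)) for i in range(0, usable, 8))


def looks_like_payload(text: str) -> bool:
    """Heuristic: printable ASCII that resembles a URL or domain name."""
    if not text or any(not 32 <= ord(c) < 127 for c in text):
        return False                              # ordinary indentation decodes to NUL/0xFF
    return re.search(r"(https?://|www\.|\.[a-z]{2,4}(/|$))", text, re.I) is not None


def find_hidden_strings(source: str) -> list[tuple[int, str]]:
    """Scan PHP source text; return (line_number, decoded_text) for suspicious runs."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in WS_RUN.finditer(line):
            decoded = decode_whitespace(match.group())
            if looks_like_payload(decoded):
                hits.append((lineno, decoded))
    return hits


def _whitespace_encode(text: str) -> str:
    """Inverse of decode_whitespace; used only to build the constructed sample below."""
    return "".join("\t" if b == "1" else " "
                   for ch in text for b in format(ord(ch), "08b"))


# Constructed sample: one hidden URL (placeholder domain) plus a harmless
# trailing-whitespace line that must not be reported.
SAMPLE_PHP = (
    "<?php\n"
    "$a = 'normal';\n"
    "$s = \"" + _whitespace_encode("http://evil.example/link") + "\";\n"
    "echo base64_decode($x);        \n"
)

if __name__ == "__main__":
    for lineno, text in find_hidden_strings(SAMPLE_PHP):
        print(f"line {lineno}: hidden string {text!r}")
```

Running it on the sample reports only line 3; the eight trailing spaces on line 4 decode to a NUL byte and are discarded by the printable-ASCII check.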
Code obfuscation has become a mainstay of modern malware, as malware authors look for novel ways to prevent researchers and security products from detecting their wares. Common hacking tools like the Phoenix Exploit Kit have started using obfuscation to hide their methods for installing on victim Web sites. Spammers also use obfuscation and non-printing characters to try to slip their appeals past filters. Researchers recently found evidence of spammers using the soft-hyphen character, which is displayed like a normal hyphen but not rendered by most Web browsers, to obfuscate URLs and fool filtering products.
Janus said she’s not convinced the DEFCON presentation was the source used by the Polish hackers, though.
“I think it’s possible that the malware writer discovered this technique independently, although – as Kolisar’s presentation has been publicly available since 2008 – the idea could have been stolen from him as well,” she wrote.
Whatever the case, the technique is new to the malware coding world.