Archive

Posts Tagged ‘malware analysis’

eval is evil!

09/06/2012 Leave a comment

Last week a friend of mine got an email pretending to be from Linked-In.

It looked suspicious so she forwarded it to me for inspection.

 

A quick look at the HTML attachment showed that it contained some very fishy JavaScript.

One notable part of it was a large array of floating point numbers, positive and negative.

 

As some of you might have guessed, this array actually represented some more scrambled JavaScript.

 

Now, I am not a security expert, but I was curious what this thing did. I know there is some tool to test run JavaScript, but I did not remember what it was called, so I just run Python in interactive mode to make a quick loop and unscramble the floating point array.

 

What I found was JavaScript redirecting the browser to a very suspicious looking domain.

Downloading the content of the URL resulted in more JavaScript, this time with a very long sting (over 54000 bytes long!).

 

Again I found the unscrambling function, redone it in Python, and received what was clearly a malware injecting JavaScript that was just over 15 thousand bytes long!

The funny thing was, the malware script was not obfuscated (aside from all whitespace being removed), so I could actually see a function called “getShellcode”.

 

Despite being quite long, it was easy to see that the script used some vulnerability in Flash Player versions 10.0.40 to 10.2.159 to do it’s nasty business.

I have yet to unscramble it’s shellcode payload, so I am not sure what that business is exactly.

 

But, this package is not unique. I am sure there are thousands of variations of it in the wild.

 

Why am I bothering to write about it?

 

Because the main component used to hide the truth about what this malware does is JavaScript eval function.

In fact, it is used twice, both in the first stage JavaScript attached to an email, and in the second stage script that actually tries to inject the malware.

 

Which got me wondering: why the hell did the designers of JavaScript put it there???

 

I know JavaScript is not the only language to have such function.

I know it has some legitimate uses (though I am not sure how many).

And as a developer, the last thing I would want to encourage is reducing a programming language’s power.

 

But seriously, is the huge security risk really worth it?

After all, this is a Browser scripting language, something you might download and run without even being aware you are doing it.

 

Even the name of the function sounds almost “evil” 😛

 

So here is my rant of the day: ban eval from JavaScript.

Who is with me?

Advertisements