Over the weekend I thought about new ways in which someone can mask malware
for the web. Today malware writers use a long chain of iframes and a mixture
of code obfuscation to hide their malware from webmasters, surfers and
malware security researchers. So I think it's important to investigate
new ways of masking malware, because this gives everyone an edge on what
is possible. I found two new ways of hiding malware which rely on a flaw and
a feature of a browser and a server respectively.

Masking Malware inside Internet Explorer 8 beta.

It is possible to hide the source of an application or a piece of malware in
Internet Explorer 8 beta by using UTF-16 big-endian encoding. Big endian
and little endian refer to the order in which the bytes of a value are stored
in memory. The Windows architecture was mainly designed for little endian,
so some issues arise with software written for big-endian data, and
especially with UTF-16 big endian, also called UTF-16BE. By changing the
meta content-type charset to UTF-16, you can successfully hide malware
inside MSIE8B, as seen in example 1.

Example 1. 

<meta http-equiv="Content-Type" content="text/html; charset=UTF-16" />



It is also possible to encode the entire file as UTF-16BE. This has the same
result as setting the charset manually. One way of doing this is to write a
function that encodes the file into UTF-16BE, or to use Notepad on Windows
and save the document as UTF-16 BE. Another method is to use a server-side
language to encode a string to UTF-16, as seen in example 2.

Example 2.

<?php
// Re-encode a string as UTF-16 so the markup is no longer readable as plain
// text. utf8_encode() treats its input as ISO-8859-1; mbstring's 'UTF-16'
// output is big-endian and prefixed with a byte order mark.
function utf16($str) {
    $utf8 = utf8_encode($str);
    if (function_exists('mb_convert_encoding')) {
        return mb_convert_encoding($utf8, 'UTF-16', 'UTF-8');
    } else {
        // Without mbstring the string is returned unchanged.
        return $str;
    }
}

echo utf16('<iframe src="http://www.google.com/malware/malwarez.html"></iframe>');
?>



All of these work when the goal is to hide the source code of a page created
for Internet Explorer. Firefox should render the page as well, but Firefox
seems to be UTF-16BE aware when parsing the source back to UTF-8 to display
it as "source code". Google Chrome doesn't render the page in UTF-16LE at all.

Masking stylesheet malware.

As some of you know, XSS also comes in a CSS flavour, which widens the XSS
attack surface. The problem is: how do you hide a stylesheet? Is it possible
at all? The answer is yes. Many platforms support a Link: response header,
which means that content can be linked into a page through a response
header. This way the stylesheet is not visible in the source code of the
page, which makes it possible to mask a stylesheet from inexperienced
security researchers. As far as I know, only Internet Explorer seems to
refuse a stylesheet sent through the response header.

<?php
// The stylesheet is referenced from the response header, not from the markup.
header("Link: <stylesheet.css>; rel=\"stylesheet\"; title=\"style\"");
?>
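As an added analyst helper (not code from the post), the following Python decodes a response body the way a browser effectively would (byte order mark first, then the NUL pattern of UTF-16 text) and lists Link: header entries whose rel names a stylesheet, so both the UTF-16 trick and the header-linked stylesheet described above show up in one report. The sample body and headers are constructed here; the iframe URL is the post's own example.

```python
import codecs
import re

# Constructed sample response: the post's iframe example, written as UTF-16BE
# with a BOM, plus a Link: response header carrying a stylesheet.
SAMPLE_BODY = codecs.BOM_UTF16_BE + (
    '<meta http-equiv="Content-Type" content="text/html; charset=UTF-16" />'
    '<iframe src="http://www.google.com/malware/malwarez.html"></iframe>'
).encode("utf-16-be")
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "Link": '<stylesheet.css>; rel="stylesheet"; title="style", </a.css>; rel="preload"',
}

def sniff_encoding(body: bytes) -> str:
    """Guess the byte encoding: BOM first, then the NUL pattern of UTF-16 ASCII."""
    if body.startswith(codecs.BOM_UTF16_BE):
        return "utf-16-be"
    if body.startswith(codecs.BOM_UTF16_LE):
        return "utf-16-le"
    sample = body[:256]
    if sample and sample[1::2].count(0) > len(sample) // 3:
        return "utf-16-le"   # 'a' is 61 00: odd bytes are NUL
    if sample and sample[0::2].count(0) > len(sample) // 3:
        return "utf-16-be"   # 'a' is 00 61: even bytes are NUL
    return "utf-8"

def decode_body(body: bytes) -> str:
    """Decode to text and drop a decoded BOM so regexes see the first tag."""
    return body.decode(sniff_encoding(body), errors="replace").lstrip("\ufeff")

def linked_stylesheets(headers: dict) -> list:
    """URLs in Link: header entries whose rel parameter names a stylesheet."""
    found = []
    for m in re.finditer(r'<([^>]+)>((?:\s*;\s*[^,;]+)*)', headers.get("Link", "")):
        if re.search(r'rel\s*=\s*"?[^";,]*\bstylesheet\b', m.group(2), re.I):
            found.append(m.group(1))
    return found

def analyze(body: bytes, headers: dict) -> dict:
    """Report what the page actually loads, regardless of how it was encoded."""
    html = decode_body(body)
    return {
        "encoding": sniff_encoding(body),
        "iframes": re.findall(r'<iframe[^>]*\bsrc="([^"]+)"', html, re.I),
        "stylesheets": linked_stylesheets(headers),
    }

if __name__ == "__main__":
    print(analyze(SAMPLE_BODY, SAMPLE_HEADERS))
```

Running it on a real response means feeding it the raw bytes and the header dict from your fetch; viewing the decoded text instead of the raw source is what defeats both hiding tricks.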



Conclusion.

Masking malware can be very important for attackers; for malware security
researchers it can be a real nightmare. Sadly these two ideas aren't the
only ones. There are many more ways of masking malware. One thing I did not
discuss, due to my limited time window, is the use of OBJECTs. An OBJECT
can be made to behave like an iframe, because OBJECTs can hold different
MIME and content types, "text/html" for example, which renders the OBJECT
as an iframe. Again, this poses another great risk for the
internationalization of web standards. Furthermore, it is important to
always check the response headers, because what you get sent back is not
always what it says it is.

[Ph4nt0m] <http://www.ph4nt0m.org/>
[Ph4nt0m Security Team] <http://blog.ph4nt0m.org/>