Since everyone knows about this, I can finally share my piece.
Once deobfuscated, you can see that the script reveals a call to a single Java applet. You can also see some parameter values that are read in by the applet.
The applet contains two classes. Here we see the main class that includes the 0-day exploit. The other class downloads a binary file, writes it out, and executes it.
Once the second layer was unpeeled, the script changed its value to something entirely different. Here we see another variable get assigned “eval”; that value is then passed to our variable, so it too becomes “eval”, but you won’t know that until the hex code deobfuscates successfully.
Like the versions before it, the script’s deobfuscation function is stored in a variable. When executed, the function reads in this variable (which is its own code), converts each character to decimal, then performs some tricky calculations and regular expressions to decrypt the blob of hex. It’s a brilliant technique!
There are different ways of handling a script like this, but when I have time, I like to challenge myself to find a way to pop the result using only Notepad and a browser. This is one of the more complex scripts I’ve come across, and I thought I would deal with it the way I would when trying to find a vulnerability in an application.
I came up with two approaches. The first is a totally out-of-the-box approach which I’ll blog about later. The second was to find a place to inject my own code but since I couldn’t modify anything in the main function, I’ll modify the encrypted hex code!
I won’t bore you with stepping through the deobfuscation routine but if you walk through it line by line, you will be able to determine that the first line of deobfuscated text will be:
Perfect! As I mentioned earlier, this variable overwrites the previous value of “Math.tan”. But what if I can do this instead:
Actually I need to keep the length the same so it’s more like this:
So I run Excel and use it like a calculator and recalculate the original hex value from this:
It’s a good thing this was at the beginning of the script! Then I replaced the hex code and ran it.
It worked! Note the very top of the screen, you can see what was done.
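The hex-patching trick above, as an added example that is neither the kit's code nor the author's own script: a constructed toy decoder whose key stream is derived from its own source text, standing in for the routine that reads its own variable and converts each character to decimal. Everything in it (DECODER_SRC, keyStream, the sample plaintext, the dump capture function) is an assumption built for illustration. It shows why the replacement statement must keep the same length and why, when the statement sits at the very start of the blob, only the leading bytes of hex need recalculating.

```javascript
// Constructed toy model of a self-keyed decoder (not the kit's real routine):
// the key stream is derived from the decoder's own source text, so editing the
// function changes the key and breaks decoding. Instead of touching the
// function, the analyst re-encodes the ciphertext so the first decoded
// statement points the sink at a capture function rather than eval.

// Stand-in for "the variable that holds the decoder's own code" (constructed).
const DECODER_SRC = 'var d=function(h){/* constructed placeholder body */};';

// Position-dependent key: each source character is converted to its
// char code (decimal) and mixed with the byte index.
function keyStream(src, n) {
  const ks = [];
  for (let i = 0; i < n; i++) {
    ks.push((src.charCodeAt(i % src.length) * 7 + i * 3) & 0xff);
  }
  return ks;
}

// Decode a hex blob by XORing each byte with the self-derived key stream.
function decodeHex(hex, src) {
  const ks = keyStream(src, hex.length / 2);
  let out = '';
  for (let i = 0; i < ks.length; i++) {
    out += String.fromCharCode(parseInt(hex.substr(i * 2, 2), 16) ^ ks[i]);
  }
  return out;
}

// Inverse of decodeHex: the "Excel as a calculator" step in code form.
function encodeHex(plain, src) {
  const ks = keyStream(src, plain.length);
  let hex = '';
  for (let i = 0; i < plain.length; i++) {
    hex += ((plain.charCodeAt(i) & 0xff) ^ ks[i]).toString(16).padStart(2, '0');
  }
  return hex;
}

// Swap the leading statement for a same-length one and re-encode only that
// prefix; because the key depends on byte position, the untouched tail of the
// ciphertext still decodes correctly. A length change would shift every later
// byte against a different key and corrupt the rest of the script.
function patchPrefix(hex, src, oldStmt, newStmt) {
  if (oldStmt.length !== newStmt.length) {
    throw new Error('replacement must keep the same length');
  }
  const plain = decodeHex(hex, src);
  if (!plain.startsWith(oldStmt)) {
    throw new Error('ciphertext does not begin with the expected statement');
  }
  return encodeHex(newStmt, src) + hex.slice(oldStmt.length * 2);
}

// Constructed sample: the decoded script first aliases eval, then calls the
// alias on a stage-2 string. The stage-2 body here is an inert placeholder.
const STAGE2 = '/* constructed stage-2 placeholder */';
const ORIGINAL_PLAIN = 'var q=eval;q(' + JSON.stringify(STAGE2) + ');';
const ORIGINAL_HEX = encodeHex(ORIGINAL_PLAIN, DECODER_SRC);

// Run the patched script with a capture function in place of eval and return
// whatever the script would have handed to eval, without executing it.
function captureStage2(hex, src) {
  const patched = patchPrefix(hex, src, 'var q=eval;', 'var q=dump;');
  const captured = [];
  const dump = (s) => captured.push(String(s));
  new Function('dump', decodeHex(patched, src))(dump);
  return captured;
}

console.log(captureStage2(ORIGINAL_HEX, DECODER_SRC));
```

The same idea carries over to the browser: define `dump` as a function that writes its argument into a `<pre>` or `<textarea>`, load the patched script, and the next layer appears on screen instead of running. The two checks in `patchPrefix` are what keep the trick from silently producing garbage: a length mismatch or a wrong guess about the first decoded statement fails loudly rather than handing a corrupted blob to the page.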
File: hi.exe or Flash_update.exe