Sunday, March 17, 2013

[Converter v0.7] Analyzing and Deobfuscating Malicious Scripts



Malicious Java applets have been making news for a while, so I thought I would update Converter to include some new features to help with deobfuscating them.


This is a list of changes made to this version:
+ Replaced Binary-to/from-Text with Binary-to/from-Hex to make it more useful
+ Added Filter > “Keep Hex” to only keep hex characters
+ Added Format > “Mixed Octal to Hex” to convert a mixture of text and octal to hex
+ Added Format > “Sort Text” to sort a string
+ Added Format > “Hex Format – CSV”, which separates hex values with a comma
+ Added Tools > “String Builder” to keep values between quotes
+ Modified “Dec-to-Hex” and “Dec-to-Octal” to handle negative integers
+ Added “copy output to input” option to Secret Decoder Ring
+ Added ability to import first KB (or all) of data to Key Search/Convert
+ Eliminated extra fields in Key Search/Convert screen
+ Made expression capability in Key Search/Convert and Convert Binary File a little more robust (added Extra > “Expressions Help”)


Here’s a look at some of the features in action…
This applet used binary strings to hide its actions:
[Screenshot: 2013-03-16_01]
Just paste it in and the Binary-to-Hex feature will split on every eight characters and convert them to hex. You can choose the Output Format using the dropdown at the bottom.
[Screenshot: 2013-03-16_02]
Here we see an applet concatenating several variables together before it deobfuscates it:
[Screenshot: 2013-03-16_03]
Using the “String Builder” feature…
[Screenshot: 2013-03-16_04]
Just paste the section in and Converter will concatenate everything between the quotes together. Make sure the beginning and ending quotes are present.
[Screenshot: 2013-03-16_05]
This applet is using a mix of text and octal characters:
[Screenshot: 2013-03-16_06]
The “Mixed Octal to Hex” feature…
[Screenshot: 2013-03-16_07]
…will convert the string (including escaped characters) to hex.
[Screenshot: 2013-03-16_08]
This applet is using an array of positive and negative integers:
[Screenshot: 2013-03-16_09]
Converter now converts decimal to hex properly.
[Screenshot: 2013-03-16_10]
This particular applet takes this concatenated string and deobfuscates it by running through a decoder routine three times:
[Screenshot: 2013-03-16_11]
The Secret Decoder Ring now allows you to copy the output to the input field so you can decode it any number of times without having to manually copy/paste each time.
[Screenshot: 2013-03-16_12]
Finally, you can see the changes made to the Key Search/Convert screen. I tried to make the expressions as flexible as possible.
[Screenshot: 2013-03-16_13]
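For readers who want to script the same transformations outside the GUI, here is an added Python example (written for this post, not part of Converter) covering the features walked through above: Binary-to-Hex, String Builder, Mixed Octal to Hex, signed Dec-to-Hex, and feeding a decoder's output back into its input. All sample inputs are constructed, and the `add_one` decoder is a stand-in for whatever routine a real applet would use.

```python
import re

# Constructed sample inputs (not taken from any real applet)
BINARY_SAMPLE = "01001000 01101001"                   # "Hi" as 8-bit groups
JAVA_SAMPLE = 'String s = "ab" + "cd" +\n    "ef";'   # concatenated literals
OCTAL_SAMPLE = r"\110\145llo"                         # "Hello" with octal escapes
SIGNED_SAMPLE = [-54, -2, -70, -66]                   # Java byte[] for 0xCAFEBABE

def binary_to_hex(s):
    """Keep only 0/1, split every eight bits and render each group as hex."""
    bits = re.sub(r"[^01]", "", s)
    if len(bits) % 8:
        raise ValueError("bit count is not a multiple of 8")
    return "".join(f"{int(bits[i:i + 8], 2):02x}" for i in range(0, len(bits), 8))

def string_builder(src):
    """Concatenate everything between double quotes (Tools > String Builder)."""
    return "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', src))

def mixed_octal_to_hex(s):
    """Convert text mixed with \\ooo octal escapes to hex, one byte per character."""
    out = bytearray()
    pos = 0
    while pos < len(s):
        m = re.match(r"\\([0-7]{1,3})", s[pos:])
        if m:                                 # escaped octal value
            out.append(int(m.group(1), 8) & 0xFF)
            pos += m.end()
        else:                                 # plain text character
            out += s[pos].encode("latin-1")
            pos += 1
    return out.hex()

def signed_dec_to_hex(values):
    """Render signed decimal bytes (-128..127, as in a Java byte[]) as unsigned hex."""
    return bytes(v & 0xFF for v in values).hex()

def decode_n_times(data, decoder, rounds):
    """Feed the decoder's output back into its input, like the Secret Decoder
    Ring's new 'copy output to input' option, for the given number of rounds."""
    for _ in range(rounds):
        data = decoder(data)
    return data

def add_one(data):
    """Toy decoder routine (hypothetical): add 1 to every byte, mod 256."""
    return bytes((b + 1) & 0xFF for b in data)

if __name__ == "__main__":
    print(binary_to_hex(BINARY_SAMPLE), string_builder(JAVA_SAMPLE),
          mixed_octal_to_hex(OCTAL_SAMPLE), signed_dec_to_hex(SIGNED_SAMPLE),
          decode_n_times(b"ABC", add_one, 3))
```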

Download Converter v0.7
Official website: http://www.kahusecurity.com/
