Encrypts malicious code with a unique key for every infection

Jun 29, 2009 12:02 GMT

Security researchers from antivirus vendor Trend Micro have announced that a newly discovered web malware sample uses a code obfuscation technique that derives a different encryption key for every infected page. Without the URL the sample was originally served from, the encrypted code cannot be decrypted offline.

Trend Micro detects this malware as JS_VIRTOOL and warns that it "uses certain Javascript techniques so that encrypted code may not be decrypted and analyzed by a malware analyst." The warning is aimed at the usual analysis workflow: researchers receive samples through many different channels and analyze them offline inside controlled environments, detached from the page that served them.

With JS_VIRTOOL that workflow breaks down unless the analyst also knows the URL from which a particular sample was extracted. The malware retrieves the URL it is hosted at and appends it to the source of its own function, computes a CRC over the resulting string, and uses that value as the key that encrypts the real routine. Because the key is derived rather than stored, any change to either input, the function body or the URL, yields a different key; conversely, an analyst who records the serving URL together with the sample can reproduce it.

"In this case, the encrypted code which is the real routine of the malware will not execute if the function is tampered with and/or the URL is not correct," Jonathan San Jose, threat analyst at Trend Micro, explains. "Currently, we have multiple samples that all use this particular technique, but have different encrypted contents. We suspect that they have the same decrypted data, the only difference being the URL location which will decrypt each sample," he notes.
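The mechanism described above, and the two properties San Jose points out (a tampered function or wrong URL yields nothing executable; identical routines encrypted under different URLs look unrelated), as an added reconstruction written for this page. It is not code from the JS_VIRTOOL samples or from Trend Micro: the article says only that a CRC of the function plus its URL is the key, so the CRC variant (CRC-32, polynomial 0xEDB88320), the repeating 4-byte XOR stream, the stub source, the decoy routine and the sample URLs are all assumptions made for the demonstration. In a browser the two key inputs would be the decryptor's own source and `location.href`; here they are passed in explicitly so the harness runs offline.

```javascript
// Reconstruction of URL-keyed obfuscation for this page; not the malware's own code.
// Assumptions: CRC-32 (poly 0xEDB88320), 4-byte XOR stream, constructed stub/URLs.

// Table-less CRC-32 (IEEE 802.3, reflected). Check value: crc32("123456789") = 0xCBF43926.
function crc32(str) {
  let crc = 0xFFFFFFFF;
  for (let i = 0; i < str.length; i++) {
    crc ^= str.charCodeAt(i) & 0xFF;
    for (let k = 0; k < 8; k++) {
      // Shift right; XOR the polynomial in only when the low bit was set.
      crc = (crc >>> 1) ^ (0xEDB88320 & -(crc & 1));
    }
  }
  return (crc ^ 0xFFFFFFFF) >>> 0;
}

// The key is a CRC over the decryptor's own source with the page URL appended,
// so editing the function or serving it from another URL changes the key.
function deriveKey(stubSource, pageUrl) {
  return crc32(stubSource + pageUrl);
}

// Expand the 32-bit CRC into a repeating 4-byte XOR stream (assumed construction).
function xorStream(bytes, key) {
  const k = [(key >>> 24) & 0xFF, (key >>> 16) & 0xFF, (key >>> 8) & 0xFF, key & 0xFF];
  return bytes.map((b, i) => b ^ k[i % 4]);
}

const toBytes = (s) => Array.from(s, (c) => c.charCodeAt(0) & 0xFF);
const fromBytes = (a) => String.fromCharCode(...a);
const toHex = (a) => a.map((b) => b.toString(16).padStart(2, "0")).join("");
const fromHex = (h) => (h.match(/../g) || []).map((x) => parseInt(x, 16));

// Visible decryptor stub; its source text is part of the key material (constructed).
const STUB_SOURCE = "function d(u,c){/* crc(this+u) xor c */}";

// Infection side: embed the real routine encrypted under the key for the serving URL.
// Returns what a researcher would extract from the page: the stub and a hex blob.
function buildSample(pageUrl, routineSource) {
  const key = deriveKey(STUB_SOURCE, pageUrl);
  return { stub: STUB_SOURCE, blob: toHex(xorStream(toBytes(routineSource), key)) };
}

// Analyst side: replay a candidate URL against a captured sample. new Function()
// only compiles the text (nothing runs), which is a concrete test for
// "will not execute": a wrong key leaves bytes that do not parse as JavaScript.
function decryptWithUrl(sample, candidateUrl) {
  const key = deriveKey(sample.stub, candidateUrl);
  const source = fromBytes(xorStream(fromHex(sample.blob), key));
  let parses = true;
  try { new Function(source); } catch (e) { parses = false; }
  return { key, source, parses };
}

// Demo with constructed, benign inputs: same routine, two hosting URLs.
const PAYLOAD = "var hidden = 'decoy routine'; hidden;";
const URL_A = "http://example.com/index.html";
const URL_B = "http://example.org/index.html";
const sampleA = buildSample(URL_A, PAYLOAD);
const sampleB = buildSample(URL_B, PAYLOAD);
console.log("blobs differ for the same routine:", sampleA.blob !== sampleB.blob);
console.log("correct URL parses:", decryptWithUrl(sampleA, URL_A).parses);
console.log("wrong URL parses:", decryptWithUrl(sampleA, URL_B).parses);
```

The practical lesson for sample handling follows directly: the blob alone is not enough, so the exact URL (and the untouched decryptor source) must travel with the sample; replaying it in `decryptWithUrl` recovers the routine without ever running it.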

Web malware has been a particularly prevalent type of threat in recent times. Several mass injection attacks affecting hundreds of thousands of websites have been reported this year alone. Such was the case with Gumblar, Beladen and Nine-Ball, which relied on compromised FTP accounts rather than on web vulnerabilities like cross-site scripting or SQL injection.

The development of new obfuscation techniques such as this one, which potentially make investigating complex attacks and tracking their origin a lot harder, is worrying for security researchers. Prevx, a UK-based antivirus vendor, has recently discovered a dump site containing stolen FTP credentials for more than 68,000 websites, including some very high-profile ones.

Image captions: Web malware uses URL-based encryption key; Decrypted JS_VIRTOOL sample