Friday, May 29th, 2009
Obfuscation not only discourages casual reverse-engineering of the exploit used and its inner workings, it also makes it more difficult for internet security/virus scanners to correctly identify and prevent the malware from running. If your code appears to be constructing a very large string with hex-encoded data (i.e., attempting a buffer overflow condition with “shellcode” to execute arbitrary commands), then you’re due to get flagged. If on the other hand you have some innocent-looking strings compressed or encrypted so as not to reveal their evil nature at first glance, your dirty work may in fact fly under the radar, undetected.
Scott takes apart the code, much of whose source looks like this:
I suspect if this code did work, it would execute a JS payload or would dynamically fetch (via xmlHttpRequest), decode/decrypt and execute a payload. (A key/passphrase or decoding loop is suggested, given the output above.) On the other hand and in the words of comedian Dennis Miller, “‘Course that’s just my opinion, I could be wrong.”
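As an added example (not code from this post or from Scott's write-up), the JavaScript below sketches both sides of the point above: a naive scanner rule that flags one long hex/percent-escaped string literal, a constructed sample that hides an equivalent payload behind an XOR layer and string splitting so that rule misses it, and the static decoders an analyst would write to recover both without eval()ing anything. The key `k3y`, the decoder name `x`, the `alert(...)` payload and the repeated `%u9090` literal are all constructed for this example, and the regexes are deliberately simpler than what a real scanner uses.

```javascript
// Added example, not code from the Ajaxian post or from Scott's analysis.
// Two sides of the point made above: a naive scanner heuristic that keys
// on a long hex/percent-escaped string literal, a constructed sample that
// hides an equivalent payload behind an XOR layer plus string splitting
// (so the heuristic misses it), and the static decoders an analyst writes
// to recover both without eval()ing untrusted code.

// Decode the %XX and %uXXXX escapes that unescape() accepts, statically.
function decodePercentEscapes(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (_, u, b) => String.fromCharCode(parseInt(u !== undefined ? u : b, 16)));
}

// XOR a string against a repeating ASCII key and emit lowercase hex bytes
// (the "malware author" side; here only so the sample is reproducible).
function xorHexEncode(plain, key) {
  let hex = '';
  for (let i = 0; i < plain.length; i++) {
    const b = plain.charCodeAt(i) ^ key.charCodeAt(i % key.length);
    hex += b.toString(16).padStart(2, '0');
  }
  return hex;
}

// Inverse of xorHexEncode (the analyst side).
function xorHexDecode(hex, key) {
  let out = '';
  for (let i = 0; i < hex.length; i += 2) {
    const b = parseInt(hex.slice(i, i + 2), 16);
    out += String.fromCharCode(b ^ key.charCodeAt((i / 2) % key.length));
  }
  return out;
}

// Naive signature of the kind the post says gets you "flagged": a single
// quoted literal made of 64 or more hex digits, \xHH or %[u]HHHH escapes.
const HEX_BLOB = /["'](?:%u?[0-9a-fA-F]{2,4}|\\x[0-9a-fA-F]{2}|[0-9a-fA-F]){64,}["']/;
function looksLikeHexPayload(script) {
  return HEX_BLOB.test(script);
}

// Analyst helper: pull the argument of unescape("...") and decode it.
function recoverUnescapePayload(script) {
  const m = /unescape\("([^"]*)"\)/.exec(script);
  return m ? decodePercentEscapes(m[1]) : null;
}

// Analyst helper: gather every all-hex string literal (the split chunks),
// join them in source order and XOR-decode with the recovered key.
// Assumes the chunks are the only all-hex literals in the snippet.
function recoverSplitXorPayload(script, key) {
  const pieces = [];
  const lit = /"([0-9a-f]+)"/g;
  let m;
  while ((m = lit.exec(script)) !== null) pieces.push(m[1]);
  return xorHexDecode(pieces.join(''), key);
}

// ---- Constructed samples (not real malware) ---------------------------
// 1. The obvious form: one long %u-escaped literal, 0x9090 repeated.
const SAMPLE_FLAGGED = `var sc = unescape("${'%u9090'.repeat(80)}");`;

// 2. The "innocent-looking" form: a benign payload XORed with a short key
//    and split into 8-character chunks joined with +, so no single literal
//    is long enough to trip HEX_BLOB. `x` stands in for the decoder
//    function a real sample would carry alongside the data.
const PAYLOAD = "alert('decoded payload')";
const KEY = 'k3y';
const CHUNKS = xorHexEncode(PAYLOAD, KEY).match(/.{1,8}/g)
  .map(c => `"${c}"`).join('+');
const SAMPLE_HIDDEN = `var k="${KEY}",d=${CHUNKS};eval(x(d,k));`;

console.log('flagged sample trips signature:', looksLikeHexPayload(SAMPLE_FLAGGED));
console.log('hidden sample trips signature :', looksLikeHexPayload(SAMPLE_HIDDEN));
console.log('hidden sample decodes to      :', recoverSplitXorPayload(SAMPLE_HIDDEN, KEY));
```

Run it with Node. The flagged sample trips the signature and the hidden one does not, yet the hidden one decodes back to the original payload once the key and chunk order are read out of the source, which is exactly the kind of static unpacking the analysis above is doing by hand.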
Want to give someone a bugger of an interview? Take some snippets and ask them to tell you what they do.
Posted by Dion Almaer at 6:04 am