Masking Malware.

Over the weekend I thought about new ways in which someone can mask malware on the web. Today malware writers use long chains of iframes and a mixture of code obfuscation to hide their malware from webmasters, surfers and malware security researchers. I think it's important to investigate new ways of masking malware, because it gives everyone a sense of what is possible. I found two new ways of hiding malware, which rely on a flaw in a browser and a feature of a server respectively.

Masking Malware inside Internet Explorer 8 beta.

It is possible to hide the source of an application or a piece of malware in Internet Explorer 8 beta by utilizing UTF-16 Big Endian encoding. Big Endian and Little Endian refer to the order in which the bytes of a multi-byte value are stored in memory. The Windows architecture was mainly designed for Little Endian, so some issues arise with software written for Big Endian architectures, and especially with UTF-16 Big Endian, also called UTF-16BE. By changing the charset in the <meta> Content-Type declaration to UTF-16, you can successfully hide malware inside MSIE 8 beta, as seen in example 1.

Example 1.

<meta http-equiv="Content-Type" content="text/html; charset=UTF-16" />

However, it is also possible to encode an entire file as UTF-16BE. This has the same result as setting the charset manually. One way of doing this is to write a function that encodes it into UTF-16BE, or to use Notepad in Windows and save the document as UTF-16 BE. Another method is to use a server-side language to encode a string to UTF-16, as seen in example 2.

Example 2.

<?php
// Convert $str to UTF-16 using mbstring when it is available.
function utf16($str) {
    // utf8_encode() treats its input as ISO-8859-1 and returns UTF-8.
    $utf8 = utf8_encode($str);
    if (function_exists('mb_convert_encoding')) {
        return mb_convert_encoding($utf8, 'UTF-16', 'UTF-8');
    } else {
        // mbstring not available: return the string unchanged.
        return $str;
    }
}

echo utf16('<iframe src="http://www.google.com/malware/malwarez.html"></iframe>');
?>

All of these methods work when one wants to hide the source code of a page created for Internet Explorer. Firefox should render the page as well, but Firefox seems to be UTF-16BE aware when it parses the source back to UTF-8 to display it as “source code”. Google Chrome doesn't render the page in UTF-16LE at all.

Masking stylesheet malware.

As some of you know, XSS can also be carried in CSS, which results in a bigger XSS attack landscape. The problem is, how do you hide a stylesheet? Is it possible at all? The answer is yes. Many platforms support a Link: response header, which means it's possible to link content into a page through a response header. This way the stylesheet is not visible in the source code of the page, and so it is possible to mask a stylesheet from inexperienced security researchers. As far as I know, only Internet Explorer seems to deny a stylesheet sent through the response header.

<?php
header("Link: <stylesheet.css>; rel=\"stylesheet\"; title=\"style\"");
?>

This is useful in Xsstc malware; see this test by Wes Biggs: http://www.tralfamadore.com/test-xsstc.html
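A defender-side check for the two tricks above (UTF-16 source masking and the header-only Link: stylesheet), as an added Python example that is not part of the original post: it decides the encoding from the bytes rather than the declared charset, flags a declaration that disagrees with the bytes (the example 1 case), lists embedded iframe/object/embed tags, and pulls rel="stylesheet" URLs out of the Link: header. The sample bodies and headers are constructed for this example; the Link: value and iframe URL are the ones from the post.

```python
import codecs
import re

EMBED_RE = re.compile(r"<(?:iframe|object|embed)\b[^>]*>", re.IGNORECASE)
CHARSET_RE = re.compile(r"charset=\"?([\w-]+)", re.IGNORECASE)
LINK_RE = re.compile(r"<([^>]+)>\s*((?:;[^,]*)*)")

def sniff_encoding(body: bytes) -> str:
    """Decide the encoding from the bytes, never from a declared charset: a BOM wins;
    otherwise ASCII-heavy UTF-16 has NULs on alternating offsets (even = BE, odd = LE)."""
    for bom, enc in ((codecs.BOM_UTF16_BE, "utf-16-be"), (codecs.BOM_UTF16_LE, "utf-16-le")):
        if body.startswith(bom):
            return enc
    even_nuls, odd_nuls = body[0::2].count(0), body[1::2].count(0)
    floor = len(body) // 4  # at least half of one byte lane must be NUL
    if even_nuls > floor and even_nuls > 2 * odd_nuls:
        return "utf-16-be"
    if odd_nuls > floor and odd_nuls > 2 * even_nuls:
        return "utf-16-le"
    return "utf-8"

def decode_body(body: bytes) -> str:
    return body.decode(sniff_encoding(body), errors="replace").lstrip("\ufeff")

def declared_charset(headers: dict, text: str) -> str:
    """Charset the response claims, from Content-Type or the <meta> tag ("" if none)."""
    for source in (headers.get("Content-Type", ""), text):
        m = CHARSET_RE.search(source)
        if m:
            return m.group(1).lower()
    return ""

def header_stylesheets(headers: dict) -> list:
    """URLs pulled in via Link: ...; rel="stylesheet", which never appear in the page source."""
    return [url for url, params in LINK_RE.findall(headers.get("Link", ""))
            if re.search(r'rel\s*=\s*"?stylesheet\b', params, re.IGNORECASE)]

def audit_response(headers: dict, body: bytes) -> dict:
    text = decode_body(body)
    sniffed, declared = sniff_encoding(body), declared_charset(headers, text)
    # Example 1 of the post: bytes are plain UTF-8 while the page claims UTF-16.
    mismatch = bool(declared) and declared.startswith("utf-16") != sniffed.startswith("utf-16")
    return {"sniffed": sniffed, "declared": declared, "charset_mismatch": mismatch,
            "embeds": EMBED_RE.findall(text), "header_stylesheets": header_stylesheets(headers)}

# Constructed samples, not captured traffic: the post's example-2 iframe as UTF-16BE
# without a BOM, a UTF-8 body that merely claims UTF-16, and a Link: header.
SAMPLE_UTF16BE = '<html><iframe src="http://www.google.com/malware/malwarez.html"></iframe></html>'.encode("utf-16-be")
SAMPLE_MISDECLARED = b'<meta http-equiv="Content-Type" content="text/html; charset=UTF-16" /><iframe src="x.html"></iframe>'
SAMPLE_HEADERS = {"Content-Type": "text/html", "Link": '<stylesheet.css>; rel="stylesheet"; title="style"'}
```

Run `audit_response(SAMPLE_HEADERS, SAMPLE_MISDECLARED)` to see the charset mismatch flagged alongside the header-only stylesheet.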

Conclusion.

Masking malware can be very important for attackers, and for malware security researchers it can be a real nightmare. Sadly these two ideas aren't the only ones. There are many more ways of masking malware; one thing I did not discuss, due to my limited time window, is the use of OBJECT elements. An OBJECT can behave like an iframe, because it can hold different MIME and content types, such as “text/html”, which renders the OBJECT as an iframe. Again, this poses another great risk for the internationalization of web standards. Furthermore it is important to always check the response headers, because what you get sent back isn't always what it says it is.
source: OWASP News