Malvertisement Leads to Dragon Pack

Dragon Pack is a new exploit kit that has hit the hacker scene. It sports only a handful of exploits but they are arguably the most successful ones. If nothing else, this pack looks very cool.

Anyway, let's take a step back to the website that kicks off the browser exploitation. If you click on some of the links of the various companies on the website seen below, you'll be saying hello to Dragon Pack. I don't want to call out specific pages since there may be some confusion about whether those companies are spewing malware. Of course, they're not. One of the ad campaigns is infected and Manta is inserting this ad in some of the listings.

Here's a graphic that shows the URL (in bold) and the specific link in the page's HTML source code which leads to the next link in the chain until the final malicious site with Dragon Pack is called.

There were two interesting sites that I took a closer look at. The first was the perconel.com site. You can see the obfuscated Javascript that opens an iframe to the Dragon Pack site.

On the Dragon Pack site itself, you can see one of its exploits. Believe it or not, the obfuscated Javascript is actually similar to the one above. There's a lot of concatenation going on above but the de-obfuscation routine is the same as this one.

Let's walk through de-obfuscating this script. Here is a sample I pulled off from another site earlier but it's also similar. By the way, the first two lines of the Javascript code were in separate external JS files which I included here for the sake of brevity.

This script is straightforward to figure out. The 3rd and 4th lines build the string "eval" out of array elements and assign it to the dLnOQO variable.

var NDotmhh0=['n','e','G','j','y','v','E','l','p','K','u','a','z','O','l','l'];
var dLnOQO=NDotmhh0[1]+NDotmhh0[5]+NDotmhh0[11]+NDotmhh0[14];

The other variable assignments set up "this" and "unescape" so that the last line at the bottom executes the final output. Here's the decoded version of that line:

this.eval(this.unescape(ret));

The final output comes from the obfuscated text assigned to the strochka variable. The algorithm 4/5th of the way down looks up each character of that text. If it finds the character in desttable, up at the very top, it takes the character at the same position in srctable. So the first character of the obfuscated text, "L", corresponds to the character "%", "2" corresponds to "6", "p" corresponds to "4", etc.

You'll eventually get a string of percent-encoded hex, which is unescaped and eval'd into the de-obfuscated code.

This script tries to exploit Java two different ways as well as Acrobat.

If we were to bypass the analysis and just insert a <textarea> tag at the beginning of the script to see the final output, we'd end up with only part of the final code, the Java exploit. Where's the Acrobat exploit?

If we replace the eval line at the bottom with document.write(unescape(ret)), we can see both the Java and Acrobat exploits.

But it's still not complete. The best way to deal with this script is to replace the eval line with document.write(ret). We'll end up with hex code.

If we convert this to text then we get all the code which is what you see at the "de-obfuscated code" graphic above.
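To make the substitution step and the document.write(ret) view concrete, here is an added decoder in JavaScript; it is not code from the original post or from the kit. The tables and the sample strochka string are constructed for illustration (keeping the L/%, 2/6 and p/4 pairs noted above), and because nothing is evaluated or rendered, it gives the complete output that the textarea and document.write(unescape(ret)) shortcuts did not.

```javascript
// Added example, not the kit's code. Tables and sample input are constructed.
// Decoding maps desttable[i] -> srctable[i]; the real kit's tables differ.
const desttable = "LzxckpQ2mnbvhjgfd";
const srctable  = "%0123456789abcdef";

// Step 1: the character substitution loop. A character that is not found in
// desttable is copied through unchanged.
function substitute(strochka, dest = desttable, src = srctable) {
  let ret = "";
  for (const ch of strochka) {
    const pos = dest.indexOf(ch);
    ret += pos === -1 ? ch : src[pos];
  }
  return ret;
}

// Step 2: what unescape() would do, reimplemented so the result is only a
// string. Handles %XX and %uXXXX; malformed escapes are left untouched.
function percentDecode(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g, (m, u, x) =>
    String.fromCharCode(parseInt(u !== undefined ? u : x, 16)));
}

// Full pipeline: "hex" is what document.write(ret) shows, "code" is the
// de-obfuscated script that eval would otherwise have run.
function deobfuscate(strochka) {
  const ret = substitute(strochka);
  return { hex: ret, code: percentDecode(ret) };
}

// Constructed sample strochka: decodes to the harmless statement alert(1).
const sampleStrochka = "L2xL2jL2QLmcLmpLcnLkxLcb";

if (typeof require !== "undefined" && require.main === module) {
  const out = deobfuscate(sampleStrochka);
  console.log("ret  :", out.hex);   // %61%6c%65%72%74%28%31%29
  console.log("code :", out.code);  // alert(1)
}
```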

The lesson here is that if you just use shortcuts without understanding the script, you may come up short and walk away with only half the story.

Posted on: 12/02/2010