As analysts investigating malware on web hosting platforms, we see a lot of the same things over and over again. Phishing kits, for example, all look the same after a while: a copy of a legitimate page plus a PHP script that sends whatever the victim typed to the kit owner by email or Telegram message. Credit card skimmers, similarly, all look alike after a while. So it is always refreshing to come across something uncommon.
We are all familiar with math on websites: adding tax to a purchase, building the range for a random number generator, incrementing counters, converting days to seconds. Because computers work on groups of ones and zeros (bits), however, there is a second family of operations that act on those bits directly. These bitwise operations (AND, OR, XOR, NOT and the shifts) can make malicious code look like complete nonsense.
Looks like nonsense, right? Thanks to some of the quirks of PHP, however, that is a fully functional, password-protected, remote code execution (RCE) script that uses environment variables to hold the malicious payload.
This works because of how PHP treats its bitwise operators when the operands are strings rather than numbers: it applies the operator byte by byte. Each character is taken as its 8-bit value, the operator is applied to the bit pattern (or, for the two-operand forms, to the bit patterns of the two characters in the same position), and the resulting bit pattern is a new character in the output string. One caveat when decoding by hand: for ^ and & the result is only as long as the shorter operand, while for | the extra bytes of the longer operand are kept.
The common operators are & (AND), | (OR), ^ (XOR) and ~ (NOT), plus the shifts << and >>.
For example, this means that g^W (g XOR W) results in the character ‘0’ (the digit zero). The letter g has the ASCII decimal value 103, which in binary is 01100111. The letter W has the ASCII decimal value 87, which is 01010111 in binary. XOR sets a bit only where exactly one of the inputs has it set, so the result is 00110000 in binary, which is 48 in decimal and corresponds to the ASCII character 0.
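Here is an added PHP example (not code from the original post or from any real sample) that shows the string-operand behaviour described above, the way an obfuscated script uses it to keep a function name out of the file, and a small analyst helper that evaluates such constant expressions without running the script. The key strings, the stand-in function name strrev and the deobfuscate_constants() helper are all made up for illustration.

```php
<?php
// Added example for this article, not code from the original post or from any
// real malware sample. Key strings and the stand-in function name (strrev) are
// made up; a real kit hides system/eval/passthru in exactly the same way.

// 1. With two STRING operands, ^ & | work byte by byte and return a string.
//    This is the g ^ W case from the text.
echo "g" ^ "W", "\n";                       // 0   (0x67 ^ 0x57 = 0x30)

// 2. ~ (NOT) also works per byte, which is why obfuscated files are full of
//    literals with high bytes such as "\x8c\x8b...": ~0x73 ('s') = 0x8c.
echo ~"\x8c\x8b\x8d\x8d\x9a\x89", "\n";     // strrev

// 3. Length caveat: ^ and & cut the result to the SHORTER operand,
//    | keeps the bytes of the longer one.
echo strlen("abcdef" ^ "ab"), " ", strlen("abcdef" | "ab"), "\n";   // 2 6

// 4. The pattern a kit uses: the function name never appears as a literal,
//    so grepping for "system" or "eval" finds nothing; PHP's variable-function
//    syntax then calls whatever the expression evaluated to.
$f = "RUSSDW" ^ "!!!!!!";                   // evaluates to "strrev"
echo $f("olleh"), "\n";                     // hello
// In the script described in the article the argument comes from the
// environment (for example a request header that PHP exposes as
// $_SERVER['HTTP_...']) instead of a literal, so the payload is not in the
// file either.

// 5. Analyst side: the operands are constants, so each expression can be
//    evaluated on its own. This emulates PHP's string semantics directly
//    rather than calling eval() on untrusted text.
function php_literal(string $lit): string {
    $body = substr($lit, 1, -1);
    // Double-quoted: stripcslashes handles \xhh, \n, \t and octal escapes
    // (variable interpolation is deliberately not supported).
    // Single-quoted: only \\ and \' are escapes.
    return $lit[0] === '"'
        ? stripcslashes($body)
        : strtr($body, ['\\\\' => '\\', "\\'" => "'"]);
}

function deobfuscate_constants(string $src): array {
    $lit = '(?:"(?:\\\\.|[^"\\\\])*"|\'(?:\\\\.|[^\'\\\\])*\')';
    $re  = '/(' . $lit . ')\s*([\^&|])\s*(' . $lit . ')|(~)\s*(' . $lit . ')/';
    preg_match_all($re, $src, $hits, PREG_SET_ORDER);
    $out = [];
    foreach ($hits as $h) {
        if (isset($h[5])) {                       // ~"..." form
            $val = ~php_literal($h[5]);
        } else {                                  // "..." OP "..." form
            $a = php_literal($h[1]);
            $b = php_literal($h[3]);
            $val = match ($h[2]) { '^' => $a ^ $b, '&' => $a & $b, '|' => $a | $b };
        }
        $out[$h[0]] = $val;
    }
    return $out;
}

// Constructed sample of obfuscated source text (single-quoted so the \x escapes
// stay literal, exactly as they would sit in a file on disk).
$sample = '$f = "RUSSDW" ^ "!!!!!!"; $g = ~"\x8c\x8b\x8d\x8d\x9a\x89"; $z = "g" ^ "W";';
foreach (deobfuscate_constants($sample) as $expr => $val) {
    printf("%-36s => %s\n", $expr, $val);   // strrev, strrev, 0
}
```

The helper is a triage aid, not a parser: it only recognises a literal on each side of ^, &, | or a literal after ~, which is the shape these scripts almost always take. Expressions that nest, concatenate or pull one operand from a variable still need to be worked through by hand, and nothing here should be replaced with eval() on text you did not write.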
For more details on these operators and examples of how they are used in malicious scripts, please watch this video:
As analysts, we also commonly see code embedded in GIFs and PNGs, or tucked into the EXIF metadata of JPEG files. Less common is hiding the data within the pixel data itself. This is steganography, and it extends to more than just images.
Simply defined, steganography is hiding a secret message inside something that is not secret. The image embedding techniques above are all examples of it. But there is another, less common, steganographic technique that allows malicious code to be embedded in ordinary text files: whitespace encoding.
The first time I encountered this technique was in the CoreLibrariesHandler malware, in which a large block of spaces and tabs was assigned to a variable and then parsed in groups of eight whitespace characters. Each group was converted to a string of 0s and 1s depending on whether each character was a tab or a space, and each eight-bit string was then converted to its ASCII character. The result was either printed out to the end user, if the malware was browser-based, or executed on the server.
Another variation of this technique seen in the wild was a large block of whitespace at the end of a CSS file, parsed by a second script.
However, there is no requirement that the whitespace be one large block. It is entirely conceivable that the malicious code replaces the spaces and tabs of a legitimate file, in the right places, so that the original code still functions properly but just “looks odd.” In that case a diff against a pristine copy of the file, or viewing it with whitespace made visible, shows what the eye cannot.
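The following added PHP example (not the CoreLibrariesHandler code or any other sample from the post) encodes and decodes whitespace-hidden payloads in the form described above, covering both the trailing block at the end of a CSS file and the case where the payload whitespace is spread through a file, and adds a simple triage check for long mixed runs of tabs and spaces. The bit polarity (tab = 1, space = 0), the function names and the sample CSS carrier are assumptions made for illustration.

```php
<?php
// Added example, not the CoreLibrariesHandler code or any other sample from
// the post. Assumption made here: tab = bit 1, space = bit 0, eight whitespace
// characters per byte. A real sample may use the opposite polarity; if the
// decoder returns garbage, swap the two characters in ws_decode().

function ws_encode(string $payload): string {
    $out = '';
    foreach (str_split($payload) as $ch) {
        $bits = str_pad(decbin(ord($ch)), 8, '0', STR_PAD_LEFT);
        $out .= strtr($bits, ['1' => "\t", '0' => ' ']);
    }
    return $out;
}

// Keeps only tabs and spaces from the carrier and decodes them in groups of
// eight. This handles a trailing block in a CSS file and the "replaced
// indentation" variant alike, as long as every tab and space in the string you
// pass in belongs to the payload: one stray space shifts every following byte
// and the output turns to garbage, so cut the carrier down first.
function ws_decode(string $carrier): string {
    $ws   = preg_replace('/[^\t ]/', '', $carrier);
    $bits = strtr($ws, ["\t" => '1', ' ' => '0']);
    $bits = substr($bits, 0, strlen($bits) - strlen($bits) % 8); // drop partial byte
    if ($bits === '') {
        return '';
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {
        $out .= chr(bindec($byte));
    }
    return $out;
}

// Triage: report 1-based line numbers holding a long run of whitespace that
// mixes tabs and spaces. Normal indentation is rarely 64+ characters of both.
function ws_suspect_lines(string $src, int $minRun = 64): array {
    $hits = [];
    foreach (explode("\n", $src) as $i => $line) {
        if (preg_match('/[\t ]{' . $minRun . ',}/', $line, $m)
            && strpos($m[0], "\t") !== false
            && strpos($m[0], ' ') !== false) {
            $hits[] = $i + 1;
        }
    }
    return $hits;
}

// Constructed carrier: a CSS file with the payload appended as a final line,
// the variant mentioned in the text. The "payload" is a harmless stand-in.
$payload = "<?php echo 'hi'; ?>";
$css     = "body{margin:0}\n.a{color:red}\n" . ws_encode($payload) . "\n";

echo implode(",", ws_suspect_lines($css)), "\n";      // 3

// Only the last line carries the payload, so hand the decoder just that run.
preg_match('/^[\t ]+$/m', $css, $m);
echo ws_decode($m[0]), "\n";                          // <?php echo 'hi'; ?>
```

The triage function is deliberately crude: it will also flag a generated file with very wide, mixed indentation, and it will miss a payload that is split across many short lines. Its value is in being cheap enough to run across every text file on a host, with the decoder used on whatever it flags.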
For more details on malicious whitespace, please watch this video:
Although these “uncommon” threats can be difficult to identify, the good news is that SiteLock has the tools and techniques to find and remove these kinds of malicious files. If you suspect that your website has been infected with these or other kinds of malware, reach out and speak to one of our agents today.
Maarten Broekman has worked as a system administrator and systems engineer for over 25 years, primarily in the shared web-hosting space. One of the main concerns for web-hosting providers is being able to serve their customers’ websites as quickly and efficiently as possible. As a result, anything that detracts from performance needed to be examined closely and this is where his interest in malware and code analysis sprang from. For over a decade, finding, decoding, and removing malware (and automating that process) has been his primary focus.