Code obfuscation is nothing new. Malware authors are always on the lookout for new techniques that let them evade detection by security products, and common exploit toolkits have begun to use obfuscation to hide the methods they use to plant malware on a victim's Web site. Spammers also employ obfuscation and non-printing characters: one example is the soft-hyphen character (U+00AD), which most Web browsers do not display at all (it only appears as an ordinary hyphen if a line happens to break there) and ignore when resolving a link, so the text looks normal to the reader while URL and email filters see a string that does not match their patterns.

Recently, Marta Janus, a researcher at Kaspersky Lab, blogged about a different kind of code obfuscation she came across while investigating a compromised e-commerce Web site. Janus was analyzing the PHP scripts running on the site to work out exactly how the attackers had been able to dynamically insert malicious links into the site's Web pages.

During her analysis, she found that the attackers had used an interesting new obfuscation method to insert the malicious links: the URL was stored as binary, later converted to decimal values and then printed as ASCII characters in the final link. The attackers hid the payload in a mix of non-printing characters, namely tabs and spaces, which "spelled out" the malicious URL that was then inserted as a link into the e-commerce site's pages. As Janus explained, a URL can be written entirely in spaces and tabs because the decoding function splits the run of whitespace into 8-character pieces and treats each SPACE as a "0" bit and each TAB as a "1" bit; every 8-character group is therefore one byte, which is read as a decimal value and emitted as the corresponding ASCII character.
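The following is an added example, not code from the compromised site or from the Kaspersky write-up, showing the encoding just described and a simple detector for it. It is written in Python rather than the PHP the attackers used; the short PHP decoder embedded in the sample below is a constructed illustration of how the server side could turn the whitespace back into a link (`str_split`, `strtr`, `bindec` and `chr` are standard PHP functions, but the script itself is hypothetical). The URL `http://example.com/x` is a placeholder.

```python
"""Tab/space "whitespace encoding" of a URL, as described in the article.

Added example, not the attackers' PHP and not Kaspersky's code.
Convention from the article: SPACE = 0 bit, TAB = 1 bit, eight characters per byte.
"""
import re

SPACE, TAB = " ", "\t"


def whitespace_encode(text: str) -> str:
    """Encode each byte of `text` as eight spaces/tabs (MSB first)."""
    out = []
    for byte in text.encode("latin-1"):
        bits = format(byte, "08b")
        out.append(bits.replace("0", SPACE).replace("1", TAB))
    return "".join(out)


def whitespace_decode(blob: str) -> str:
    """Reverse: split into 8-char groups, SPACE->0, TAB->1, binary->decimal->chr().

    A trailing partial group (fewer than 8 characters) is ignored, as a lenient
    decoder would do; any non-whitespace character is an error.
    """
    chars = []
    for i in range(0, len(blob) - len(blob) % 8, 8):
        bits = blob[i:i + 8].replace(SPACE, "0").replace(TAB, "1")
        if not set(bits) <= {"0", "1"}:
            raise ValueError(f"non-whitespace character in group at offset {i}")
        chars.append(chr(int(bits, 2)))
    return "".join(chars)


# Heuristic detector: runs of at least 16 whitespace characters (two encoded bytes).
# Ordinary indentation is normally all spaces or all tabs; long runs that mix the two
# and decode to printable text are worth a look.
WHITESPACE_RUN = re.compile(r"[ \t]{16,}")


def find_suspicious_runs(source: str):
    """Return (offset, byte_count, decoded_text) for each mixed tab/space run."""
    findings = []
    for m in WHITESPACE_RUN.finditer(source):
        run = m.group()
        if TAB in run and SPACE in run:
            decoded = whitespace_decode(run)
            if decoded.isprintable():
                findings.append((m.start(), len(run) // 8, decoded))
    return findings


# Constructed sample of what an infected PHP file might look like: the payload is a
# string literal that is pure whitespace, followed by a tiny decoder (hypothetical).
PAYLOAD = whitespace_encode("http://example.com/x")
SAMPLE_PHP = (
    "<?php\n"
    '$t = "' + PAYLOAD + '";\n'
    "$u = '';\n"
    "foreach (str_split($t, 8) as $g) {\n"
    "    $u .= chr(bindec(strtr($g, array(' ' => '0', \"\\t\" => '1'))));\n"
    "}\n"
    "echo '<a href=\"' . $u . '\">shop</a>';\n"
)

if __name__ == "__main__":
    for offset, nbytes, text in find_suspicious_runs(SAMPLE_PHP):
        print(f"offset {offset}: {nbytes} encoded bytes -> {text!r}")
```

Viewed in an editor, the `$t` line looks like an empty or blank string, which is the whole point of the technique. The detector is only a heuristic: a file with sloppy mixed indentation can trigger it, so in practice the decoded text is what to inspect (a URL or a PHP keyword is a strong signal), and turning on the "show whitespace" option in your editor makes the tab/space pattern visible immediately.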

The technique Janus discovered closely resembles one demonstrated at DEFCON 16 in Las Vegas around three years earlier. The main difference is that the attackers implemented it in PHP on the server rather than in JavaScript in the browser. The whitespace method's advantage over JavaScript obfuscation techniques is that it does not show the usual symptoms of obfuscation, such as escaped Unicode text or string splitting, and the payload itself is invisible in casually viewed source, so there is little to draw an analyst's eye.
