Deobfuscating VBScript

Published: 2007-09-03. Last Updated: 2007-09-03 00:24:22 UTC
by Bojan Zdrnja (Version: 1)

A couple of days ago Maarten wrote a nice diary about an iframe tag pointing to a “benign” VBScript that was planted on a relatively high profile web site in Belgium (the original diary is here: http://isc.sans.org/diary.html?storyid=3324).

I’ve been thinking about writing a diary about how to deobfuscate VBScript for quite some time and recently even received a couple of e-mails about this (since we have covered JavaScript deobfuscation pretty thoroughly here, I would say), so here we go.

The main problem with VBScript is that you basically have to run it on Windows – there aren’t any stand-alone VBScript interpreters for Linux (as far as I know – if you know of one please let us know through our contact form).

As we have to work with malicious VBScript programs on Windows platforms, this also means that we have to be extra careful – we are actually using the platform that the original exploit was written for (virtual machines come to help here – you don’t want to infect your main host accidentally). As an analyst, you now have the following options:

  1) Use Windows Script Host, which can execute VBScript from the command line (the wscript command).
  2) Use Microsoft Script Debugger from Internet Explorer.
  3) Use Microsoft Script Editor from Internet Explorer.

I will explain methods 1) and 3) here and leave 2) for a future diary (or as an exercise to you, if you find this whole diary interesting). The example malicious VB Script is almost the same as the one Maarten analyzed (and which is pretty popular). The screenshot below shows the important part where the decoded content is executed with the execute(decode(cde)) call (the program first calls the decode() function and then executes its output):

[Screenshot: Obfuscated VBScript]

Windows Script Host

Wscript is an interpreter that comes with Windows and that can easily execute VB Script programs. When deobfuscating VB Script programs with wscript, almost the same rules apply as when using Spider Monkey with JavaScript. As we typically want to see what will happen when the current layer is deobfuscated, the most important part of the deobfuscation process is to change the execute() calls to Wscript’s equivalent of print, wscript.echo, so the decoded layer is printed instead of being run. The final two lines will look like this:

Wscript.echo (decode(abc))
Wscript.echo (decode(cde))

You will also have to strip all non-VB Script content (just as you have to strip out all non-JavaScript content when running a script through Spider Monkey) and change the extension to .vbs, so wscript will know how to execute it. After this is done, you can just start the script with:

wscript sina.vbs

And the output will look like this:

[Screenshot: Wscript output]

This is pretty much self-explanatory. Let’s see the other method.

Using Microsoft Script Editor

Microsoft Script Editor is a powerful utility that comes with Microsoft Office so in order to install it you have to have a Microsoft Office license (I will cover the free Microsoft Script Debugger in a future diary – there is a reason I picked this one, as you will see in a future diary as well). Microsoft Script Editor will not be installed with Office by default, so you’ll have to add it (it’s under Office Tools and is called Microsoft Script Editor (HTML Source Editing)).

It is easy to check if it’s installed correctly since we have to configure Internet Explorer to use it as well. So first start Internet Explorer and go to Tools -> Internet Options -> Advanced and deselect Disable Script debugging (Internet Explorer). Now restart Internet Explorer and if everything is fine under View you should have an option called Script Debugger:

[Screenshot: IE options]

If you click on Open, Internet Explorer will allow you to choose between the available debuggers, if you have more than one installed.

Now that we have our environment ready, let’s prepare the malicious VB Script. A nice thing when debugging programs like this is that we don’t have to strip out any HTML tags, since Internet Explorer will parse that properly for us. There is one thing I like to do in advance, though. While you can tell Internet Explorer to break the script at the next statement, I prefer to do this manually by adding the statement “stop” as the first line of the script. This acts like a breakpoint, so the result will look like this:

<Script language="VBScript">
stop
abc = "006F006E002000650072….. [rest of the code]
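As an added example (not part of the diary or the original sample), here is a small Python helper that automates the two preparation steps described above: for wscript it keeps only the VBScript blocks and turns each execute() call into Wscript.echo, and for Microsoft Script Editor it leaves the HTML alone and inserts stop as the first statement. The HTML sample, its hex strings and the decode() stub are constructed here for illustration; the real sample's decoder is not reproduced.

```python
import re

# Constructed sample in the shape the diary describes: HTML wrapper, a hidden
# iframe and a VBScript block that decodes two strings and execute()s them.
# decode() is a stand-in here, not the real sample's decoder.
SAMPLE_HTML = """<html><body>
<iframe src="http://example.invalid/x.html" width="0" height="0"></iframe>
<Script language="VBScript">
abc = "006F006E0020006500720072006F0072"
cde = "0072006500730075006D00650020006E006500780074"
function decode(s)
  decode = s
end function
execute(decode(abc))
Execute decode(cde)
</Script>
</body></html>"""

# Opening <script ...> tag whose language attribute is VBScript (case-insensitive).
OPEN_TAG = r'<script[^>]*language\s*=\s*"?vbscript"?[^>]*>'
SCRIPT_RE = re.compile(OPEN_TAG + r'(.*?)</script>', re.IGNORECASE | re.DOTALL)
# A statement line starting with the execute keyword (\b leaves ExecuteGlobal alone).
EXECUTE_RE = re.compile(r'^(\s*)execute\b\s*(.*?)\s*$', re.IGNORECASE)


def rewrite_execute(line):
    """Turn 'execute(expr)' or 'Execute expr' into 'Wscript.echo (expr)' so the
    decoded layer is printed instead of run; every other line passes through."""
    m = EXECUTE_RE.match(line)
    if not m:
        return line
    indent, arg = m.groups()
    if arg.startswith("(") and arg.endswith(")"):
        arg = arg[1:-1]  # drop the call's outer parentheses
    return f"{indent}Wscript.echo ({arg})"


def prepare_for_wscript(html):
    """Method 1: strip everything that is not VBScript and neutralise execute()."""
    body = "\n".join(m.group(1).strip() for m in SCRIPT_RE.finditer(html))
    return "\n".join(rewrite_execute(l) for l in body.splitlines()) + "\n"


def prepare_for_script_editor(html):
    """Method 3: keep the HTML (IE parses it) and insert 'stop' as the first
    statement of each VBScript block, acting as a breakpoint."""
    return re.sub("(" + OPEN_TAG + r")\s*", r"\1\nstop\n", html, flags=re.IGNORECASE)


if __name__ == "__main__":
    print(prepare_for_wscript(SAMPLE_HTML))        # save as sina.vbs, then: wscript sina.vbs
    print(prepare_for_script_editor(SAMPLE_HTML))  # save as .html and open in IE
```

Both outputs are still meant to be run only inside the isolated virtual machine the diary describes, since the rewritten script still calls the sample's own decode() function.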

Now we basically open the file in Internet Explorer (double click it, but do this in an isolated virtual machine) and Internet Explorer will immediately ask us which debugger we want to use. Select Microsoft Script Editor and you will end up debugging the file:

[Screenshot: Microsoft Script Editor]

You can now use all debugging features you want, set breakpoints and see what’s going on. Microsoft Script Editor is an extremely powerful tool, so if you often have to analyze malicious JavaScript/VBScript files you should get familiar with it. Next time I will show you how you can use Microsoft Script Editor to defeat a very complex obfuscation method with only two clicks.

I have to stress, once again, how important it is to do this in an isolated virtual machine, since you will be executing the malicious code.

--

Bojan
