High-bit ASCII obfuscation

Artikel
10/01/2006

Here’s another new obfuscation technique I’ve seen in use on malicious web sites recently. Check out the following HTML:

<html><meta http-equiv=content-type content='text/html; charset=us-ascii'></head><body>¼óãòéðô¾áìåòô¨¢Ôèéó éó óïíå ïâæõóãáôåä óãòéðô¡¢©»¼¯óãòéðô¾</body></html>

Those funny characters are actually standard ASCII characters with the high-bit of each byte set. If the high-bit ASCII managed to get posted properly to this blog without getting mangled, you should be able to drop the obfuscated HTML into a file on a web server and observe that browsing to the file results in execution of the following script:

Here’s some quick and dirty C# code that will clear the high-bit of each input byte:

       int char1;
       Char c1;
       FileStream fs = new FileStream( [file path] , FileMode.Open);
       BinaryReader r = new BinaryReader(fs);

r.BaseStream.Seek(0, SeekOrigin.Begin);

       while (r.BaseStream.Position < r.BaseStream.Length)
       {
           char1 = r.ReadByte();
           char1 = char1 - 0x80;
           c1 = (Char)char1;
           Console.Write(c1);
       }

Drop this code into a console app and you’ll have a nice de-obfuscator.

This interesting behavior of US-ASCII in IE was noted by Kurt Huwig on BugTraq a few months ago.

Comments

Anonymous
July 04, 2008
Actually I do not think that the code given clears the high bit: instead it flips it. This can be seen with the input bytes 0x41, 0x42, 0xC1, 0xC2 which produce the resulting bytes: 0xC1, 0xC2, 0x41, 0x42. I proposes the code below instead. byte byte1; const byte sevenBits = 0x7F; FileStream fs = new FileStream([file path], FileMode.Open); BinaryReader r = new BinaryReader(fs); r.BaseStream.Seek(0, SeekOrigin.Begin); while (r.BaseStream.Position < r.BaseStream.Length) { byte1 = r.ReadByte(); byte1 = (byte) (byte1 & sevenBits); Console.Write(byte1); }

Del via

High-bit ASCII obfuscation

Comments

Yderligere ressourcer