Normal Java JAR or class samples can be analyzed easily with Java decompiler tools such as JAD and JD-GUI. Obfuscated samples are a different story: the decompiler output may be empty or unreadable. When this happens, we need to analyze the JVM (Java Virtual Machine) p-code instead. Nowadays, more and more Java malware uses anti-decompiling techniques to increase the difficulty of analysis. In this blog post, we will analyze a new obfuscating JAR packer that is being used by Java malware, using a sample that we detect as Java/Obfus.CI!tr as an example. Decompiling...
by Ruhai Zhang  |  Dec 01, 2014  |  Filed in: Security Research
Mysterious, yet familiar
Over the past couple of months, there has been a noticeable increase in heavily obfuscated JavaScript code that embeds malicious iframes. Most of that code was injected into JavaScript files included by compromised websites (rather than into the home page itself), which is presumably harder for the website's admin to spot. An example of such injected JavaScript code looks like this: Note that the comments around the obfuscated code (/d47c75/ and //d47c75/ in this case) serve as an injection marker for an...
by Patrick Yu  |  Oct 01, 2013  |  Filed in: Security Research