Monday, September 17, 2012

Insidious Banking Malware and Proxy-auto Config (PAC) - A Step towards Mal-Proxying

Recently, our team came across an interesting sample of banking malware which exploits the proxy-auto-config (PAC) functionality in the browsers. Let's see what we have:-

What is PAC?
PAC is a technique to implement proxy configurations based on the rules provided in the configuration file. The browser chooses the appropriate proxy server for the configured URLs. PAC is implemented in a sandbox and few JavaScript functions are allowed to be used in the PAC files. For more details about PAC, the excellent resource is here - . PAC uses FindProxyForURL() function to implement this functionality. Have a look at one of the example listed here:

Why malware uses PAC?
The concept is straightforward. On the infected machine, the malware downloads the obfuscated PAC file from the server. This allows the malware authors to force the rules defined in the PAC file on the active browsers. It means the malware can push the browser to choose a proxy server based on the URL rules configured in the PAC file. In simpler terms, if a user tries to open a banking website, the browser connects to the proxy server and the traffic is routed through it.

Let's look into the PAC file used by the banking malware:

The file contained an array of elements in the hexadecimal format. The next step is to see what is hidden behind this. Removing "\x" and applying hexadecimal to ASCII converter, we get the elements as shown below:

So as expected, we get the domains configured in the PAC file. Whenever, a user opens the domain listed above, the browser connects to the given proxy server and routes the web traffic through it. Interesting !. Let's look at the implementation of FindProxyForURL() function.

The above-referenced code uses shExpMatch - which attempts to match hostname or URL to a specified shell expression, and returns true if matched. More details can be found here:

var _0x355ax4=_0x4919[0]
: refers to the first element in the array which is the "PROXY".

if(shExpMatch(_0x355ax3,_0x355ax6)){return _0x355ax4;}
; - you know what it means :) . If the domain is matched then force the browser to connect to the given proxy server. The same process goes for the rest of the provided rules.

This shows that how exactly the malware uses the PAC concept for malicious operations.