Questionable Colors? Or Malicious Code?

Although design is subjective, it’s fair to say that we’ve all seen creative images that looked somewhat questionable and wondered what the designer may have been thinking, particularly color choices. But did you know that there are some color choices that aren’t just bad, they really are out to get you?

In this article, we will explore a malware encoding mechanism that hides the payload in RGB color codes.

Encoding Malware

Why Is Malware Encoded?

Malware authors encode their software for the simple reason that, if they didn’t, people would know that the software is bad and wouldn’t use it. Instead, they encode it to help it evade detection by security tools, but also to mislead people about the true nature of it. Often, they will put comments around it with the ominous phrase, “Reverse engineering is strictly prohibited,” or something like that to scare people off from trying to figure out what it is doing.

In truth, encoding is often detrimental because it increases the size of the malicious payload making it easier to detect. However, some methods, like those described in my article on “interesting” malware, are strange enough they can be overlooked as junk or broken code. In those cases, most people would remove the files just because they don’t look like they work. However, there are encoding mechanisms that are strange and yet look completely benign.

Why You Need A Good Interior (Or Web) Designer

Colors Matter

Every interior designer, along with every marketer and website designer, will tell you that your color choices matter. The colors you choose for your website tell a lot about it and your company, and from that some malware authors pick those specific colors because they use them to harm your site visitors.

How Color Codes Work

We are all familiar with the fact that colors on web pages can be represented in several ways. Sometimes, you just want “red” and so you make sure that your page style sets the “color” to the word “red.” This is great and, if the colors you want to use are some of the 140 defined color names, you can use those.

But sometimes you want a color that is just a little different and doesn’t have a conveniently defined name, what then? Well, then you need to delve into hexadecimal color definitions. These colors come in two flavors:

• Traditional RGB (red, green, blue) definitions like #ffffff which says that the red value is ff (256), the green value is ff (256) and the blue value is ff (256), resulting in white.
• RGBA (red, green, blue, and alpha) definitions which use the same red, green, blue information but also contain an additional two hexadecimal characters with information on the ‘alpha’ or transparency of the color.

You might be thinking “Okay, but why does this matter?” Read on to find out.

It Takes Two To Tango

As noted above, colors can be represented as strings of six or eight hexadecimal characters. Traditionally, these are paired up to represent the red, green, blue, and alpha values between 0 and 255. However, the other thing that is represented by values between 0 and 255 is the ASCII character set. And, when the values are used to represent characters, you can string them together into executable code.

What We Found

Investigation Overview

In an investigation, the Sitelock Malware Research Team found the following JavaScript code in a file along with some additional, already known, malware.

On the surface, this snippet of code looks just like two lists of hexadecimal color codes. And if we look at what these colors would appear as, we can see that they are rather somber.

Depending on what they are used for, these colors could make an interesting set of colors for a website except for the fact that there are just too many of them. Most good websites use, at most, four or five colors, not forty-six. So right there, we have an indication that, if nothing else, this is a highly questionable design choice.

Code Review

If we step into the rest of the code, we can see that there are two functions getting created, “div_pick_colors” and “check_div_styles” along with some additional variable assignments.

The variable assignment is important to understand before we dive into the functions, though. The first thing that happens is that there is an empty array created. Next, the ‘css_colors’ array is processed by the div_pick_colors function into the variable ‘s’. Additionally, the ‘css_indexes’ array is reassigned to the variable ‘c’ for later use. The string that resulted from parsing the ‘div_colors’ array is assigned to the first index of our new array and two counters are initialized before we loop over the ‘css_indexes’ (in the form of the ‘c’ array).

The processing within the loop is straight-forward. It uses the value in the ‘c’ array to determine how long of a substring it needs to extract from the ‘s’ variable, which is then assigned to increasing indices of our ‘ct’ array, before the first index of ‘ct’ is reassigned (uselessly).

If we look at the functions, we can see exactly what the assignments are doing above.

The div_pick_colors function, rather than select colors like its name implies, is the decoding function of the malware. It takes an array of strings as the sole argument and loops (outer ‘for’ loop) over them, assigning each to the ‘c_rgb’ variable. The inner loop then steps through each string, starting at position 1 in the string (skipping over the ‘#’ in each color at position 0) and taking a two-character substring each time. As long as that substring is not ‘00’, div_pick_colors will then convert it from a hexadecimal value to a decimal value (parseInt() with ‘16’ as the second argument) and then subtract 15 from that value before appending it to the variable ‘s’.

After all the colors in the array are processed, the div_pick_colors then returns the entire decoded string.

The check_div_styles function is true to its name, sort of. As the name implies, it does ‘check’ that styles are present in the rendered page. However, it does that by finding tags in the rendered page and creating new elements after them. If it is unable to get, create, or append elements, however, it has a backup mechanism to insert its content and that is using a basic document.write() call with the same content. And lastly, the script sets a half-second delay in case it couldn’t get the initial tag.

Final Analysis

In the end, this piece of malware injects a hidden iframe to another site, but there is nothing to stop an attacker from using this method to install viruses on an end-user’s system or to change where a form submits data to.

Summary

As a website owner, you have enough to worry about between publishing consistent content, ensuring your products are available and keeping your website software up to date. Don’t let your site become infected by malicious colors, contact SiteLock today and talk to a professional about protecting your site.

About The Author

Maarten Broekman has worked as a system administrator and systems engineer for over 25 years, primarily in the shared web-hosting space. One of the main concerns for web-hosting providers is being able to serve their customers’ websites as quickly and efficiently as possible. As a result, anything that detracts from performance needed to be examined closely and this is where his interest in malware and code analysis sprang from. For over a decade, finding, decoding, and removing malware (and automating that process) has been his primary focus.