Malicious Intent: Adventures in JavaScript Obfuscation and Deobfuscation

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Malicious Intent
Adventures in JavaScript Obfuscation and Deobfuscation
Ricky Lawshae / October, 2013

Boring Introductory Things

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.3
Who am I?
Security Researcher and Content Developer for TippingPoint
• Write IPS signatures for the known bads by day
• Mess with things to try and uncover the unknown bads by night
Regular Contributor at the Austin Hackers Association monthly meetups
• http://takeonme.org
• #aha on irc.freenode.org
Amateur lock-picker
Texas State University Alumnus (go Bobcats!)

What is (de)obfuscation?
Obfuscation
• Basically, making your code unreadable to humans or undetectable to scanners
• Look at code obfuscation contests for fun examples
– International Obfuscated C Code Contest http://www.ioccc.org/years.html
– Obfuscated Perl Contest http://en.wikipedia.org/wiki/Obfuscated_Perl_Contest
Deobfuscation
• Taking obfuscated code, analyzing it, and making it readable again
• Uncover the true functionality of the code

Why JavaScript?
Popularity
• Redmonk Analytics consistently ranked JavaScript as the 1st or 2nd most popular programming
language over the past two years [http://redmonk.com/sogrady/2013/07/25/language-rankings-6-13/]
• TIOBE Index ranks it at 9th most popular, up from 11th in 2012 and 32nd in 1998
[http://www.tiobe.com/index.php/content/paperinfo/tpci/index.html]
Flexibility
• Entirely platform-independent and interpreted
• New webapp frameworks gaining momentum
– Node.js
– Meteor
– Coffeescript

When is obfuscation needed?
The Light
• Protect your code from copy-paste bandits
• Security through obscurity (NO!)
• Make code smaller
The Dark
• Hide true intentions
• Avoid automated detection
• Buy time

How can you tell the difference?

Basic Obfuscation

String Manipulation
Concatenation
• Take multiple separate strings and join them together
• "He" + "l" + "l" + "o, w" + "o" + "rld!" == “Hello, world!”
unescape()
• Takes a “percent encoded” string of character bytes and converts each byte to its ASCII equivalent
• unescape("%48%65%6c%6c%6f%2c%20%77%6f%72%6c%64%21") == “Hello, world!”
String.fromCharCode()
• Same idea as unescape, but use a list of numbers instead of a percent encoded string
• String.fromCharCode(0x48,0x65,0x6c,0x6c,0x6f,0x2c,0x20,0x77,0x6f,0x72,0x6c,0x64,0x21)
• Can be any format that JavaScript recognizes as a number (decimal, octal, hexadecimal, etc)

Number Manipulation
Base Conversion
• Mixing decimal, hexadecimal, and octal together add confusion
• 10 == 0x0a == 012
Math
• Simple arithmetic operations add complexity and analysis time
• 10 / 2 + 5 – 9 == 1
Functions that return numbers
• Using the return value of a function or property can also buy some time
• " ".length == 5

Whitespace
Adding extraneous spaces and lines
• Can hide things from people who aren’t looking too closely
• JavaScript pretty much ignores all whitespace and comments
– alert /* blah blah blah */ ("Hello, world!");
Removing all whitespace
• Make your code one long line!
• Almost impossible to read through
• A great way to make your code smaller for faster load times

Functions and Variables
Naming
• Calling something “a” or “aflkFGsaf” is a lot less forthright than “counter”
– Single letter function and variable names also make code smaller
– You can also use special characters as names: var ___;
• Misleading names can confuse users
– function countToTen() { return "bacon"; }
Hiding calls
• Store function names in variables
– var blah = alert; blah("Hello, world!");
• Access functions as a member of the parent (more on this later)
– window["alert"]("Hello, world!");

Misdirection and Cruft
if/else statements
• Set up to always evaluate the same way
• One branch contains code that will intentionally never be run
• The other contains the code that is actually used
try/catch statements
• Deliberately trigger an exception before code that again never gets run
• Interrupt execution flow and jump to “catch” statement
• “Catch” contains code that actually gets run
Unused variables
• Pointless variables that have no impact on functionality

Basic Deobfuscation

Retrieve the Code; Don’t Run the Code
wget
• Unix tool that fetches webpages as-is
• Doesn’t have a JavaScript engine
• Has many other useful options for safe browsing
– --max-redirect
– --no-cookies
– --user-agent
Disable JavaScript or use a NoScript-style browser plug-in
• May break some functionality, but most plug-ins allow whitelisting
• Once you figure out what the page is doing, you can turn it back on
• Annoying at first, but worth it in the long run

Browsers and Plug-ins
Firefox
• NoScript. Period.
• JavaScript Deobfuscator plug-in is pretty decent
• Firebug plug-in is also good
Chrome
• Has built-in deobfuscator and debugger in Developer Tools
• Uses an up-to-date webpage blacklist from Google to warn about malicious pages
Internet Explorer
• Don’t.

Tricks to Speed Things Along
eval and document.write
• Common ways to manipulate pages and run obfuscated code
• Just replace with alert or console.log…
• Wrap in textarea tags if you’re feeling fancy
[https://isc.sans.edu/diary/Climb+a+small+mountain.../1917]
Learn a scripting language or two
• Can quickly scan and replace in a source code file
• cat malicious.html | sed 's/eval/alert/g' > safe.html ; echo "BASH SCRIPTING FTW“
jsbeautifier.org and jsfiddle.net
• Online tools for cleaning up and inspecting JavaScript

Basic Demo

Advanced Obfuscation

Language Idiosyncrasies
Bitwise math
• ~ operator is a bitwise NOT (flip all the bits)
– ~N == -(N + 1)
• Combine with negation [-] and you get an increment or decrement
– -~N == N + 1; ~-N == N – 1
Type confusion
• JavaScript is loosely typed…very loosely typed
– [] == "" but typeof [] != typeof ""
– 1 + "2" + 3 - 3 == 120
• Operators can change the type of objects
– typeof [] == object; typeof ![] == boolean; typeof +[] == number

More String Tricks
Strings as numbers
• toString() method can take a base as an argument
– (17795081).toString(36) == "alert"
Strings as arrays of characters
• Each character in a string has an index just like an array
– var chars = "yzsnpaobcutwedrvxfqkmighjl"
– chars[5] + chars[25] + chars[12] + chars[14] + chars[10] == "alert“
LOLWUT?
• (![]+[])[-~+[]]+(![]+[])[-~-~+[]]+(![]+[])[-~-~-~-~+[]]+(!![]+[])[-~+[]]+(!![]+[])[+[]] == "alert"

More Function Tricks
Implicit function calling
• A function can be called by its declaration
• (function (msg) { alert(msg); })("hello");
Getting reference to window
• Just using window is too straightforward for us!
• Use another object that is equivalent to a window object
– this["alert"]("hello"); frames["alert"]("hello"); self["alert"]("hello"); opener["alert"]("hello");
• Use a function that can return the window object
Create a function as a string (or, even better, an obfuscated string)
• (new Function("alert('hello')"))()

Encoding
An algorithm mangles data and it’s only interpreted correctly by a decoding algorithm
• Encoded chunk looks like garbage, and is
• When run as is, it does nothing at best
Decoder block
• Need a way to tell the script how to decode itself
• Increases size of code and adds to likelihood of being recognized
Polymorphism and self-modification
• Polymorphic code is code that rearranges itself every time it’s run
• Self-modifying code is code that evolves and changes
• Not technically encoding, but this is the only place it fit in my slides…

Encoding
XOR (Exclusive OR) encoding
• A bitwise comparison of two things
• Outputs 1 where they differ and 0 where they are equal
• XOR’ing the output with one of the original things will output the other original thing
– A ^ B == C; C ^ B == A
XOR data with a secret key
• Key must be same length as data (output will also be the same length)
• In the case of JavaScript, key could be based on User-Agent string or something similar
– Would only decode properly when loaded in the intended browser
– Could get around inspection engines
– Decoder block will still be a giveaway

Advanced Deobfuscation

Things to Keep in Mind
Look for techniques that repeat
• Only have to figure it out once
• Did I mention scripting languages?
Malicious people are lazy
• Same code reused on multiple sites
• Google is your friend
Trees first, forest later

Advanced Demo

Conclusions
Infinite ways to write JavaScript
• Automated analysis is hard (impossible?)
• Manual analysis is easy(-ish)
Obfuscated doesn’t always mean malicious
NoScript!
Exercise your deobfuscator muscles

References
http://sla.ckers.org/forum/list.php?24 [sla.ckers.org Obfuscation Discussion forum]
https://isc.sans.edu/diaryarchive.html [Internet Storm Center Diary Archive]
https://twitter.com/HeadlessZeke [I never say anything valuable, but I am responsive]
headlesszeke@hp.com

Thank you

Malicious Intent: Adventures in JavaScript Obfuscation and Deobfuscation

Recommended

Recommended

More Related Content

What's hot

What's hot (6)

Similar to Malicious Intent: Adventures in JavaScript Obfuscation and Deobfuscation

Similar to Malicious Intent: Adventures in JavaScript Obfuscation and Deobfuscation (20)

Recently uploaded

Recently uploaded (20)

Malicious Intent: Adventures in JavaScript Obfuscation and Deobfuscation