Submit Search
Upload
Malicious Intent: Adventures in JavaScript Obfuscation and Deobfuscation
•
Download as PPTX, PDF
•
1 like
•
325 views
H
HeadlessZeke
Follow
Malicious Intent: Adventures in JavaScript Obfuscation and Deobfuscation
Read less
Read more
Technology
Report
Share
Report
Share
1 of 31
Download now
Recommended
Message passing
Message passing
Damien Krotkine
How I Learned to Stop Worrying and Love Legacy Code - Ox:Agile 2018
How I Learned to Stop Worrying and Love Legacy Code - Ox:Agile 2018
Mike Harris
Good practices for PrestaShop code security and optimization
Good practices for PrestaShop code security and optimization
PrestaShop
Top ten-list
Top ten-list
Brian DeShong
Drupal 8: A story of growing up and getting off the island
Drupal 8: A story of growing up and getting off the island
Angela Byron
Getting Buzzed on Buzzwords: Using Cloud & Big Data to Pentest at Scale
Getting Buzzed on Buzzwords: Using Cloud & Big Data to Pentest at Scale
Bishop Fox
Full-Text Search Explained - Philipp Krenn - Codemotion Rome 2017
Full-Text Search Explained - Philipp Krenn - Codemotion Rome 2017
Codemotion
Create responsive websites with Django, REST and AngularJS
Create responsive websites with Django, REST and AngularJS
Hannes Hapke
Recommended
Message passing
Message passing
Damien Krotkine
How I Learned to Stop Worrying and Love Legacy Code - Ox:Agile 2018
How I Learned to Stop Worrying and Love Legacy Code - Ox:Agile 2018
Mike Harris
Good practices for PrestaShop code security and optimization
Good practices for PrestaShop code security and optimization
PrestaShop
Top ten-list
Top ten-list
Brian DeShong
Drupal 8: A story of growing up and getting off the island
Drupal 8: A story of growing up and getting off the island
Angela Byron
Getting Buzzed on Buzzwords: Using Cloud & Big Data to Pentest at Scale
Getting Buzzed on Buzzwords: Using Cloud & Big Data to Pentest at Scale
Bishop Fox
Full-Text Search Explained - Philipp Krenn - Codemotion Rome 2017
Full-Text Search Explained - Philipp Krenn - Codemotion Rome 2017
Codemotion
Create responsive websites with Django, REST and AngularJS
Create responsive websites with Django, REST and AngularJS
Hannes Hapke
Profiling php applications
Profiling php applications
Justin Carmony
Best Practices for Front-End Django Developers
Best Practices for Front-End Django Developers
Christine Cheung
Bollean Search - NageshRao
Bollean Search - NageshRao
Nagesh Rao is Hiring Testing People at AUS
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Michael Pirnat
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
Area41
Blazing Data With Redis (and LEGOS!)
Blazing Data With Redis (and LEGOS!)
Justin Carmony
Lecture7
Lecture7
Majid Taghiloo
Intro to JavaScript
Intro to JavaScript
Dan Phiffer
JavaScript : A trending scripting language
JavaScript : A trending scripting language
AbhayDhupar
Javascript done right - Open Web Camp III
Javascript done right - Open Web Camp III
Dirk Ginader
Leveling Up at JavaScript
Leveling Up at JavaScript
Raymond Camden
13 practical tips for writing secure golang applications
13 practical tips for writing secure golang applications
Karthik Gaekwad
Philip Stehlik at TechTalks.ph - Intro to Groovy and Grails
Philip Stehlik at TechTalks.ph - Intro to Groovy and Grails
Philip Stehlik
Secure pl-sql-coding
Secure pl-sql-coding
Trần Bình Hậu
Coding for production
Coding for production
jehiah
Hunting Botnets with Zmap
Hunting Botnets with Zmap
HeadlessZeke
Quo vadis, JavaScript? Devday.pl keynote
Quo vadis, JavaScript? Devday.pl keynote
Christian Heilmann
Exploitation and State Machines
Exploitation and State Machines
Michael Scovetta
Going to Mars with Groovy Domain-Specific Languages
Going to Mars with Groovy Domain-Specific Languages
Guillaume Laforge
Buildingsocialanalyticstoolwithmongodb
Buildingsocialanalyticstoolwithmongodb
MongoDB APAC
Rest api design by george reese
Rest api design by george reese
buildacloud
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
Brian Huff
More Related Content
What's hot
Profiling php applications
Profiling php applications
Justin Carmony
Best Practices for Front-End Django Developers
Best Practices for Front-End Django Developers
Christine Cheung
Bollean Search - NageshRao
Bollean Search - NageshRao
Nagesh Rao is Hiring Testing People at AUS
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Michael Pirnat
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
Area41
Blazing Data With Redis (and LEGOS!)
Blazing Data With Redis (and LEGOS!)
Justin Carmony
What's hot
(6)
Profiling php applications
Profiling php applications
Best Practices for Front-End Django Developers
Best Practices for Front-End Django Developers
Bollean Search - NageshRao
Bollean Search - NageshRao
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
Blazing Data With Redis (and LEGOS!)
Blazing Data With Redis (and LEGOS!)
Similar to Malicious Intent: Adventures in JavaScript Obfuscation and Deobfuscation
Lecture7
Lecture7
Majid Taghiloo
Intro to JavaScript
Intro to JavaScript
Dan Phiffer
JavaScript : A trending scripting language
JavaScript : A trending scripting language
AbhayDhupar
Javascript done right - Open Web Camp III
Javascript done right - Open Web Camp III
Dirk Ginader
Leveling Up at JavaScript
Leveling Up at JavaScript
Raymond Camden
13 practical tips for writing secure golang applications
13 practical tips for writing secure golang applications
Karthik Gaekwad
Philip Stehlik at TechTalks.ph - Intro to Groovy and Grails
Philip Stehlik at TechTalks.ph - Intro to Groovy and Grails
Philip Stehlik
Secure pl-sql-coding
Secure pl-sql-coding
Trần Bình Hậu
Coding for production
Coding for production
jehiah
Hunting Botnets with Zmap
Hunting Botnets with Zmap
HeadlessZeke
Quo vadis, JavaScript? Devday.pl keynote
Quo vadis, JavaScript? Devday.pl keynote
Christian Heilmann
Exploitation and State Machines
Exploitation and State Machines
Michael Scovetta
Going to Mars with Groovy Domain-Specific Languages
Going to Mars with Groovy Domain-Specific Languages
Guillaume Laforge
Buildingsocialanalyticstoolwithmongodb
Buildingsocialanalyticstoolwithmongodb
MongoDB APAC
Rest api design by george reese
Rest api design by george reese
buildacloud
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
Brian Huff
Security Code Review 101
Security Code Review 101
Paul Ionescu
Java script
Java script
Abhishek Kesharwani
Searching Chinese Patents Presentation at Enterprise Data World
Searching Chinese Patents Presentation at Enterprise Data World
OpenSource Connections
JavaScripts & jQuery
JavaScripts & jQuery
Asanka Indrajith
Similar to Malicious Intent: Adventures in JavaScript Obfuscation and Deobfuscation
(20)
Lecture7
Lecture7
Intro to JavaScript
Intro to JavaScript
JavaScript : A trending scripting language
JavaScript : A trending scripting language
Javascript done right - Open Web Camp III
Javascript done right - Open Web Camp III
Leveling Up at JavaScript
Leveling Up at JavaScript
13 practical tips for writing secure golang applications
13 practical tips for writing secure golang applications
Philip Stehlik at TechTalks.ph - Intro to Groovy and Grails
Philip Stehlik at TechTalks.ph - Intro to Groovy and Grails
Secure pl-sql-coding
Secure pl-sql-coding
Coding for production
Coding for production
Hunting Botnets with Zmap
Hunting Botnets with Zmap
Quo vadis, JavaScript? Devday.pl keynote
Quo vadis, JavaScript? Devday.pl keynote
Exploitation and State Machines
Exploitation and State Machines
Going to Mars with Groovy Domain-Specific Languages
Going to Mars with Groovy Domain-Specific Languages
Buildingsocialanalyticstoolwithmongodb
Buildingsocialanalyticstoolwithmongodb
Rest api design by george reese
Rest api design by george reese
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
Security Code Review 101
Security Code Review 101
Java script
Java script
Searching Chinese Patents Presentation at Enterprise Data World
Searching Chinese Patents Presentation at Enterprise Data World
JavaScripts & jQuery
JavaScripts & jQuery
Recently uploaded
How to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
naman860154
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
HampshireHUG
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
naman860154
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
debabhi2
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Neo4j
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
V3cube
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
The Digital Insurer
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
Delhi Call girls
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
Sinan KOZAK
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
Puma Security, LLC
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
Results
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
gurkirankumar98700
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
Pooja Nehwal
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
wesley chun
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
Anna Loughnan Colquhoun
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
Malak Abu Hammad
Recently uploaded
(20)
How to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
Malicious Intent: Adventures in JavaScript Obfuscation and Deobfuscation
1.
© Copyright 2013
Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Malicious Intent Adventures in JavaScript Obfuscation and Deobfuscation Ricky Lawshae / October, 2013
2.
© Copyright 2013
Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Boring Introductory Things
3.
© Copyright 2013
Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.3 Who am I? Security Researcher and Content Developer for TippingPoint • Write IPS signatures for the known bads by day • Mess with things to try and uncover the unknown bads by night Regular Contributor at the Austin Hackers Association monthly meetups • http://takeonme.org • #aha on irc.freenode.org Amateur lock-picker Texas State University Alumnus (go Bobcats!)
4.
© Copyright 2013
Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.4 What is (de)obfuscation? Obfuscation • Basically, making your code unreadable to humans or undetectable to scanners • Look at code obfuscation contests for fun examples – International Obfuscated C Code Contest http://www.ioccc.org/years.html – Obfuscated Perl Contest http://en.wikipedia.org/wiki/Obfuscated_Perl_Contest Deobfuscation • Taking obfuscated code, analyzing it, and making it readable again • Uncover the true functionality of the code
5.
© Copyright 2013
Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.5 Why JavaScript? Popularity • Redmonk Analytics consistently ranked JavaScript as the 1st or 2nd most popular programming language over the past two years [http://redmonk.com/sogrady/2013/07/25/language-rankings-6-13/] • TIOBE Index ranks it at 9th most popular, up from 11th in 2012 and 32nd in 1998 [http://www.tiobe.com/index.php/content/paperinfo/tpci/index.html] Flexibility • Entirely platform-independent and interpreted • New webapp frameworks gaining momentum – Node.js – Meteor – Coffeescript
6.
© Copyright 2013
Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.6 When is obfuscation needed? The Light • Protect your code from copy-paste bandits • Security through obscurity (NO!) • Make code smaller The Dark • Hide true intentions • Avoid automated detection • Buy time
7.
© Copyright 2013
Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.7 How can you tell the difference?
8.
© Copyright 2013
Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Basic Obfuscation
9.
© Copyright 2013
Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.9 String Manipulation Concatenation • Take multiple separate strings and join them together • "He" + "l" + "l" + "o, w" + "o" + "rld!" == “Hello, world!” unescape() • Takes a “percent encoded” string of character bytes and converts each byte to its ASCII equivalent • unescape("%48%65%6c%6c%6f%2c%20%77%6f%72%6c%64%21") == “Hello, world!” String.fromCharCode() • Same idea as unescape, but use a list of numbers instead of a percent encoded string • String.fromCharCode(0x48,0x65,0x6c,0x6c,0x6f,0x2c,0x20,0x77,0x6f,0x72,0x6c,0x64,0x21) • Can be any format that JavaScript recognizes as a number (decimal, octal, hexadecimal, etc)
10.
© Copyright 2013
Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.10 Number Manipulation Base Conversion • Mixing decimal, hexadecimal, and octal together add confusion • 10 == 0x0a == 012 Math • Simple arithmetic operations add complexity and analysis time • 10 / 2 + 5 – 9 == 1 Functions that return numbers • Using the return value of a function or property can also buy some time • " ".length == 5
11.
© Copyright 2013
Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.11 Whitespace Adding extraneous spaces and lines • Can hide things from people who aren’t looking too closely • JavaScript pretty much ignores all whitespace and comments – alert /* blah blah blah */ ("Hello, world!"); Removing all whitespace • Make your code one long line! • Almost impossible to read through • A great way to make your code smaller for faster load times
12.
© Copyright 2013
Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.12 Functions and Variables Naming • Calling something “a” or “aflkFGsaf” is a lot less forthright than “counter” – Single letter function and variable names also make code smaller – You can also use special characters as names: var ___; • Misleading names can confuse users – function countToTen() { return "bacon"; } Hiding calls • Store function names in variables – var blah = alert; blah("Hello, world!"); • Access functions as a member of the parent (more on this later) – window["alert"]("Hello, world!");
13.
© Copyright 2013
Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.13 Misdirection and Cruft if/else statements • Set up to always evaluate the same way • One branch contains code that will intentionally never be run • The other contains the code that is actually used try/catch statements • Deliberately trigger an exception before code that again never gets run • Interrupt execution flow and jump to “catch” statement • “Catch” contains code that actually gets run Unused variables • Pointless variables that have no impact on functionality
14.
© Copyright 2013
Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Basic Deobfuscation
15.
© Copyright 2013
Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.15 Retrieve the Code; Don’t Run the Code wget • Unix tool that fetches webpages as-is • Doesn’t have a JavaScript engine • Has many other useful options for safe browsing – --max-redirect – --no-cookies – --user-agent Disable JavaScript or use a NoScript-style browser plug-in • May break some functionality, but most plug-ins allow whitelisting • Once you figure out what the page is doing, you can turn it back on • Annoying at first, but worth it in the long run
16.
© Copyright 2013
Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.16 Browsers and Plug-ins Firefox • NoScript. Period. • JavaScript Deobfuscator plug-in is pretty decent • Firebug plug-in is also good Chrome • Has built-in deobfuscator and debugger in Developer Tools • Uses an up-to-date webpage blacklist from Google to warn about malicious pages Internet Explorer • Don’t.
17.
© Copyright 2013
Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.17 Tricks to Speed Things Along eval and document.write • Common ways to manipulate pages and run obfuscated code • Just replace with alert or console.log… • Wrap in textarea tags if you’re feeling fancy [https://isc.sans.edu/diary/Climb+a+small+mountain.../1917] Learn a scripting language or two • Can quickly scan and replace in a source code file • cat malicious.html | sed 's/eval/alert/g' > safe.html ; echo "BASH SCRIPTING FTW“ jsbeautifier.org and jsfiddle.net • Online tools for cleaning up and inspecting JavaScript
18.
© Copyright 2013
Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Basic Demo
19.
© Copyright 2013
Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Advanced Obfuscation
20.
© Copyright 2013
Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.20 Language Idiosyncrasies Bitwise math • ~ operator is a bitwise NOT (flip all the bits) – ~N == -(N + 1) • Combine with negation [-] and you get an increment or decrement – -~N == N + 1; ~-N == N – 1 Type confusion • JavaScript is loosely typed…very loosely typed – [] == "" but typeof [] != typeof "" – 1 + "2" + 3 - 3 == 120 • Operators can change the type of objects – typeof [] == object; typeof ![] == boolean; typeof +[] == number
21.
© Copyright 2013
Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.21 More String Tricks Strings as numbers • toString() method can take a base as an argument – (17795081).toString(36) == "alert" Strings as arrays of characters • Each character in a string has an index just like an array – var chars = "yzsnpaobcutwedrvxfqkmighjl" – chars[5] + chars[25] + chars[12] + chars[14] + chars[10] == "alert“ LOLWUT? • (![]+[])[-~+[]]+(![]+[])[-~-~+[]]+(![]+[])[-~-~-~-~+[]]+(!![]+[])[-~+[]]+(!![]+[])[+[]] == "alert"
22.
© Copyright 2013
Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.22 More String Tricks Strings as numbers • toString() method can take a base as an argument – (17795081).toString(36) == "alert" Strings as arrays of characters • Each character in a string has an index just like an array – var chars = "yzsnpaobcutwedrvxfqkmighjl" – chars[5] + chars[25] + chars[12] + chars[14] + chars[10] == "alert“ LOLWUT? • (![]+[])[-~+[]]+(![]+[])[-~-~+[]]+(![]+[])[-~-~-~-~+[]]+(!![]+[])[-~+[]]+(!![]+[])[+[]] == "alert"
23.
© Copyright 2013
Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.23 More Function Tricks Implicit function calling • A function can be called by its declaration • (function (msg) { alert(msg); })("hello"); Getting reference to window • Just using window is too straightforward for us! • Use another object that is equivalent to a window object – this["alert"]("hello"); frames["alert"]("hello"); self["alert"]("hello"); opener["alert"]("hello"); • Use a function that can return the window object Create a function as a string (or, even better, an obfuscated string) • (new Function("alert('hello')"))()
24.
© Copyright 2013
Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.24 Encoding An algorithm mangles data and it’s only interpreted correctly by a decoding algorithm • Encoded chunk looks like garbage, and is • When run as is, it does nothing at best Decoder block • Need a way to tell the script how to decode itself • Increases size of code and adds to likelihood of being recognized Polymorphism and self-modification • Polymorphic code is code that rearranges itself every time it’s run • Self-modifying code is code that evolves and changes • Not technically encoding, but this is the only place it fit in my slides…
25.
© Copyright 2013
Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.25 Encoding XOR (Exclusive OR) encoding • A bitwise comparison of two things • Outputs 1 where they differ and 0 where they are equal • XOR’ing the output with one of the original things will output the other original thing – A ^ B == C; C ^ B == A XOR data with a secret key • Key must be same length as data (output will also be the same length) • In the case of JavaScript, key could be based on User-Agent string or something similar – Would only decode properly when loaded in the intended browser – Could get around inspection engines – Decoder block will still be a giveaway
26.
© Copyright 2013
Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Advanced Deobfuscation
27.
© Copyright 2013
Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.27 Things to Keep in Mind Look for techniques that repeat • Only have to figure it out once • Did I mention scripting languages? Malicious people are lazy • Same code reused on multiple sites • Google is your friend Trees first, forest later
28.
© Copyright 2013
Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Advanced Demo
29.
© Copyright 2013
Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.29 Conclusions Infinite ways to write JavaScript • Automated analysis is hard (impossible?) • Manual analysis is easy(-ish) Obfuscated doesn’t always mean malicious NoScript! Exercise your deobfuscator muscles
30.
© Copyright 2013
Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.30 References http://sla.ckers.org/forum/list.php?24 [sla.ckers.org Obfuscation Discussion forum] https://isc.sans.edu/diaryarchive.html [Internet Storm Center Diary Archive] https://twitter.com/HeadlessZeke [I never say anything valuable, but I am responsive] headlesszeke@hp.com
31.
© Copyright 2013
Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Thank you
Download now