Understanding & analyzing obfuscated malicious web scripts by Vikram Kharvi
I am Vikram Kharvi
Student@PESIT Intern@Deloitte-Cyber Risk
You can find me at
All about this session
•Will not cover intent of exploit.
•Will not cover reverse engineering.
•We will be interested in what the malicious script does, not how it does it.
Getting started with analysis of malicious
Common obfuscation techniques used by malicious script authors.
Ways to deobfuscate scripts without wasting much time.
Tools that can be used to deobfuscate
Find this slide @ cysinfo.com
Getting started with analysis of malicious
Use Virtual Machines or Sandbox before visiting
⊗ Always replace eval() with console.log() to understand what
⊗ Focus on try catch method in
⊗ Check for Evercookie for
⊗ Flag iframes.
⊗ Flag CSS where you find visibility:false; or hidden.
⊗ Check for external links.
⊗ Flag DOM in JS
• Visual Noise
• Function name/keyword substitution
• Obscure language features (e.g. JS tuples)
• Multiple levels of obfuscation
• Remove whitespace from script.
• Rename variables and functions with smaller names
• To reformat, use a beautification tool like js-beautify or a website.
Increase difficulty of reading code without changing
•Character substitution (e.g. replace)
Removing Visual Noise
How to deobfuscate
•Manually remove noise.
•Write a script.
•Extract meaningful code.
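The slides' three pieces of advice, replace eval() with a logging call, write a script to strip visual noise, and expect multiple levels of obfuscation, can be combined into one small analysis helper. The following is an added example written for this page, not code from the presentation; it assumes Node.js and works on a constructed two-layer sample (no script from the slides is used). The names foldStrings, captureEval and peelLayers are the example's own.

```javascript
// Added example (not from the original slides): a Node.js helper that reads
// an obfuscated script layer by layer instead of running it as-is.
//
//  - foldStrings(): removes "visual noise" from string building by decoding
//    \xNN / \uNNNN escapes and joining "a" + "b" fragments into one literal.
//  - captureEval(): runs a layer with `eval` shadowed by a recorder (the
//    slide's "replace eval() with console.log()" idea), so the next layer is
//    captured as text rather than executed. `document` is shadowed too, so a
//    DOM call made by the final layer is logged without needing a browser.
//  - peelLayers(): repeats capture + fold until no further eval() layer exists
//    (the "multiple levels of obfuscation" case).

// Constructed sample (not real malware): layer 1 assembles a string from
// fragments and hex escapes and hands it to eval(); layer 2 is the decoded
// text an analyst actually wants to see.
const SAMPLE = `
var _0x1 = [];
for (var i = 0; i < 26; i++) { _0x1.push(String.fromCharCode(97 + i)); }
var p = "d" + "ocu" + "ment.wr" + "ite(\\x27hi\\x27)";
eval(p);
`;

// Decode \xNN and \uNNNN escapes that only hide plain printable ASCII.
// Escapes for a double quote or a backslash are left alone so the
// surrounding literal stays syntactically intact.
function decodeEscapes(src) {
  return src.replace(/\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})/g, (m, x, u) => {
    const code = parseInt(x || u, 16);
    const ch = String.fromCharCode(code);
    if (code < 0x20 || code > 0x7e || ch === '"' || ch === '\\') return m;
    return ch;
  });
}

// Join adjacent double-quoted fragments: "ab" + "cd" -> "abcd". Repeated
// until stable so chains of any length collapse into one literal.
function foldStrings(src) {
  let out = decodeEscapes(src);
  const pair = /"((?:[^"\\]|\\.)*)"\s*\+\s*"((?:[^"\\]|\\.)*)"/g;
  let prev;
  do {
    prev = out;
    out = out.replace(pair, (_, a, b) => `"${a}${b}"`);
  } while (out !== prev);
  return out;
}

// Run one layer with eval() and document shadowed. Returns, in order, what
// the layer tried to eval and what it tried to write into the DOM.
// Only these two names are redirected; anything else the script touches runs
// for real, which is why the slides put this work inside a VM or sandbox.
function captureEval(src) {
  const captured = [];
  const fakeEval = (code) => { captured.push({ kind: 'eval', value: String(code) }); };
  const fakeDocument = {
    write: (html) => { captured.push({ kind: 'document.write', value: String(html) }); },
  };
  // Parameters named eval/document shadow the globals for the whole body
  // (a Function-constructor body is sloppy mode, so a parameter called
  // `eval` is legal, and calling it is an ordinary call, not a direct eval).
  const layer = new Function('eval', 'document', src);
  layer(fakeEval, fakeDocument);
  return captured;
}

// Peel nested layers: each captured eval() argument becomes the next layer.
// `layers` holds the folded, readable view of every layer; the layer that is
// executed is always the captured text, never the folded view, so a folding
// mistake cannot change what runs.
function peelLayers(src, maxDepth = 5) {
  const layers = [];
  let sideEffects = [];
  let current = src;
  for (let depth = 0; depth < maxDepth; depth++) {
    layers.push(foldStrings(current));
    const events = captureEval(current);
    const next = events.filter((e) => e.kind === 'eval').map((e) => e.value);
    sideEffects = events.filter((e) => e.kind !== 'eval').map((e) => `${e.kind}:${e.value}`);
    if (next.length === 0) break;
    current = next.join('\n');
  }
  return { layers, sideEffects };
}

const report = peelLayers(SAMPLE);
report.layers.forEach((l, i) => console.log(`--- layer ${i} ---\n${l.trim()}`));
console.log('side effects:', report.sideEffects);
```

Run it with node: layer 0 is the original with its string fragments folded back into `"document.write('hi')"`, layer 1 is the text eval() was about to execute, and the side-effect list shows what that final layer would have done to the page. For a real script, raise maxDepth as needed and add further shadowed names (for example a fake `window`) as the captured output reveals what the next layer expects to find.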
Prevention and best practices
● Have a robust anti-virus or full security solution installed on your computer.
● Keep the operating system updated with the latest security patches.
● Keep all software on the computer up to date and download updates regularly as they are released, to avoid known vulnerabilities.
● Make it a habit to run regular full system scans to check for problems and remove them.
● Avoid clicking on links from websites of unknown origin or links embedded in the body of emails, especially spam e-mails.
● Check where a link leads by hovering over it; the destination it will redirect to is shown in the status bar.
execution or force download activities.
● Web administrators should keep all web applications upgraded and monitor them to locate any scripts that may have been inserted by third parties.
Evan H Dygert
Monnappa K A
You can find me at: