Understanding & analyzing obfuscated malicious web scripts by Vikram Kharvi
  1. Understanding and analyzing obfuscated malicious web scripts
  2. HELLO! I am Vikram Kharvi. Student @ PESIT, Intern @ Deloitte Cyber Risk. Malware analysis, pen-testing, developer. You can find me at
  3. All about this session
     Note: will not cover the intent of the exploit; will not cover reverse engineering; we are interested in what a malicious script does, not how it does it.
     • Getting started with analysis of malicious scripts.
     • Common obfuscation techniques used by malicious script authors.
     • Ways to deobfuscate scripts without wasting much time.
     • Tools that can be used to deobfuscate scripts.
     Find this slide @
  4. Getting started with analysis of malicious web scripts
  5. (Screenshot slide; only template placeholder text survived.)
  6. Use virtual machines or a sandbox before visiting a malicious site.
  7. • Always replace eval() with console.log() to understand what is being executed by JavaScript.
     • Focus on the try/catch construct in JavaScript.
     • Check for Evercookie for persistent data.
  8. • Flag iframes.
     • Flag CSS where you find visibility:false; or hidden.
     • Check for external links.
     • Flag DOM manipulation in JS.
  9. Obfuscation Techniques
     • Minification
     • Visual noise
     • Function name/keyword substitution
     • Obscure language features (e.g. JS tuples)
     • Encoding/encryption
     • Multiple levels of obfuscation
     • JavaScript obfuscation web sites
  10. Minification
      • Remove whitespace from the script.
      • Rename variables and functions with shorter names.
      • To reformat, use a beautification tool such as js-beautify or a website.
  11. Visual Noise: increase the difficulty of reading the code without changing its functionality.
      • Spurious comments
      • Dead code
      • Long names
      • String splitting
      • Character substitution (e.g. replace)
  12. Removing Visual Noise: how to deobfuscate
      • Manually remove noise.
      • Write a script.
      • Extract meaningful code.
  13. Character Encoding. Encodings:
      • Hex (just hex characters)
      • Backslash Hex (\x<n>)
      • Ampersand Hex (&H<n>)
      • Backslash Unicode (\u<n>)
      • Percent Unicode (%u<n>)
      • Octal (\<n>)
  14. Deobfuscating Character Encoding
      • Normalize encoded chars to readable characters.
      • Didier Stevens' tools (, , etc.)
      • Custom script
  15. Deobfuscation Principles
      • Make the script do the work.
      • Don't sweat the details.
      • Beautify the script.
      • Look for anything recognizable.
      • Peel back the layers.
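As an added example (not part of the slides), the "custom script" from slide 14 written in Python: it normalizes every encoding listed on slide 13 and re-runs until nothing changes, which is slide 15's "peel back the layers" against multi-level obfuscation. The sample inputs are constructed for the demo.

```python
import re

# Constructed sample: "document.write(" encoded in each of the forms listed on
# slide 13. These are made-up inputs for the demo, not captured malware.
SAMPLES = {
    "hex":     "646f63756d656e742e777269746528",
    "bs_hex":  r"\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\x77\x72\x69\x74\x65\x28",
    "amp_hex": "&H64&H6f&H63&H75&H6d&H65&H6e&H74&H2e&H77&H72&H69&H74&H65&H28",
    "bs_uni":  r"\u0064\u006f\u0063\u0075\u006d\u0065\u006e\u0074\u002e"
               r"\u0077\u0072\u0069\u0074\u0065\u0028",
    "pct_uni": "%u0064%u006f%u0063%u0075%u006d%u0065%u006e%u0074%u002e"
               "%u0077%u0072%u0069%u0074%u0065%u0028",
    "octal":   r"\144\157\143\165\155\145\156\164\056\167\162\151\164\145\050",
}

def _hex_char(m):
    return chr(int(m.group(1), 16))

def _bare_hex_run(m):
    # Only decode a long, even-length hex run when every byte is printable
    # ASCII; otherwise it is probably a hash or binary data, so leave it alone.
    raw = bytes.fromhex(m.group(1))
    return raw.decode("ascii") if all(32 <= b < 127 for b in raw) else m.group(0)

# Most specific pattern first, so %u0041 is never half-consumed as "%u" + "0041".
RULES = [
    (re.compile(r"%u([0-9a-fA-F]{4})"), _hex_char),          # Percent Unicode %u<n>
    (re.compile(r"\\u([0-9a-fA-F]{4})"), _hex_char),         # Backslash Unicode \u<n>
    (re.compile(r"\\x([0-9a-fA-F]{2})"), _hex_char),         # Backslash Hex \x<n>
    (re.compile(r"&H([0-9a-fA-F]{2})"), _hex_char),          # Ampersand Hex &H<n>
    (re.compile(r"\\([0-7]{3})"), lambda m: chr(int(m.group(1), 8))),  # Octal \<n>
    (re.compile(r"(?<![0-9a-fA-F])((?:[0-9a-fA-F]{2}){8,})(?![0-9a-fA-F])"),
     _bare_hex_run),                                         # bare hex, 8+ bytes
]

def normalize(s):
    """One pass: rewrite every encoded character into its readable form."""
    for pattern, repl in RULES:
        s = pattern.sub(repl, s)
    return s

def peel(s, max_rounds=10):
    """Repeat normalize() until a fixpoint; bounded so a self-re-encoding script cannot loop."""
    for _ in range(max_rounds):
        out = normalize(s)
        if out == s:
            return out
        s = out
    return s
```

Calling `peel(sample)` on each entry of `SAMPLES` yields `document.write(`; a nested layer such as `\x5cx41` (a backslash-hex that decodes to another backslash-hex) needs the second round and comes out as `A`.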
  16. Tools
      • Analyse MS Office files.
      • Analyze PDF files.
      • Extract base64- and hex-encoded strings.
      • js-file / js-ascii (modified SpiderMonkey): run JavaScript outside the browser.
  17. More Tools
      • Strip_xml
      • Combine_strings
      • Decode mixed encodings.
      • js-beautify
      • Linux tools (grep, sed, awk, cut, etc.)
  18. Demo
  19. Prevention and best practices
      ● Have a robust anti-virus or full security solution installed on your computers.
      ● Make sure the operating system is updated with the latest security patches.
      ● Keep all software on the computer up to date and download updates regularly as they are released, to avoid known vulnerabilities.
      ● Make it a habit to run regular full system scans to check for problems and remove them.
      ● Avoid clicking on links from websites of unknown origin or links embedded in the body of e-mails, especially spam e-mails.
      ● Check where a link redirects by hovering over it; the status bar shows the destination.
      ● Install security plugins in the web browser, such as automatic blocking of JavaScript execution or of forced download activity.
      ● Web administrators: keep all web applications upgraded and monitor them to locate any scripts that may have been inserted by third parties.
  20. CREDITS: Evan H Dygert, Didier Stevens, Monnappa K A. Thanks
  21. THANKS! Any questions? You can find me at: