Malicious Intent: Adventures in JavaScript Obfuscation and Deobfuscation
HeadlessZeke
1. Malicious Intent: Adventures in JavaScript Obfuscation and Deobfuscation
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Ricky Lawshae / October, 2013
2. Boring Introductory Things
3. Who am I?
Security Researcher and Content Developer for TippingPoint
• Write IPS signatures for the known bads by day
• Mess with things to try and uncover the unknown bads by night
Regular Contributor at the Austin Hackers Association monthly meetups
• http://takeonme.org
• #aha on irc.freenode.org
Amateur lock-picker
Texas State University Alumnus (go Bobcats!)
4. What is (de)obfuscation?
Obfuscation
• Basically, making your code unreadable to humans or undetectable to scanners
• Look at code obfuscation contests for fun examples
– International Obfuscated C Code Contest http://www.ioccc.org/years.html
– Obfuscated Perl Contest http://en.wikipedia.org/wiki/Obfuscated_Perl_Contest
Deobfuscation
• Taking obfuscated code, analyzing it, and making it readable again
• Uncover the true functionality of the code
5. Why JavaScript?
Popularity
• Redmonk Analytics consistently ranked JavaScript as the 1st or 2nd most popular programming language over the past two years [http://redmonk.com/sogrady/2013/07/25/language-rankings-6-13/]
• TIOBE Index ranks it at 9th most popular, up from 11th in 2012 and 32nd in 1998 [http://www.tiobe.com/index.php/content/paperinfo/tpci/index.html]
Flexibility
• Entirely platform-independent and interpreted
• New webapp frameworks gaining momentum
– Node.js
– Meteor
– Coffeescript
6. When is obfuscation needed?
The Light
• Protect your code from copy-paste bandits
• Security through obscurity (NO!)
• Make code smaller
The Dark
• Hide true intentions
• Avoid automated detection
• Buy time
7. How can you tell the difference?
8. Basic Obfuscation
9. String Manipulation
Concatenation
• Take multiple separate strings and join them together
• "He" + "l" + "l" + "o, w" + "o" + "rld!" == "Hello, world!"
unescape()
• Takes a "percent encoded" string of character bytes and converts each byte to its ASCII equivalent
• unescape("%48%65%6c%6c%6f%2c%20%77%6f%72%6c%64%21") == "Hello, world!"
String.fromCharCode()
• Same idea as unescape, but takes a list of numbers instead of a percent encoded string
• String.fromCharCode(0x48,0x65,0x6c,0x6c,0x6f,0x2c,0x20,0x77,0x6f,0x72,0x6c,0x64,0x21)
• The numbers can be in any format that JavaScript recognizes as a number (decimal, octal, hexadecimal, etc.)
10. Number Manipulation
Base Conversion
• Mixing decimal, hexadecimal, and octal together adds confusion
• 10 == 0x0a == 012
Math
• Simple arithmetic operations add complexity and analysis time
• 10 / 2 + 5 - 9 == 1
Functions that return numbers
• Using the return value of a function or property can also buy some time
• "     ".length == 5
11. Whitespace
Adding extraneous spaces and lines
• Can hide things from people who aren't looking too closely
• JavaScript pretty much ignores all whitespace and comments
– alert /* blah blah blah */ ("Hello, world!");
Removing all whitespace
• Make your code one long line!
• Almost impossible to read through
• A great way to make your code smaller for faster load times
12. Functions and Variables
Naming
• Calling something "a" or "aflkFGsaf" is a lot less forthright than "counter"
– Single letter function and variable names also make code smaller
– You can also use special characters as names: var ___;
• Misleading names can confuse users
– function countToTen() { return "bacon"; }
Hiding calls
• Store a reference to the function in a variable and call it through that
– var blah = alert; blah("Hello, world!");
• Access functions as a member of the parent object (more on this later)
– window["alert"]("Hello, world!");
13. Misdirection and Cruft
if/else statements
• Set up to always evaluate the same way
• One branch contains code that will intentionally never be run
• The other contains the code that is actually used
try/catch statements
• Deliberately trigger an exception before code that again never gets run
• Interrupt execution flow and jump to the "catch" statement
• "Catch" contains the code that actually gets run
Unused variables
• Pointless variables that have no impact on functionality
14. Basic Deobfuscation
15. Retrieve the Code; Don't Run the Code
wget
• Unix tool that fetches webpages as-is
• Doesn't have a JavaScript engine
• Has many other useful options for safe browsing
– --max-redirect
– --no-cookies
– --user-agent
Disable JavaScript or use a NoScript-style browser plug-in
• May break some functionality, but most plug-ins allow whitelisting
• Once you figure out what the page is doing, you can turn it back on
• Annoying at first, but worth it in the long run
16. Browsers and Plug-ins
Firefox
• NoScript. Period.
• JavaScript Deobfuscator plug-in is pretty decent
• Firebug plug-in is also good
Chrome
• Has built-in deobfuscator and debugger in Developer Tools
• Uses an up-to-date webpage blacklist from Google to warn about malicious pages
Internet Explorer
• Don't.
17. Tricks to Speed Things Along
eval and document.write
• Common ways to manipulate pages and run obfuscated code
• Just replace with alert or console.log…
• Wrap in textarea tags if you're feeling fancy [https://isc.sans.edu/diary/Climb+a+small+mountain.../1917]
Learn a scripting language or two
• Can quickly scan and replace in a source code file
• cat malicious.html | sed 's/eval/alert/g' > safe.html ; echo "BASH SCRIPTING FTW"
jsbeautifier.org and jsfiddle.net
• Online tools for cleaning up and inspecting JavaScript
18. Basic Demo
19. Advanced Obfuscation
20. Language Idiosyncrasies
Bitwise math
• ~ operator is a bitwise NOT (flip all the bits)
– ~N == -(N + 1)
• Combine with negation [-] and you get an increment or decrement
– -~N == N + 1; ~-N == N - 1
Type confusion
• JavaScript is loosely typed…very loosely typed
– [] == "" but typeof [] != typeof ""
– 1 + "2" + 3 - 3 == 120
• Operators can change the type of objects
– typeof [] == "object"; typeof ![] == "boolean"; typeof +[] == "number"
21. More String Tricks
Strings as numbers
• toString() method can take a base as an argument
– (17795081).toString(36) == "alert"
Strings as arrays of characters
• Each character in a string has an index just like an array
– var chars = "yzsnpaobcutwedrvxfqkmighjl"
– chars[5] + chars[25] + chars[12] + chars[14] + chars[10] == "alert"
LOLWUT?
• (![]+[])[-~+[]]+(![]+[])[-~-~+[]]+(![]+[])[-~-~-~-~+[]]+(!![]+[])[-~+[]]+(!![]+[])[+[]] == "alert"
23. More Function Tricks
Implicit function calling
• A function can be called by its declaration
• (function (msg) { alert(msg); })("hello");
Getting reference to window
• Just using window is too straightforward for us!
• Use another object that is equivalent to a window object
– this["alert"]("hello"); frames["alert"]("hello"); self["alert"]("hello"); opener["alert"]("hello");
• Use a function that can return the window object
Create a function as a string (or, even better, an obfuscated string)
• (new Function("alert('hello')"))()
24. Encoding
An algorithm mangles data and it's only interpreted correctly by a decoding algorithm
• Encoded chunk looks like garbage, and is
• When run as is, it does nothing at best
Decoder block
• Need a way to tell the script how to decode itself
• Increases size of code and adds to likelihood of being recognized
Polymorphism and self-modification
• Polymorphic code is code that rearranges itself every time it's run
• Self-modifying code is code that evolves and changes
• Not technically encoding, but this is the only place it fit in my slides…
25. Encoding
XOR (Exclusive OR) encoding
• A bitwise comparison of two things
• Outputs 1 where they differ and 0 where they are equal
• XOR'ing the output with one of the original things will output the other original thing
– A ^ B == C; C ^ B == A
XOR data with a secret key
• Key must be same length as data (output will also be the same length)
• In the case of JavaScript, key could be based on User-Agent string or something similar
– Would only decode properly when loaded in the intended browser
– Could get around inspection engines
– Decoder block will still be a giveaway
26. Advanced Deobfuscation
27. Things to Keep in Mind
Look for techniques that repeat
• Only have to figure it out once
• Did I mention scripting languages?
Malicious people are lazy
• Same code reused on multiple sites
• Google is your friend
Trees first, forest later
28. Advanced Demo
29. Conclusions
Infinite ways to write JavaScript
• Automated analysis is hard (impossible?)
• Manual analysis is easy(-ish)
Obfuscated doesn't always mean malicious
NoScript!
Exercise your deobfuscator muscles
30. References
http://sla.ckers.org/forum/list.php?24 [sla.ckers.org Obfuscation Discussion forum]
https://isc.sans.edu/diaryarchive.html [Internet Storm Center Diary Archive]
https://twitter.com/HeadlessZeke [I never say anything valuable, but I am responsive]
headlesszeke@hp.com
31. Thank you