Spiffy: Automated JavaScript Deobfuscation
Stephan Chenette, Principal Security Researcher
Alex Rice, Sr. Security Researcher
Malcode analysis
- Current malcode research is focused on binary analysis.
- Multiple tools assist researchers in analysis:
  - IDA
  - OllyDbg
- Fact: more delivery of malware is moving to the web.
- A new set of skills and tools is required.
What you know… What you need to know…
- Malicious binary analysis
  - Languages: Assembly, C, C++, VB, Delphi, etc.
  - Concepts: PE file format, Win32 function usage, unpacking, anti-disassembling tricks, etc.
  - Tools: IDA, OllyDbg, PEiD, ImpREC
- Malicious web content analysis
  - Languages: (D)HTML, VBScript, JavaScript, Perl/Python/Ruby
  - Concepts: HTTP protocol, XMLHttpRequest, Document Object Model (DOM), browser security models, JSON
  - Tools: ???
Those Who Forget History Are Doomed to Repeat It
- Malcode authors will protect malicious web content the same way they protected malicious binaries:
  - Signature evasion
  - Anti-analysis techniques
  - Pain in the #*&#$! for all researchers!!
Unpacking and anti-debugging
- Packing/Protecting/Anti-reversing
- Compression, Encryption, CRC protection
- Anti-debugging
- Virtualization detection
- Anti-emulation
- XOR stubs
Obfuscation Evolution
- String splitting:
  "AD" + "ODB.S" + "treAM"
- String encoding/escaping:
  "%41u0044" + "Ox44%42u002ES" + "t%72eAM"
- Closing HTML tags (e.g. </TEXTAREA>)
- Code-length-dependent obfuscation:
  arguments.callee.toString()
- Server-side [poly|meta]-morphic obfuscation
Malicious JavaScript
What we actually see…
Our Approach
- Emulation: a browser without a browser…
  - HTML parser
  - DOM implementation
  - Scripting engine(s)/interpreter(s)
- Allow the page to decode itself
- Don't render content, just log everything!
HTML Parser
- The first step in emulating a browser: HTML.
- Retrieve all the content needed by the page: external SCRIPTs, IFRAMEs, etc.
- Side effect: basic HTML obfuscation is defeated:
  <iframe src="&#104;&#116;&#116;&#112;&#58;&#47;&#47;%77%77%77%2E%74….
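As an added example (not the deck's code and not Spiffy's), here is the attribute-normalisation step such a parser needs: decode HTML character references, then percent-encoding, and pull the external script/iframe sources out of the markup in the form the browser would actually fetch them. The `.invalid` hostnames in the sample HTML are constructed; the iframe value itself is the one from the slide.

```javascript
"use strict";

// Layer 1: HTML character references (&#104; decimal, &#x68; hex, a few named).
// Layer 2: percent-encoding (%77 -> "w"), which the URL parser decodes.
const NAMED_REFS = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'", nbsp: "\u00a0" };

// Out-of-range code points are left as written instead of becoming U+FFFD,
// so the analyst still sees what the obfuscator emitted.
function fromCodePoint(cp, original) {
  return cp <= 0x10ffff ? String.fromCodePoint(cp) : original;
}

// The trailing ';' is optional: browsers accept its omission, and so do obfuscators.
function decodeHtmlEntities(s) {
  return s.replace(/&(?:#x([0-9a-f]+)|#([0-9]+)|([a-z]+));?/gi, (m, hex, dec, name) => {
    if (hex !== undefined) return fromCodePoint(parseInt(hex, 16), m);
    if (dec !== undefined) return fromCodePoint(parseInt(dec, 10), m);
    const v = NAMED_REFS[name.toLowerCase()];
    return v === undefined ? m : v; // unknown name: leave untouched
  });
}

// Byte-at-a-time %XX decoding: enough for hostnames and ASCII paths
// (multi-byte UTF-8 sequences are not recombined here).
function decodePercent(s) {
  return s.replace(/%([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Browsers strip tab/CR/LF inside a URL and trim the ends before resolving it.
function normalizeAttributeValue(raw) {
  const stripped = raw.replace(/[\t\r\n]/g, "").trim();
  return decodePercent(decodeHtmlEntities(stripped));
}

// Every external resource the page asks for ("retrieve all the content needed
// by the page"). Regex-based on purpose: this is the scanning layer, not a
// full HTML5 tokenizer.
const SRC_TAG_RE =
  /<(script|iframe|frame|embed|object)\b[^>]*?\s(?:src|data)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;

function extractExternalSources(html) {
  const found = [];
  for (const m of html.matchAll(SRC_TAG_RE)) {
    const raw = m[2] ?? m[3] ?? m[4];
    found.push({ tag: m[1].toLowerCase(), url: normalizeAttributeValue(raw) });
  }
  return found;
}

// Constructed sample: the slide's iframe value completed with an .invalid
// hostname, plus a script tag that hides one letter behind a hex reference.
const SAMPLE_HTML = `
<html><body>
<iframe src="&#104;&#116;&#116;&#112;&#58;&#47;&#47;%77%77%77%2E%74est.invalid/a" width=0 height=0></iframe>
<script src='h&#x74;tp://example.invalid/x.js'></script>
</body></html>`;

for (const r of extractExternalSources(SAMPLE_HTML)) console.log(r.tag, r.url);
```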
A Little DOM, Please
- Modern browsers are dynamic, so our emulator must also be.
- Implement the Document Object Model.
- Attempting to detect all instances of an element by simply parsing static HTML is not enough….
  createElement('IFRAME');
Coming At You Like A Spider Monkey
- Integrate scripting engine(s) with our DOM to execute scripts as they are discovered.
- Scripts are [mostly] safe for execution.
- Firefox's SpiderMonkey JavaScript engine (MPL/GPL/LGPL)
The Missing Pieces
- Implement all of the objects/functions that the browser provides:

  Native JavaScript        Browser Supplied
  eval()                   alert()
  String.fromCharCode()    document.write()
  escape()                 location.href
  Math.random()            window.status

- A few internal tweaks to mimic JScript (IE)
  e.g., arguments.callee.toString()
Automated JavaScript Deobfuscation - PacSec 2007
Automated Usage
- Integrated with our miners
  - Lots and lots of tuning … (Dec '06)
- 100,000,000+ URLs analyzed every 24 hrs
- Even after the initial decoding, string matching is still futile: "AD" + "ODB.S" + "treAM"
New Technique, New Signatures
- Detect specific DOM element + attribute combinations:
  1. New <OBJECT> created
  2. <OBJECT>.classid = "BD96C556-65A3…."
  3. <OBJECT>.CreateObject("adodb.stream")
- Can still match "old-fashioned" signatures *inside* document.write() and eval() calls
24 Hours – 111M URLs
124,232 Infected (0.11%)
Limitations – JavaScript Only?
- Other languages?
  - Same concepts apply!
- VBScript
  - vbscript.dll under Wine!
  - Currently working on an experimental version
- ActionScript
  - Partially implemented when Adobe open-sourced the engine; now part of Mozilla's Tamarin Project
Limitations – variable is not defined!
- Attackers can potentially use intentional errors to prevent code execution
- Identical input/output is very important
- Easy: document.width
- Hard: window.open()
- Really hard: XMLHttpRequest
- Centralized verbose error logging!
Limitations – Denial of Service
- JS_SetBranchCallback
  - Look familiar?
- Separate thread monitoring execution time
Limitations – User Interaction
- Malicious code could potentially rely upon a user's action before execution begins
- We implemented some basic event handling:
  - body – onload
  - window – focus
  - document – onmouse___
- Not foolproof!
CaffeineMonkey
- Ben Feinstein & Daniel Peck @ SecureWorks
- Released open source
- Excellent tool for manual reverse engineering of obfuscation; needs HTML/DOM!
- Promising research that attempts to identify malicious activity based on behavior, not static signatures.
- http://secureworks.com/research/tools/caffeinemonkey.html
Other Resources
- Tutorials from ISC, an excellent starting point
  - http://handlers.sans.org/dwesemann/decode/
- Jose Nazario's CanSecWest presentation
  - http://www.cansecwest.com/slides07/csw07-nazario.pdf
- Websense blogs
  - http://www.websense.com/securitylabs/blog/blog.php?BlogID=86
  - http://www.websense.com/securitylabs/blog/blog.php?BlogID=98
  - http://www.websense.com/securitylabs/blog/blog.php?BlogID=142
The End
Stephan Chenette, Principal Security Researcher, schenette || websense com
Alex Rice, Sr. Security Researcher, arice || websense com
Ad

More Related Content

What's hot (20)

Generic Attack Detection - ph-Neutral 0x7d8
Generic Attack Detection - ph-Neutral 0x7d8Generic Attack Detection - ph-Neutral 0x7d8
Generic Attack Detection - ph-Neutral 0x7d8
Mario Heiderich
 
Owasp tds
Owasp tdsOwasp tds
Owasp tds
snyff
 
The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010
Mario Heiderich
 
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Mario Heiderich
 
Locking the Throneroom 2.0
Locking the Throneroom 2.0Locking the Throneroom 2.0
Locking the Throneroom 2.0
Mario Heiderich
 
Flash it baby!
Flash it baby!Flash it baby!
Flash it baby!
Soroush Dalili
 
Defcon CTF quals
Defcon CTF qualsDefcon CTF quals
Defcon CTF quals
snyff
 
Vulnerabilities in data processing levels
Vulnerabilities in data processing levelsVulnerabilities in data processing levels
Vulnerabilities in data processing levels
beched
 
Static analysis for beginners
Static analysis for beginnersStatic analysis for beginners
Static analysis for beginners
Antonio Costa aka Cooler_
 
Abusing Java Remote Interfaces
Abusing Java Remote InterfacesAbusing Java Remote Interfaces
Abusing Java Remote Interfaces
juanvazquezslides
 
Advanced JS Deobfuscation
Advanced JS DeobfuscationAdvanced JS Deobfuscation
Advanced JS Deobfuscation
Minded Security
 
JavaScript From Hell - CONFidence 2.0 2009
JavaScript From Hell - CONFidence 2.0 2009JavaScript From Hell - CONFidence 2.0 2009
JavaScript From Hell - CONFidence 2.0 2009
Mario Heiderich
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS Vectors
Rodolfo Assis (Brute)
 
Defending against Java Deserialization Vulnerabilities
 Defending against Java Deserialization Vulnerabilities Defending against Java Deserialization Vulnerabilities
Defending against Java Deserialization Vulnerabilities
Luca Carettoni
 
Let's Talk Technical: Malware Evasion and Detection
Let's Talk Technical: Malware Evasion and DetectionLet's Talk Technical: Malware Evasion and Detection
Let's Talk Technical: Malware Evasion and Detection
James Haughom Jr
 
The innerHTML Apocalypse
The innerHTML ApocalypseThe innerHTML Apocalypse
The innerHTML Apocalypse
Mario Heiderich
 
The old is new, again. CVE-2011-2461 is back!
The old is new, again. CVE-2011-2461 is back!The old is new, again. CVE-2011-2461 is back!
The old is new, again. CVE-2011-2461 is back!
Luca Carettoni
 
Comparing DOM XSS Tools On Real World Bug
Comparing DOM XSS Tools On Real World BugComparing DOM XSS Tools On Real World Bug
Comparing DOM XSS Tools On Real World Bug
Stefano Di Paola
 
In the DOM, no one will hear you scream
In the DOM, no one will hear you screamIn the DOM, no one will hear you scream
In the DOM, no one will hear you scream
Mario Heiderich
 
Scriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillScriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the Sill
Mario Heiderich
 
Generic Attack Detection - ph-Neutral 0x7d8
Generic Attack Detection - ph-Neutral 0x7d8Generic Attack Detection - ph-Neutral 0x7d8
Generic Attack Detection - ph-Neutral 0x7d8
Mario Heiderich
 
Owasp tds
Owasp tdsOwasp tds
Owasp tds
snyff
 
The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010
Mario Heiderich
 
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Mario Heiderich
 
Locking the Throneroom 2.0
Locking the Throneroom 2.0Locking the Throneroom 2.0
Locking the Throneroom 2.0
Mario Heiderich
 
Defcon CTF quals
Defcon CTF qualsDefcon CTF quals
Defcon CTF quals
snyff
 
Vulnerabilities in data processing levels
Vulnerabilities in data processing levelsVulnerabilities in data processing levels
Vulnerabilities in data processing levels
beched
 
Abusing Java Remote Interfaces
Abusing Java Remote InterfacesAbusing Java Remote Interfaces
Abusing Java Remote Interfaces
juanvazquezslides
 
Advanced JS Deobfuscation
Advanced JS DeobfuscationAdvanced JS Deobfuscation
Advanced JS Deobfuscation
Minded Security
 
JavaScript From Hell - CONFidence 2.0 2009
JavaScript From Hell - CONFidence 2.0 2009JavaScript From Hell - CONFidence 2.0 2009
JavaScript From Hell - CONFidence 2.0 2009
Mario Heiderich
 
Defending against Java Deserialization Vulnerabilities
 Defending against Java Deserialization Vulnerabilities Defending against Java Deserialization Vulnerabilities
Defending against Java Deserialization Vulnerabilities
Luca Carettoni
 
Let's Talk Technical: Malware Evasion and Detection
Let's Talk Technical: Malware Evasion and DetectionLet's Talk Technical: Malware Evasion and Detection
Let's Talk Technical: Malware Evasion and Detection
James Haughom Jr
 
The innerHTML Apocalypse
The innerHTML ApocalypseThe innerHTML Apocalypse
The innerHTML Apocalypse
Mario Heiderich
 
The old is new, again. CVE-2011-2461 is back!
The old is new, again. CVE-2011-2461 is back!The old is new, again. CVE-2011-2461 is back!
The old is new, again. CVE-2011-2461 is back!
Luca Carettoni
 
Comparing DOM XSS Tools On Real World Bug
Comparing DOM XSS Tools On Real World BugComparing DOM XSS Tools On Real World Bug
Comparing DOM XSS Tools On Real World Bug
Stefano Di Paola
 
In the DOM, no one will hear you scream
In the DOM, no one will hear you screamIn the DOM, no one will hear you scream
In the DOM, no one will hear you scream
Mario Heiderich
 
Scriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillScriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the Sill
Mario Heiderich
 

Viewers also liked (20)

JScrambler Ninja challenge
JScrambler Ninja challengeJScrambler Ninja challenge
JScrambler Ninja challenge
AlkemiaLabs
 
Protecting JavaScript source code using obfuscation - OWASP Europe Tour 2013 ...
Protecting JavaScript source code using obfuscation - OWASP Europe Tour 2013 ...Protecting JavaScript source code using obfuscation - OWASP Europe Tour 2013 ...
Protecting JavaScript source code using obfuscation - OWASP Europe Tour 2013 ...
AuditMark
 
Ajit-Legiment_Techniques
Ajit-Legiment_TechniquesAjit-Legiment_Techniques
Ajit-Legiment_Techniques
guest66dc5f
 
The (In)Security of Topology Discovery in Software Defined Networks
The (In)Security of Topology Discovery in Software Defined NetworksThe (In)Security of Topology Discovery in Software Defined Networks
The (In)Security of Topology Discovery in Software Defined Networks
Talal Alharbi
 
VMRay intro video
VMRay intro videoVMRay intro video
VMRay intro video
Chad Loeven
 
Welcome to the United States: An Acculturation Conversation
Welcome to the United States: An Acculturation ConversationWelcome to the United States: An Acculturation Conversation
Welcome to the United States: An Acculturation Conversation
Suzanne M. Sullivan
 
Code obfuscation, php shells & more
Code obfuscation, php shells & moreCode obfuscation, php shells & more
Code obfuscation, php shells & more
Mattias Geniar
 
A combined approach to search for evasion techniques in network intrusion det...
A combined approach to search for evasion techniques in network intrusion det...A combined approach to search for evasion techniques in network intrusion det...
A combined approach to search for evasion techniques in network intrusion det...
eSAT Journals
 
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangPractical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Lyon Yang
 
Topics in network security
Topics in network securityTopics in network security
Topics in network security
Nasir Bhutta
 
Bsides to 2016-penetration-testing
Bsides to 2016-penetration-testingBsides to 2016-penetration-testing
Bsides to 2016-penetration-testing
Haydn Johnson
 
SENIOR MATERIAL ENGINEER WITH 5 YEARS OF EXPERIENCE
SENIOR MATERIAL ENGINEER WITH 5 YEARS OF EXPERIENCESENIOR MATERIAL ENGINEER WITH 5 YEARS OF EXPERIENCE
SENIOR MATERIAL ENGINEER WITH 5 YEARS OF EXPERIENCE
Sangeetha Sankaramahadev
 
Web attacks using obfuscated script
Web attacks using  obfuscated scriptWeb attacks using  obfuscated script
Web attacks using obfuscated script
Amol Kamble
 
On deobfuscation in practice
On deobfuscation in practiceOn deobfuscation in practice
On deobfuscation in practice
Dmitry Schelkunov
 
Purple teaming Cyber Kill Chain
Purple teaming Cyber Kill ChainPurple teaming Cyber Kill Chain
Purple teaming Cyber Kill Chain
Haydn Johnson
 
Code obfuscation
Code obfuscationCode obfuscation
Code obfuscation
Amol Kamble
 
Penetration testing dont just leave it to chance
Penetration testing dont just leave it to chancePenetration testing dont just leave it to chance
Penetration testing dont just leave it to chance
Dr. Anish Cheriyan (PhD)
 
Syllabus Advanced Exploit Development 22-23 June 2013
Syllabus Advanced Exploit Development 22-23 June 2013Syllabus Advanced Exploit Development 22-23 June 2013
Syllabus Advanced Exploit Development 22-23 June 2013
Dan H
 
Combat the Latest Two-Factor Authentication Evasion Techniques
Combat the Latest Two-Factor Authentication Evasion TechniquesCombat the Latest Two-Factor Authentication Evasion Techniques
Combat the Latest Two-Factor Authentication Evasion Techniques
IBM Security
 
Penetration Testing
Penetration Testing Penetration Testing
Penetration Testing
RomSoft SRL
 
JScrambler Ninja challenge
JScrambler Ninja challengeJScrambler Ninja challenge
JScrambler Ninja challenge
AlkemiaLabs
 
Protecting JavaScript source code using obfuscation - OWASP Europe Tour 2013 ...
Protecting JavaScript source code using obfuscation - OWASP Europe Tour 2013 ...Protecting JavaScript source code using obfuscation - OWASP Europe Tour 2013 ...
Protecting JavaScript source code using obfuscation - OWASP Europe Tour 2013 ...
AuditMark
 
Ajit-Legiment_Techniques
Ajit-Legiment_TechniquesAjit-Legiment_Techniques
Ajit-Legiment_Techniques
guest66dc5f
 
The (In)Security of Topology Discovery in Software Defined Networks
The (In)Security of Topology Discovery in Software Defined NetworksThe (In)Security of Topology Discovery in Software Defined Networks
The (In)Security of Topology Discovery in Software Defined Networks
Talal Alharbi
 
VMRay intro video
VMRay intro videoVMRay intro video
VMRay intro video
Chad Loeven
 
Welcome to the United States: An Acculturation Conversation
Welcome to the United States: An Acculturation ConversationWelcome to the United States: An Acculturation Conversation
Welcome to the United States: An Acculturation Conversation
Suzanne M. Sullivan
 
Code obfuscation, php shells & more
Code obfuscation, php shells & moreCode obfuscation, php shells & more
Code obfuscation, php shells & more
Mattias Geniar
 
A combined approach to search for evasion techniques in network intrusion det...
A combined approach to search for evasion techniques in network intrusion det...A combined approach to search for evasion techniques in network intrusion det...
A combined approach to search for evasion techniques in network intrusion det...
eSAT Journals
 
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangPractical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Lyon Yang
 
Topics in network security
Topics in network securityTopics in network security
Topics in network security
Nasir Bhutta
 
Bsides to 2016-penetration-testing
Bsides to 2016-penetration-testingBsides to 2016-penetration-testing
Bsides to 2016-penetration-testing
Haydn Johnson
 
SENIOR MATERIAL ENGINEER WITH 5 YEARS OF EXPERIENCE
SENIOR MATERIAL ENGINEER WITH 5 YEARS OF EXPERIENCESENIOR MATERIAL ENGINEER WITH 5 YEARS OF EXPERIENCE
SENIOR MATERIAL ENGINEER WITH 5 YEARS OF EXPERIENCE
Sangeetha Sankaramahadev
 
Web attacks using obfuscated script
Web attacks using  obfuscated scriptWeb attacks using  obfuscated script
Web attacks using obfuscated script
Amol Kamble
 
On deobfuscation in practice
On deobfuscation in practiceOn deobfuscation in practice
On deobfuscation in practice
Dmitry Schelkunov
 
Purple teaming Cyber Kill Chain
Purple teaming Cyber Kill ChainPurple teaming Cyber Kill Chain
Purple teaming Cyber Kill Chain
Haydn Johnson
 
Code obfuscation
Code obfuscationCode obfuscation
Code obfuscation
Amol Kamble
 
Penetration testing dont just leave it to chance
Penetration testing dont just leave it to chancePenetration testing dont just leave it to chance
Penetration testing dont just leave it to chance
Dr. Anish Cheriyan (PhD)
 
Syllabus Advanced Exploit Development 22-23 June 2013
Syllabus Advanced Exploit Development 22-23 June 2013Syllabus Advanced Exploit Development 22-23 June 2013
Syllabus Advanced Exploit Development 22-23 June 2013
Dan H
 
Combat the Latest Two-Factor Authentication Evasion Techniques
Combat the Latest Two-Factor Authentication Evasion TechniquesCombat the Latest Two-Factor Authentication Evasion Techniques
Combat the Latest Two-Factor Authentication Evasion Techniques
IBM Security
 
Penetration Testing
Penetration Testing Penetration Testing
Penetration Testing
RomSoft SRL
 
Ad

Similar to Automated JavaScript Deobfuscation - PacSec 2007 (20)

Sandboxing JS and HTML. A lession Learned
Sandboxing JS and HTML. A lession LearnedSandboxing JS and HTML. A lession Learned
Sandboxing JS and HTML. A lession Learned
Minded Security
 
Thug: a new low-interaction honeyclient
Thug: a new low-interaction honeyclientThug: a new low-interaction honeyclient
Thug: a new low-interaction honeyclient
Angelo Dell'Aera
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scripting
Dilan Warnakulasooriya
 
.Net Debugging Techniques
.Net Debugging Techniques.Net Debugging Techniques
.Net Debugging Techniques
Bala Subra
 
.NET Debugging Tips and Techniques
.NET Debugging Tips and Techniques.NET Debugging Tips and Techniques
.NET Debugging Tips and Techniques
Bala Subra
 
Intro to mobile web application development
Intro to mobile web application developmentIntro to mobile web application development
Intro to mobile web application development
zonathen
 
Medium Trust for Umbraco
Medium Trust for UmbracoMedium Trust for Umbraco
Medium Trust for Umbraco
Warren Buckley
 
XSS Primer - Noob to Pro in 1 hour
XSS Primer - Noob to Pro in 1 hourXSS Primer - Noob to Pro in 1 hour
XSS Primer - Noob to Pro in 1 hour
snoopythesecuritydog
 
How We Analyzed 1000 Dumps in One Day - Dina Goldshtein, Brightsource - DevOp...
How We Analyzed 1000 Dumps in One Day - Dina Goldshtein, Brightsource - DevOp...How We Analyzed 1000 Dumps in One Day - Dina Goldshtein, Brightsource - DevOp...
How We Analyzed 1000 Dumps in One Day - Dina Goldshtein, Brightsource - DevOp...
DevOpsDays Tel Aviv
 
Production Debugging at Code Camp Philly
Production Debugging at Code Camp PhillyProduction Debugging at Code Camp Philly
Production Debugging at Code Camp Philly
Brian Lyttle
 
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
CODE BLUE
 
MunichJS - 2011-04-06
MunichJS - 2011-04-06MunichJS - 2011-04-06
MunichJS - 2011-04-06
Mike West
 
C# Security Testing and Debugging
C# Security Testing and DebuggingC# Security Testing and Debugging
C# Security Testing and Debugging
Rich Helton
 
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaIDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
CODE BLUE
 
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdfEN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
GiorgiRcheulishvili
 
Introduction to Node.js
Introduction to Node.jsIntroduction to Node.js
Introduction to Node.js
Aaron Rosenberg
 
Beyond HTML: Tools for Building Web 2.0 Apps
Beyond HTML: Tools for Building Web 2.0 AppsBeyond HTML: Tools for Building Web 2.0 Apps
Beyond HTML: Tools for Building Web 2.0 Apps
Marcos Caceres
 
DotNet Introduction
DotNet IntroductionDotNet Introduction
DotNet Introduction
Wei Sun
 
(In)Security Implication in the JS Universe
(In)Security Implication in the JS Universe(In)Security Implication in the JS Universe
(In)Security Implication in the JS Universe
Stefano Di Paola
 
Web security: Securing Untrusted Web Content in Browsers
Web security: Securing Untrusted Web Content in BrowsersWeb security: Securing Untrusted Web Content in Browsers
Web security: Securing Untrusted Web Content in Browsers
Phú Phùng
 
Sandboxing JS and HTML. A lession Learned
Sandboxing JS and HTML. A lession LearnedSandboxing JS and HTML. A lession Learned
Sandboxing JS and HTML. A lession Learned
Minded Security
 
Thug: a new low-interaction honeyclient
Thug: a new low-interaction honeyclientThug: a new low-interaction honeyclient
Thug: a new low-interaction honeyclient
Angelo Dell'Aera
 
.Net Debugging Techniques
.Net Debugging Techniques.Net Debugging Techniques
.Net Debugging Techniques
Bala Subra
 
.NET Debugging Tips and Techniques
.NET Debugging Tips and Techniques.NET Debugging Tips and Techniques
.NET Debugging Tips and Techniques
Bala Subra
 
Intro to mobile web application development
Intro to mobile web application developmentIntro to mobile web application development
Intro to mobile web application development
zonathen
 
Medium Trust for Umbraco
Medium Trust for UmbracoMedium Trust for Umbraco
Medium Trust for Umbraco
Warren Buckley
 
XSS Primer - Noob to Pro in 1 hour
XSS Primer - Noob to Pro in 1 hourXSS Primer - Noob to Pro in 1 hour
XSS Primer - Noob to Pro in 1 hour
snoopythesecuritydog
 
How We Analyzed 1000 Dumps in One Day - Dina Goldshtein, Brightsource - DevOp...
How We Analyzed 1000 Dumps in One Day - Dina Goldshtein, Brightsource - DevOp...How We Analyzed 1000 Dumps in One Day - Dina Goldshtein, Brightsource - DevOp...
How We Analyzed 1000 Dumps in One Day - Dina Goldshtein, Brightsource - DevOp...
DevOpsDays Tel Aviv
 
Production Debugging at Code Camp Philly
Production Debugging at Code Camp PhillyProduction Debugging at Code Camp Philly
Production Debugging at Code Camp Philly
Brian Lyttle
 
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
CODE BLUE
 
MunichJS - 2011-04-06
MunichJS - 2011-04-06MunichJS - 2011-04-06
MunichJS - 2011-04-06
Mike West
 
C# Security Testing and Debugging
C# Security Testing and DebuggingC# Security Testing and Debugging
C# Security Testing and Debugging
Rich Helton
 
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaIDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
CODE BLUE
 
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdfEN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
GiorgiRcheulishvili
 
Beyond HTML: Tools for Building Web 2.0 Apps
Beyond HTML: Tools for Building Web 2.0 AppsBeyond HTML: Tools for Building Web 2.0 Apps
Beyond HTML: Tools for Building Web 2.0 Apps
Marcos Caceres
 
DotNet Introduction
DotNet IntroductionDotNet Introduction
DotNet Introduction
Wei Sun
 
(In)Security Implication in the JS Universe
(In)Security Implication in the JS Universe(In)Security Implication in the JS Universe
(In)Security Implication in the JS Universe
Stefano Di Paola
 
Web security: Securing Untrusted Web Content in Browsers
Web security: Securing Untrusted Web Content in BrowsersWeb security: Securing Untrusted Web Content in Browsers
Web security: Securing Untrusted Web Content in Browsers
Phú Phùng
 
Ad

More from Stephan Chenette (11)

Landing on Jupyter
Landing on JupyterLanding on Jupyter
Landing on Jupyter
Stephan Chenette
 
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
Stephan Chenette
 
Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013
Stephan Chenette
 
B-Sides Seattle 2012 Offensive Defense
B-Sides Seattle 2012 Offensive DefenseB-Sides Seattle 2012 Offensive Defense
B-Sides Seattle 2012 Offensive Defense
Stephan Chenette
 
The Future of Automated Malware Generation
The Future of Automated Malware GenerationThe Future of Automated Malware Generation
The Future of Automated Malware Generation
Stephan Chenette
 
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...
Stephan Chenette
 
Web Wreck-utation - CanSecWest 2008
Web Wreck-utation - CanSecWest 2008Web Wreck-utation - CanSecWest 2008
Web Wreck-utation - CanSecWest 2008
Stephan Chenette
 
The Ultimate Deobfuscator - ToorCON San Diego 2008
The Ultimate Deobfuscator - ToorCON San Diego 2008The Ultimate Deobfuscator - ToorCON San Diego 2008
The Ultimate Deobfuscator - ToorCON San Diego 2008
Stephan Chenette
 
Script Fragmentation - Stephan Chenette - OWASP/RSA 2008
Script Fragmentation - Stephan Chenette - OWASP/RSA 2008Script Fragmentation - Stephan Chenette - OWASP/RSA 2008
Script Fragmentation - Stephan Chenette - OWASP/RSA 2008
Stephan Chenette
 
Fireshark - Brucon 2010
Fireshark - Brucon 2010Fireshark - Brucon 2010
Fireshark - Brucon 2010
Stephan Chenette
 
Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012
Stephan Chenette
 
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
Stephan Chenette
 
Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013
Stephan Chenette
 
B-Sides Seattle 2012 Offensive Defense
B-Sides Seattle 2012 Offensive DefenseB-Sides Seattle 2012 Offensive Defense
B-Sides Seattle 2012 Offensive Defense
Stephan Chenette
 
The Future of Automated Malware Generation
The Future of Automated Malware GenerationThe Future of Automated Malware Generation
The Future of Automated Malware Generation
Stephan Chenette
 
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...
Stephan Chenette
 
Web Wreck-utation - CanSecWest 2008
Web Wreck-utation - CanSecWest 2008Web Wreck-utation - CanSecWest 2008
Web Wreck-utation - CanSecWest 2008
Stephan Chenette
 
The Ultimate Deobfuscator - ToorCON San Diego 2008
The Ultimate Deobfuscator - ToorCON San Diego 2008The Ultimate Deobfuscator - ToorCON San Diego 2008
The Ultimate Deobfuscator - ToorCON San Diego 2008
Stephan Chenette
 
Script Fragmentation - Stephan Chenette - OWASP/RSA 2008
Script Fragmentation - Stephan Chenette - OWASP/RSA 2008Script Fragmentation - Stephan Chenette - OWASP/RSA 2008
Script Fragmentation - Stephan Chenette - OWASP/RSA 2008
Stephan Chenette
 
Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012
Stephan Chenette
 

Automated JavaScript Deobfuscation - PacSec 2007

HTML Parser
 The first step in emulating a browser: HTML.
 Retrieve all the content needed by the page: external SCRIPTs, IFRAMEs, etc.
 Side effect – basic HTML obfuscation is defeated:
   <iframe src=“&#104;&#116;&#116;&#112;&#58;&#47;&#47;%77%77%77%2E%74….
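An added example, not the Spiffy parser itself, of the side effect described on this slide: once entities and percent escapes in attribute values are normalised, the IFRAME source is an ordinary URL that the emulator can fetch. The sample fragment is constructed here (the slide's own example is truncated) and the `example.test` host is a placeholder.

```javascript
// Added example, not the Spiffy parser: normalise the attribute-level
// obfuscation shown above so that the IFRAME source can be resolved and
// fetched like any other external resource.

// Decode decimal (&#104;) and hex (&#x68;) numeric entities plus the named
// entities that commonly turn up inside attribute values.
function decodeHtmlEntities(s) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (m, body) => {
    if (body[0] === '#') {
      const hex = body[1].toLowerCase() === 'x';
      return String.fromCodePoint(parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10));
    }
    return named[body.toLowerCase()] ?? m;   // unknown entity: keep verbatim
  });
}

// The browser decodes entities when it builds the attribute value and percent
// escapes when it resolves the URL, so apply them in that order. A malformed
// percent sequence makes decodeURIComponent throw; keep the text in that case.
function decodeAttrUrl(value) {
  const text = decodeHtmlEntities(value);
  try { return decodeURIComponent(text); } catch { return text; }
}

// Return every IFRAME/SCRIPT src in a fragment, decoded. A regex is enough for
// the slide's example; a real emulator would use its full HTML parser.
function extractSources(html) {
  const found = [];
  const re = /<(iframe|script)\b[^>]*?\ssrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    found.push({ tag: m[1].toLowerCase(), src: decodeAttrUrl(m[2] ?? m[3] ?? m[4]) });
  }
  return found;
}

// Constructed sample in the same style as the slide's truncated one:
// "http://" as decimal entities, the host (a placeholder) as percent escapes.
const SAMPLE_HTML = '<iframe src="&#104;&#116;&#116;&#112;&#58;&#47;&#47;' +
  '%65%78%61%6D%70%6C%65%2E%74%65%73%74/x.htm" width=0 height=0></iframe>';
```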
A Little DOM, Please
 Modern browsers are dynamic, so our emulator must also be.
 Implement the Document Object Model.
 Attempting to detect all instances of an element by simply parsing static HTML is not enough….
   createElement(‘IFRAME’);
Coming At You Like A Spider Monkey
 Integrate scripting engine(s) with our DOM to execute scripts as they are discovered.
 Scripts are [mostly] safe for execution.
 Firefox’s SpiderMonkey JavaScript Engine (MPL/GPL/LGPL)
The Missing Pieces
 Implement all of the objects/functions that the browser provides:
   Native JavaScript: eval(), String.fromCharCode(), escape(), Math.random()
   Browser supplied: alert(), document.write(), location.href, window.status
 A few internal tweaks to mimic JScript (IE)
   e.g., arguments.callee.toString()
Automated Usage
 Integrated with our miners
 Lots and lots of tuning … (Dec ’06)
 100,000,000+ URLs analyzed every 24 hrs
 Even after the initial decoding, string matching is still futile:
   “AD” + “ODB.S” + “treAM”
New Technique, New Signatures
 Detect specific DOM element + attribute combinations:
   1. New <OBJECT> created
   2. <OBJECT>.classid = “BD96C556-65A3….”
   3. <OBJECT>.CreateObject(“adodb.stream”)
 Can still match “old fashion” signatures *inside* document.write() and eval() calls
24 Hours – 111M URLs
 124,232 Infected (0.11%)
Limitations – JavaScript Only?
 Other Languages? Same concepts apply!
 VBScript
   vbscript.dll under Wine!
   Currently working on experimental version
 ActionScript
   Partially implemented when Adobe open sourced the engine; now part of Mozilla’s Tamarin Project
Limitations – variable is not defined!
 Attackers can potentially use intentional errors to prevent code execution
 Identical input/output is very important
   Easy: document.width
   Hard: window.open()
   Really hard: XMLHTTPRequest
 Centralized verbose error logging!
Limitations – Denial of Service
 JS_SetBranchCallback
 Look familiar?
 Separate thread monitoring execution time
Limitations – User Interaction
 Malicious code could potentially rely upon a user’s action before execution begins
 We implemented some basic event handling:
   body – onload
   window – focus
   document – onmouse___
 Not foolproof!
CaffeineMonkey
 Ben Feinstein & Daniel Peck @ SecureWorks
 Released Open Source
 Excellent tool for manual reverse engineering of obfuscation; needs HTML/DOM!
 Promising research that attempts to identify malicious activity based on behavior, not static signatures.
 http://secureworks.com/research/tools/caffeinemonkey.html
Other Resources
 Tutorials from ISC, excellent starting point
   http://handlers.sans.org/dwesemann/decode/
 Jose Nazario’s CanSecWest presentation
   http://www.cansecwest.com/slides07/csw07-nazario.pdf
 Websense Blogs
   http://www.websense.com/securitylabs/blog/blog.php?BlogID=86
   http://www.websense.com/securitylabs/blog/blog.php?BlogID=98
   http://www.websense.com/securitylabs/blog/blog.php?BlogID=142
The End
Stephan Chenette               Alex Rice
Principal Security Researcher   Sr. Security Researcher
schenette || websense com      arice || websense com