SlideShare una empresa de Scribd logo

Automated JavaScript Deobfuscation - PacSec 2007

Stephan Chenette
Stephan Chenette
1 de 35
Descargar para leer sin conexión
Spiffy: Automated JavaScript Deobfuscation Stephan Chenette Alex Rice Principle Security Researcher Sr. Security Researcher
Malcode analysis  Current malcode research is focused on binary analysis.  Multiple tools to assist researchers in analysis.  IDA  OllyDbg  Fact: More delivery of malware is moving to the web.  A new set of skills and tools are required.
What you know… What you need to know…  Malicious binary analysis  Languages: Assembly, C, C++, vb, delphi, etc.  Concepts: PE file format, win32 function usage, unpacking, anti- disassembling tricks, etc.  Tools: IDA, OllyDbg, PEiD, Imprec  Malicious web content analysis  Languages: (D)HTML, VBScript, JavaScript, Perl/Python/Ruby  Concepts: HTTP Protocol, XMLHTTPRequest, Document Object Model (DOM), Browser Security Models, JSON,  Tools: ???
Those Who Forget History Are Doomed to Repeat It  Malcode authors will protect malicious web content the same way they protected malicious binaries.  Signature evasion  Anti-analysis techniques  Pain in the #*&#$! for all researchers!!
Unpacking and anti-debugging  Packing/Protecting/Anti-reversing  Compression, Encryption, CRC protection  Anti-debugging  Virtualization detection  Anti-emulation  XOR stubs
Obfuscation Evolution  String splitting:  “AD” + “ODB.S” + “treAM”  String encoding/escaping:  “%41u0044” + “Ox44%42u002ES” + “t%72eAM”  Closing html tags (e.g. </TEXTAREA>)  Code length dependant obfuscation:  arguments.callee.toString()  Server-side [poly|meta]-morphic obfuscation
Malicious JavaScript
What we actually see…
Our Approach  Emulation: a browser without a browser…  HTML Parser  DOM Implementation  Scripting Engine(s)/Interpreter(s)  Allow the page to decode itself  Don’t render content, just log everything!
HTML Parser  The first step in emulating a browser: HTML.  Retrieve all the content needed by the page: external SCRIPTs, IFRAMEs, etc.  Side effect – basic HTML obfuscation is defeated:  <iframe src=“&#104;&#116;&#116;&#112; &#58;&#47;&#47;%77%77%77%2E%74….
A Little DOM, Please  Modern browsers are dynamic, so our emulator must also be.  Implement Document Object Model  Attempting to detect all instances of an element by simply parsing static HTML is not enough….  createElement(‘IFRAME’);
Coming At You Like A Spider Monkey  Integrate scripting engine(s) with our DOM to execute scripts as they are discovered  Scripts are [mostly] safe for execution  Firefox’s SpiderMonkey JavaScript Engine (MPL/GPL/LGPL)
The Missing Pieces  Implement all of the objects/functions that the browser provides: Native JavaScript Browser Supplied eval() alert() String.fromCharCode() document.write() escape() location.href Math.random() window.status  Few internal tweaks to mimic JScript (IE)  e.g., arguments.callee.toString()
Automated Usage  Integrated with our miners  Lots and lots of tuning … (Dec ’06)  100,000,000+ URLs analyzed every 24 hrs  Even after the initial decoding, string matching is still futile: “AD” + “ODB.S” + “treAM”
New Technique, New Signatures  Detect specific DOM element + attribute combinations 1. New <OBJECT> created 2. <OBJECT>.classid = “BD96C556-65A3….” 3. <OBJECT>.CreateObject(“adodb.stream”)  Can still match “old fashion” signatures *inside* document.write() and eval() calls
24 Hours – 111M URLs 124,232 Infected (0.11%)
Limitations – JavaScript Only?  Other Languages?  Same concepts apply!  VBScript  vbscript.dll under WinE!  Currently working on experimental version  ActionScript  Partially implemented when Adobe open sourced the engine; now part of Mozilla’s Tamarin Project
Limitations – variable is not defined!  Attackers can potentially use intentional errors to prevent code execution  Identical input/output is very important  Easy: document.width  Hard: window.open()  Really hard: XMLHTTPRequest  Centralized verbose error logging!
Limitations – Denial of Service  JS_SetBranchCallback  Look familiar?  Separate thread monitoring execution time
Limitations – User Interaction  Malicious code could potentially rely upon a user’s action before execution begins  We implemented some basic event handling:  body – onload  window – focus  document – onmouse___  Not foolproof!
CaffeineMonkey  Ben Feinstein & Daniel Peck @ SecureWorks  Released Open Source  Excellent tool for manual reverse engineering of obfuscation; needs HTML/DOM!  Promising research that attempts to identify malicious activity based on behavior, not static signatures.  http://secureworks.com/research/tools/caffeinemonkey.html
Other Resources  Tutorials from ISC, excellent starting point  http://handlers.sans.org/dwesemann/decode/  Jose Nazario’s CanSecWest presentation  http://www.cansecwest.com/slides07/csw07-nazario.pdf  Websense Blogs  http://www.websense.com/securitylabs/blog/blog.php?BlogID=86  http://www.websense.com/securitylabs/blog/blog.php?BlogID=98  http://www.websense.com/securitylabs/blog/blog.php?BlogID=142
The End Stephan Chenette Alex Rice Principle Security Researcher Sr .Security Researcher schenette || websense com arice || websense com

Recomendados

Dev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT SecurityDev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT SecurityMario Heiderich
 
Ln monitoring repositories
Ln monitoring repositoriesLn monitoring repositories
Ln monitoring repositoriessnyff
 
Ruxmon cve 2012-2661
Ruxmon cve 2012-2661Ruxmon cve 2012-2661
Ruxmon cve 2012-2661snyff
 
Ruxmon feb 2013 what happened to rails
Ruxmon feb 2013 what happened to railsRuxmon feb 2013 what happened to rails
Ruxmon feb 2013 what happened to railssnyff
 
I thought you were my friend - Malicious Markup
I thought you were my friend - Malicious MarkupI thought you were my friend - Malicious Markup
I thought you were my friend - Malicious MarkupMario Heiderich
 
HTML5 - The Good, the Bad, the Ugly
HTML5 - The Good, the Bad, the UglyHTML5 - The Good, the Bad, the Ugly
HTML5 - The Good, the Bad, the UglyMario Heiderich
 
Finding Needles in Haystacks
Finding Needles in HaystacksFinding Needles in Haystacks
Finding Needles in Haystackssnyff
 
The Ultimate IDS Smackdown
The Ultimate IDS SmackdownThe Ultimate IDS Smackdown
The Ultimate IDS SmackdownMario Heiderich
 

Recomendados

Dev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT SecurityDev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT SecurityMario Heiderich
 
Ln monitoring repositories
Ln monitoring repositoriesLn monitoring repositories
Ln monitoring repositoriessnyff
 
Ruxmon cve 2012-2661
Ruxmon cve 2012-2661Ruxmon cve 2012-2661
Ruxmon cve 2012-2661snyff
 
Ruxmon feb 2013 what happened to rails
Ruxmon feb 2013 what happened to railsRuxmon feb 2013 what happened to rails
Ruxmon feb 2013 what happened to railssnyff
 
I thought you were my friend - Malicious Markup
I thought you were my friend - Malicious MarkupI thought you were my friend - Malicious Markup
I thought you were my friend - Malicious MarkupMario Heiderich
 
HTML5 - The Good, the Bad, the Ugly
HTML5 - The Good, the Bad, the UglyHTML5 - The Good, the Bad, the Ugly
HTML5 - The Good, the Bad, the UglyMario Heiderich
 
Finding Needles in Haystacks
Finding Needles in HaystacksFinding Needles in Haystacks
Finding Needles in Haystackssnyff
 
The Ultimate IDS Smackdown
The Ultimate IDS SmackdownThe Ultimate IDS Smackdown
The Ultimate IDS SmackdownMario Heiderich
 
Generic Attack Detection - ph-Neutral 0x7d8
Generic Attack Detection - ph-Neutral 0x7d8Generic Attack Detection - ph-Neutral 0x7d8
Generic Attack Detection - ph-Neutral 0x7d8Mario Heiderich
 
Owasp tds
Owasp tdsOwasp tds
Owasp tdssnyff
 
The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010Mario Heiderich
 
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...Mario Heiderich
 
Locking the Throneroom 2.0
Locking the Throneroom 2.0Locking the Throneroom 2.0
Locking the Throneroom 2.0Mario Heiderich
 
Flash it baby!
Flash it baby!Flash it baby!
Flash it baby!Soroush Dalili
 
Defcon CTF quals
Defcon CTF qualsDefcon CTF quals
Defcon CTF qualssnyff
 
Vulnerabilities in data processing levels
Vulnerabilities in data processing levelsVulnerabilities in data processing levels
Vulnerabilities in data processing levelsbeched
 
Static analysis for beginners
Static analysis for beginnersStatic analysis for beginners
Static analysis for beginnersAntonio Costa aka Cooler_
 
Abusing Java Remote Interfaces
Abusing Java Remote InterfacesAbusing Java Remote Interfaces
Abusing Java Remote Interfacesjuanvazquezslides
 
Advanced JS Deobfuscation
Advanced JS DeobfuscationAdvanced JS Deobfuscation
Advanced JS DeobfuscationMinded Security
 
JavaScript From Hell - CONFidence 2.0 2009
JavaScript From Hell - CONFidence 2.0 2009JavaScript From Hell - CONFidence 2.0 2009
JavaScript From Hell - CONFidence 2.0 2009Mario Heiderich
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS VectorsRodolfo Assis (Brute)
 
Defending against Java Deserialization Vulnerabilities
Defending against Java Deserialization Vulnerabilities Defending against Java Deserialization Vulnerabilities
Defending against Java Deserialization VulnerabilitiesLuca Carettoni
 
Let's Talk Technical: Malware Evasion and Detection
Let's Talk Technical: Malware Evasion and DetectionLet's Talk Technical: Malware Evasion and Detection
Let's Talk Technical: Malware Evasion and DetectionJames Haughom Jr
 
The innerHTML Apocalypse
The innerHTML ApocalypseThe innerHTML Apocalypse
The innerHTML ApocalypseMario Heiderich
 
The old is new, again. CVE-2011-2461 is back!
The old is new, again. CVE-2011-2461 is back!The old is new, again. CVE-2011-2461 is back!
The old is new, again. CVE-2011-2461 is back!Luca Carettoni
 
Comparing DOM XSS Tools On Real World Bug
Comparing DOM XSS Tools On Real World BugComparing DOM XSS Tools On Real World Bug
Comparing DOM XSS Tools On Real World BugStefano Di Paola
 
In the DOM, no one will hear you scream
In the DOM, no one will hear you screamIn the DOM, no one will hear you scream
In the DOM, no one will hear you screamMario Heiderich
 
Scriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillScriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillMario Heiderich
 
JScrambler Ninja challenge
JScrambler Ninja challengeJScrambler Ninja challenge
JScrambler Ninja challengeAlkemiaLabs
 
Protecting JavaScript source code using obfuscation - OWASP Europe Tour 2013 ...
Protecting JavaScript source code using obfuscation - OWASP Europe Tour 2013 ...Protecting JavaScript source code using obfuscation - OWASP Europe Tour 2013 ...
Protecting JavaScript source code using obfuscation - OWASP Europe Tour 2013 ...AuditMark
 

Más contenido relacionado

La actualidad más candente

Generic Attack Detection - ph-Neutral 0x7d8
Generic Attack Detection - ph-Neutral 0x7d8Generic Attack Detection - ph-Neutral 0x7d8
Generic Attack Detection - ph-Neutral 0x7d8Mario Heiderich
 
Owasp tds
Owasp tdsOwasp tds
Owasp tdssnyff
 
The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010Mario Heiderich
 
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...Mario Heiderich
 
Locking the Throneroom 2.0
Locking the Throneroom 2.0Locking the Throneroom 2.0
Locking the Throneroom 2.0Mario Heiderich
 
Defcon CTF quals
Defcon CTF qualsDefcon CTF quals
Defcon CTF qualssnyff
 
Vulnerabilities in data processing levels
Vulnerabilities in data processing levelsVulnerabilities in data processing levels
Vulnerabilities in data processing levelsbeched
 
Abusing Java Remote Interfaces
Abusing Java Remote InterfacesAbusing Java Remote Interfaces
Abusing Java Remote Interfacesjuanvazquezslides
 
Advanced JS Deobfuscation
Advanced JS DeobfuscationAdvanced JS Deobfuscation
Advanced JS DeobfuscationMinded Security
 
JavaScript From Hell - CONFidence 2.0 2009
JavaScript From Hell - CONFidence 2.0 2009JavaScript From Hell - CONFidence 2.0 2009
JavaScript From Hell - CONFidence 2.0 2009Mario Heiderich
 
Defending against Java Deserialization Vulnerabilities
Defending against Java Deserialization Vulnerabilities Defending against Java Deserialization Vulnerabilities
Defending against Java Deserialization VulnerabilitiesLuca Carettoni
 
Let's Talk Technical: Malware Evasion and Detection
Let's Talk Technical: Malware Evasion and DetectionLet's Talk Technical: Malware Evasion and Detection
Let's Talk Technical: Malware Evasion and DetectionJames Haughom Jr
 
The innerHTML Apocalypse
The innerHTML ApocalypseThe innerHTML Apocalypse
The innerHTML ApocalypseMario Heiderich
 
The old is new, again. CVE-2011-2461 is back!
The old is new, again. CVE-2011-2461 is back!The old is new, again. CVE-2011-2461 is back!
The old is new, again. CVE-2011-2461 is back!Luca Carettoni
 
Comparing DOM XSS Tools On Real World Bug
Comparing DOM XSS Tools On Real World BugComparing DOM XSS Tools On Real World Bug
Comparing DOM XSS Tools On Real World BugStefano Di Paola
 
In the DOM, no one will hear you scream
In the DOM, no one will hear you screamIn the DOM, no one will hear you scream
In the DOM, no one will hear you screamMario Heiderich
 
Scriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillScriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillMario Heiderich
 

La actualidad más candente (20)

Generic Attack Detection - ph-Neutral 0x7d8
Generic Attack Detection - ph-Neutral 0x7d8Generic Attack Detection - ph-Neutral 0x7d8
Generic Attack Detection - ph-Neutral 0x7d8
 
Owasp tds
Owasp tdsOwasp tds
Owasp tds
 
The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010
 
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
 
Locking the Throneroom 2.0
Locking the Throneroom 2.0Locking the Throneroom 2.0
Locking the Throneroom 2.0
 
Flash it baby!
Flash it baby!Flash it baby!
Flash it baby!
 
Defcon CTF quals
Defcon CTF qualsDefcon CTF quals
Defcon CTF quals
 
Vulnerabilities in data processing levels
Vulnerabilities in data processing levelsVulnerabilities in data processing levels
Vulnerabilities in data processing levels
 
Static analysis for beginners
Static analysis for beginnersStatic analysis for beginners
Static analysis for beginners
 
Abusing Java Remote Interfaces
Abusing Java Remote InterfacesAbusing Java Remote Interfaces
Abusing Java Remote Interfaces
 
Advanced JS Deobfuscation
Advanced JS DeobfuscationAdvanced JS Deobfuscation
Advanced JS Deobfuscation
 
JavaScript From Hell - CONFidence 2.0 2009
JavaScript From Hell - CONFidence 2.0 2009JavaScript From Hell - CONFidence 2.0 2009
JavaScript From Hell - CONFidence 2.0 2009
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS Vectors
 
Defending against Java Deserialization Vulnerabilities
Defending against Java Deserialization Vulnerabilities Defending against Java Deserialization Vulnerabilities
Defending against Java Deserialization Vulnerabilities
 
Let's Talk Technical: Malware Evasion and Detection
Let's Talk Technical: Malware Evasion and DetectionLet's Talk Technical: Malware Evasion and Detection
Let's Talk Technical: Malware Evasion and Detection
 
The innerHTML Apocalypse
The innerHTML ApocalypseThe innerHTML Apocalypse
The innerHTML Apocalypse
 
The old is new, again. CVE-2011-2461 is back!
The old is new, again. CVE-2011-2461 is back!The old is new, again. CVE-2011-2461 is back!
The old is new, again. CVE-2011-2461 is back!
 
Comparing DOM XSS Tools On Real World Bug
Comparing DOM XSS Tools On Real World BugComparing DOM XSS Tools On Real World Bug
Comparing DOM XSS Tools On Real World Bug
 
In the DOM, no one will hear you scream
In the DOM, no one will hear you screamIn the DOM, no one will hear you scream
In the DOM, no one will hear you scream
 
Scriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillScriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the Sill
 

Destacado

JScrambler Ninja challenge
JScrambler Ninja challengeJScrambler Ninja challenge
JScrambler Ninja challengeAlkemiaLabs
 
Protecting JavaScript source code using obfuscation - OWASP Europe Tour 2013 ...
Protecting JavaScript source code using obfuscation - OWASP Europe Tour 2013 ...Protecting JavaScript source code using obfuscation - OWASP Europe Tour 2013 ...
Protecting JavaScript source code using obfuscation - OWASP Europe Tour 2013 ...AuditMark
 
Ajit-Legiment_Techniques
Ajit-Legiment_TechniquesAjit-Legiment_Techniques
Ajit-Legiment_Techniquesguest66dc5f
 
The (In)Security of Topology Discovery in Software Defined Networks
The (In)Security of Topology Discovery in Software Defined NetworksThe (In)Security of Topology Discovery in Software Defined Networks
The (In)Security of Topology Discovery in Software Defined NetworksTalal Alharbi
 
VMRay intro video
VMRay intro videoVMRay intro video
VMRay intro videoChad Loeven
 
Welcome to the United States: An Acculturation Conversation
Welcome to the United States: An Acculturation ConversationWelcome to the United States: An Acculturation Conversation
Welcome to the United States: An Acculturation ConversationSuzanne M. Sullivan
 
Code obfuscation, php shells & more
Code obfuscation, php shells & moreCode obfuscation, php shells & more
Code obfuscation, php shells & moreMattias Geniar
 
A combined approach to search for evasion techniques in network intrusion det...
A combined approach to search for evasion techniques in network intrusion det...A combined approach to search for evasion techniques in network intrusion det...
A combined approach to search for evasion techniques in network intrusion det...eSAT Journals
 
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangPractical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangLyon Yang
 
Topics in network security
Topics in network securityTopics in network security
Topics in network securityNasir Bhutta
 
Bsides to 2016-penetration-testing
Bsides to 2016-penetration-testingBsides to 2016-penetration-testing
Bsides to 2016-penetration-testingHaydn Johnson
 
SENIOR MATERIAL ENGINEER WITH 5 YEARS OF EXPERIENCE
SENIOR MATERIAL ENGINEER WITH 5 YEARS OF EXPERIENCESENIOR MATERIAL ENGINEER WITH 5 YEARS OF EXPERIENCE
SENIOR MATERIAL ENGINEER WITH 5 YEARS OF EXPERIENCESangeetha Sankaramahadev
 
Web attacks using obfuscated script
Web attacks using obfuscated scriptWeb attacks using obfuscated script
Web attacks using obfuscated scriptAmol Kamble
 
On deobfuscation in practice
On deobfuscation in practiceOn deobfuscation in practice
On deobfuscation in practiceDmitry Schelkunov
 
Purple teaming Cyber Kill Chain
Purple teaming Cyber Kill ChainPurple teaming Cyber Kill Chain
Purple teaming Cyber Kill ChainHaydn Johnson
 
Code obfuscation
Code obfuscationCode obfuscation
Code obfuscationAmol Kamble
 
Penetration testing dont just leave it to chance
Penetration testing dont just leave it to chancePenetration testing dont just leave it to chance
Penetration testing dont just leave it to chanceDr. Anish Cheriyan (PhD)
 
Syllabus Advanced Exploit Development 22-23 June 2013
Syllabus Advanced Exploit Development 22-23 June 2013Syllabus Advanced Exploit Development 22-23 June 2013
Syllabus Advanced Exploit Development 22-23 June 2013Dan H
 
Combat the Latest Two-Factor Authentication Evasion Techniques
Combat the Latest Two-Factor Authentication Evasion TechniquesCombat the Latest Two-Factor Authentication Evasion Techniques
Combat the Latest Two-Factor Authentication Evasion TechniquesIBM Security
 
Penetration Testing
Penetration Testing Penetration Testing
Penetration Testing RomSoft SRL
 

Destacado (20)

JScrambler Ninja challenge
JScrambler Ninja challengeJScrambler Ninja challenge
JScrambler Ninja challenge
 
Protecting JavaScript source code using obfuscation - OWASP Europe Tour 2013 ...
Protecting JavaScript source code using obfuscation - OWASP Europe Tour 2013 ...Protecting JavaScript source code using obfuscation - OWASP Europe Tour 2013 ...
Protecting JavaScript source code using obfuscation - OWASP Europe Tour 2013 ...
 
Ajit-Legiment_Techniques
Ajit-Legiment_TechniquesAjit-Legiment_Techniques
Ajit-Legiment_Techniques
 
The (In)Security of Topology Discovery in Software Defined Networks
The (In)Security of Topology Discovery in Software Defined NetworksThe (In)Security of Topology Discovery in Software Defined Networks
The (In)Security of Topology Discovery in Software Defined Networks
 
VMRay intro video
VMRay intro videoVMRay intro video
VMRay intro video
 
Welcome to the United States: An Acculturation Conversation
Welcome to the United States: An Acculturation ConversationWelcome to the United States: An Acculturation Conversation
Welcome to the United States: An Acculturation Conversation
 
Code obfuscation, php shells & more
Code obfuscation, php shells & moreCode obfuscation, php shells & more
Code obfuscation, php shells & more
 
A combined approach to search for evasion techniques in network intrusion det...
A combined approach to search for evasion techniques in network intrusion det...A combined approach to search for evasion techniques in network intrusion det...
A combined approach to search for evasion techniques in network intrusion det...
 
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangPractical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
 
Topics in network security
Topics in network securityTopics in network security
Topics in network security
 
Bsides to 2016-penetration-testing
Bsides to 2016-penetration-testingBsides to 2016-penetration-testing
Bsides to 2016-penetration-testing
 
SENIOR MATERIAL ENGINEER WITH 5 YEARS OF EXPERIENCE
SENIOR MATERIAL ENGINEER WITH 5 YEARS OF EXPERIENCESENIOR MATERIAL ENGINEER WITH 5 YEARS OF EXPERIENCE
SENIOR MATERIAL ENGINEER WITH 5 YEARS OF EXPERIENCE
 
Web attacks using obfuscated script
Web attacks using obfuscated scriptWeb attacks using obfuscated script
Web attacks using obfuscated script
 
On deobfuscation in practice
On deobfuscation in practiceOn deobfuscation in practice
On deobfuscation in practice
 
Purple teaming Cyber Kill Chain
Purple teaming Cyber Kill ChainPurple teaming Cyber Kill Chain
Purple teaming Cyber Kill Chain
 
Code obfuscation
Code obfuscationCode obfuscation
Code obfuscation
 
Penetration testing dont just leave it to chance
Penetration testing dont just leave it to chancePenetration testing dont just leave it to chance
Penetration testing dont just leave it to chance
 
Syllabus Advanced Exploit Development 22-23 June 2013
Syllabus Advanced Exploit Development 22-23 June 2013Syllabus Advanced Exploit Development 22-23 June 2013
Syllabus Advanced Exploit Development 22-23 June 2013
 
Combat the Latest Two-Factor Authentication Evasion Techniques
Combat the Latest Two-Factor Authentication Evasion TechniquesCombat the Latest Two-Factor Authentication Evasion Techniques
Combat the Latest Two-Factor Authentication Evasion Techniques
 
Penetration Testing
Penetration Testing Penetration Testing
Penetration Testing
 

Similar a Automated JavaScript Deobfuscation - PacSec 2007

Sandboxing JS and HTML. A lession Learned
Sandboxing JS and HTML. A lession LearnedSandboxing JS and HTML. A lession Learned
Sandboxing JS and HTML. A lession LearnedMinded Security
 
Thug: a new low-interaction honeyclient
Thug: a new low-interaction honeyclientThug: a new low-interaction honeyclient
Thug: a new low-interaction honeyclientAngelo Dell'Aera
 
.NET Debugging Tips and Techniques
.NET Debugging Tips and Techniques.NET Debugging Tips and Techniques
.NET Debugging Tips and TechniquesBala Subra
 
.Net Debugging Techniques
.Net Debugging Techniques.Net Debugging Techniques
.Net Debugging TechniquesBala Subra
 
Intro to mobile web application development
Intro to mobile web application developmentIntro to mobile web application development
Intro to mobile web application developmentzonathen
 
Medium Trust for Umbraco
Medium Trust for UmbracoMedium Trust for Umbraco
Medium Trust for UmbracoWarren Buckley
 
XSS Primer - Noob to Pro in 1 hour
XSS Primer - Noob to Pro in 1 hourXSS Primer - Noob to Pro in 1 hour
XSS Primer - Noob to Pro in 1 hoursnoopythesecuritydog
 
How We Analyzed 1000 Dumps in One Day - Dina Goldshtein, Brightsource - DevOp...
How We Analyzed 1000 Dumps in One Day - Dina Goldshtein, Brightsource - DevOp...How We Analyzed 1000 Dumps in One Day - Dina Goldshtein, Brightsource - DevOp...
How We Analyzed 1000 Dumps in One Day - Dina Goldshtein, Brightsource - DevOp...DevOpsDays Tel Aviv
 
Production Debugging at Code Camp Philly
Production Debugging at Code Camp PhillyProduction Debugging at Code Camp Philly
Production Debugging at Code Camp PhillyBrian Lyttle
 
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...CODE BLUE
 
MunichJS - 2011-04-06
MunichJS - 2011-04-06MunichJS - 2011-04-06
MunichJS - 2011-04-06Mike West
 
C# Security Testing and Debugging
C# Security Testing and DebuggingC# Security Testing and Debugging
C# Security Testing and DebuggingRich Helton
 
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaIDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaCODE BLUE
 
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdfEN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdfGiorgiRcheulishvili
 
Beyond HTML: Tools for Building Web 2.0 Apps
Beyond HTML: Tools for Building Web 2.0 AppsBeyond HTML: Tools for Building Web 2.0 Apps
Beyond HTML: Tools for Building Web 2.0 AppsMarcos Caceres
 
DotNet Introduction
DotNet IntroductionDotNet Introduction
DotNet IntroductionWei Sun
 
(In)Security Implication in the JS Universe
(In)Security Implication in the JS Universe(In)Security Implication in the JS Universe
(In)Security Implication in the JS UniverseStefano Di Paola
 
Web security: Securing Untrusted Web Content in Browsers
Web security: Securing Untrusted Web Content in BrowsersWeb security: Securing Untrusted Web Content in Browsers
Web security: Securing Untrusted Web Content in BrowsersPhú Phùng
 

Similar a Automated JavaScript Deobfuscation - PacSec 2007 (20)

Sandboxing JS and HTML. A lession Learned
Sandboxing JS and HTML. A lession LearnedSandboxing JS and HTML. A lession Learned
Sandboxing JS and HTML. A lession Learned
 
Thug: a new low-interaction honeyclient
Thug: a new low-interaction honeyclientThug: a new low-interaction honeyclient
Thug: a new low-interaction honeyclient
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scripting
 
.NET Debugging Tips and Techniques
.NET Debugging Tips and Techniques.NET Debugging Tips and Techniques
.NET Debugging Tips and Techniques
 
.Net Debugging Techniques
.Net Debugging Techniques.Net Debugging Techniques
.Net Debugging Techniques
 
Intro to mobile web application development
Intro to mobile web application developmentIntro to mobile web application development
Intro to mobile web application development
 
Medium Trust for Umbraco
Medium Trust for UmbracoMedium Trust for Umbraco
Medium Trust for Umbraco
 
XSS Primer - Noob to Pro in 1 hour
XSS Primer - Noob to Pro in 1 hourXSS Primer - Noob to Pro in 1 hour
XSS Primer - Noob to Pro in 1 hour
 
How We Analyzed 1000 Dumps in One Day - Dina Goldshtein, Brightsource - DevOp...
How We Analyzed 1000 Dumps in One Day - Dina Goldshtein, Brightsource - DevOp...How We Analyzed 1000 Dumps in One Day - Dina Goldshtein, Brightsource - DevOp...
How We Analyzed 1000 Dumps in One Day - Dina Goldshtein, Brightsource - DevOp...
 
Production Debugging at Code Camp Philly
Production Debugging at Code Camp PhillyProduction Debugging at Code Camp Philly
Production Debugging at Code Camp Philly
 
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
 
MunichJS - 2011-04-06
MunichJS - 2011-04-06MunichJS - 2011-04-06
MunichJS - 2011-04-06
 
C# Security Testing and Debugging
C# Security Testing and DebuggingC# Security Testing and Debugging
C# Security Testing and Debugging
 
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaIDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
 
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdfEN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
 
Introduction to Node.js
Introduction to Node.jsIntroduction to Node.js
Introduction to Node.js
 
Beyond HTML: Tools for Building Web 2.0 Apps
Beyond HTML: Tools for Building Web 2.0 AppsBeyond HTML: Tools for Building Web 2.0 Apps
Beyond HTML: Tools for Building Web 2.0 Apps
 
DotNet Introduction
DotNet IntroductionDotNet Introduction
DotNet Introduction
 
(In)Security Implication in the JS Universe
(In)Security Implication in the JS Universe(In)Security Implication in the JS Universe
(In)Security Implication in the JS Universe
 
Web security: Securing Untrusted Web Content in Browsers
Web security: Securing Untrusted Web Content in BrowsersWeb security: Securing Untrusted Web Content in Browsers
Web security: Securing Untrusted Web Content in Browsers
 

Más de Stephan Chenette

2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration TestingStephan Chenette
 
Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Stephan Chenette
 
B-Sides Seattle 2012 Offensive Defense
B-Sides Seattle 2012 Offensive DefenseB-Sides Seattle 2012 Offensive Defense
B-Sides Seattle 2012 Offensive DefenseStephan Chenette
 
The Future of Automated Malware Generation
The Future of Automated Malware GenerationThe Future of Automated Malware Generation
The Future of Automated Malware GenerationStephan Chenette
 
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...Stephan Chenette
 
Web Wreck-utation - CanSecWest 2008
Web Wreck-utation - CanSecWest 2008Web Wreck-utation - CanSecWest 2008
Web Wreck-utation - CanSecWest 2008Stephan Chenette
 
The Ultimate Deobfuscator - ToorCON San Diego 2008
The Ultimate Deobfuscator - ToorCON San Diego 2008The Ultimate Deobfuscator - ToorCON San Diego 2008
The Ultimate Deobfuscator - ToorCON San Diego 2008Stephan Chenette
 
Script Fragmentation - Stephan Chenette - OWASP/RSA 2008
Script Fragmentation - Stephan Chenette - OWASP/RSA 2008Script Fragmentation - Stephan Chenette - OWASP/RSA 2008
Script Fragmentation - Stephan Chenette - OWASP/RSA 2008Stephan Chenette
 
Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012Stephan Chenette
 

Más de Stephan Chenette (11)

Landing on Jupyter
Landing on JupyterLanding on Jupyter
Landing on Jupyter
 
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
 
Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013
 
B-Sides Seattle 2012 Offensive Defense
B-Sides Seattle 2012 Offensive DefenseB-Sides Seattle 2012 Offensive Defense
B-Sides Seattle 2012 Offensive Defense
 
The Future of Automated Malware Generation
The Future of Automated Malware GenerationThe Future of Automated Malware Generation
The Future of Automated Malware Generation
 
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...
Detecting Web Browser Heap Corruption Attacks - Stephan Chenette, Moti Joseph...
 
Web Wreck-utation - CanSecWest 2008
Web Wreck-utation - CanSecWest 2008Web Wreck-utation - CanSecWest 2008
Web Wreck-utation - CanSecWest 2008
 
The Ultimate Deobfuscator - ToorCON San Diego 2008
The Ultimate Deobfuscator - ToorCON San Diego 2008The Ultimate Deobfuscator - ToorCON San Diego 2008
The Ultimate Deobfuscator - ToorCON San Diego 2008
 
Script Fragmentation - Stephan Chenette - OWASP/RSA 2008
Script Fragmentation - Stephan Chenette - OWASP/RSA 2008Script Fragmentation - Stephan Chenette - OWASP/RSA 2008
Script Fragmentation - Stephan Chenette - OWASP/RSA 2008
 
Fireshark - Brucon 2010
Fireshark - Brucon 2010Fireshark - Brucon 2010
Fireshark - Brucon 2010
 
Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012
 

Automated JavaScript Deobfuscation - PacSec 2007

  • 1. Spiffy: Automated JavaScript Deobfuscation Stephan Chenette Alex Rice Principle Security Researcher Sr. Security Researcher
  • 2. Malcode analysis  Current malcode research is focused on binary analysis.  Multiple tools to assist researchers in analysis.  IDA  OllyDbg  Fact: More delivery of malware is moving to the web.  A new set of skills and tools are required.
  • 3. What you know… What you need to know…  Malicious binary analysis  Languages: Assembly, C, C++, vb, delphi, etc.  Concepts: PE file format, win32 function usage, unpacking, anti- disassembling tricks, etc.  Tools: IDA, OllyDbg, PEiD, Imprec  Malicious web content analysis  Languages: (D)HTML, VBScript, JavaScript, Perl/Python/Ruby  Concepts: HTTP Protocol, XMLHTTPRequest, Document Object Model (DOM), Browser Security Models, JSON,  Tools: ???
  • 4. Those Who Forget History Are Doomed to Repeat It  Malcode authors will protect malicious web content the same way they protected malicious binaries.  Signature evasion  Anti-analysis techniques  Pain in the #*&#$! for all researchers!!
  • 5. Unpacking and anti-debugging  Packing/Protecting/Anti-reversing  Compression, Encryption, CRC protection  Anti-debugging  Virtualization detection  Anti-emulation  XOR stubs
  • 6. Obfuscation Evolution  String splitting:  “AD” + “ODB.S” + “treAM”  String encoding/escaping:  “%41u0044” + “Ox44%42u002ES” + “t%72eAM”  Closing html tags (e.g. </TEXTAREA>)  Code length dependant obfuscation:  arguments.callee.toString()  Server-side [poly|meta]-morphic obfuscation
  • 9. Our Approach  Emulation: a browser without a browser…  HTML Parser  DOM Implementation  Scripting Engine(s)/Interpreter(s)  Allow the page to decode itself  Don’t render content, just log everything!
  • 10. HTML Parser  The first step in emulating a browser: HTML.  Retrieve all the content needed by the page: external SCRIPTs, IFRAMEs, etc.  Side effect – basic HTML obfuscation is defeated:  <iframe src=“&#104;&#116;&#116;&#112; &#58;&#47;&#47;%77%77%77%2E%74….
  • 11. A Little DOM, Please  Modern browsers are dynamic, so our emulator must also be.  Implement Document Object Model  Attempting to detect all instances of an element by simply parsing static HTML is not enough….  createElement(‘IFRAME’);
  • 12. Coming At You Like A Spider Monkey  Integrate scripting engine(s) with our DOM to execute scripts as they are discovered  Scripts are [mostly] safe for execution  Firefox’s SpiderMonkey JavaScript Engine (MPL/GPL/LGPL)
  • 13. The Missing Pieces  Implement all of the objects/functions that the browser provides: Native JavaScript Browser Supplied eval() alert() String.fromCharCode() document.write() escape() location.href Math.random() window.status  Few internal tweaks to mimic JScript (IE)  e.g., arguments.callee.toString()
  • 14.
  • 15.
  • 16.
  • 17.
  • 18.
  • 19.
  • 20.
  • 21.
  • 22.
  • 23.
  • 24.
  • 25.
  • 26. Automated Usage  Integrated with our miners  Lots and lots of tuning … (Dec ’06)  100,000,000+ URLs analyzed every 24 hrs  Even after the initial decoding, string matching is still futile: “AD” + “ODB.S” + “treAM”
  • 27. New Technique, New Signatures  Detect specific DOM element + attribute combinations 1. New <OBJECT> created 2. <OBJECT>.classid = “BD96C556-65A3….” 3. <OBJECT>.CreateObject(“adodb.stream”)  Can still match “old fashion” signatures *inside* document.write() and eval() calls
  • 28. 24 Hours – 111M URLs 124,232 Infected (0.11%)
  • 29. Limitations – JavaScript Only?  Other Languages?  Same concepts apply!  VBScript  vbscript.dll under WinE!  Currently working on experimental version  ActionScript  Partially implemented when Adobe open sourced the engine; now part of Mozilla’s Tamarin Project
  • 30. Limitations – variable is not defined!  Attackers can potentially use intentional errors to prevent code execution  Identical input/output is very important  Easy: document.width  Hard: window.open()  Really hard: XMLHTTPRequest  Centralized verbose error logging!
  • 31. Limitations – Denial of Service  JS_SetBranchCallback  Look familiar?  Separate thread monitoring execution time
  • 32. Limitations – User Interaction  Malicious code could potentially rely upon a user’s action before execution begins  We implemented some basic event handling:  body – onload  window – focus  document – onmouse___  Not foolproof!
  • 33. CaffeineMonkey  Ben Feinstein & Daniel Peck @ SecureWorks  Released Open Source  Excellent tool for manual reverse engineering of obfuscation; needs HTML/DOM!  Promising research that attempts to identify malicious activity based on behavior, not static signatures.  http://secureworks.com/research/tools/caffeinemonkey.html
  • 34. Other Resources  Tutorials from ISC, excellent starting point  http://handlers.sans.org/dwesemann/decode/  Jose Nazario’s CanSecWest presentation  http://www.cansecwest.com/slides07/csw07-nazario.pdf  Websense Blogs  http://www.websense.com/securitylabs/blog/blog.php?BlogID=86  http://www.websense.com/securitylabs/blog/blog.php?BlogID=98  http://www.websense.com/securitylabs/blog/blog.php?BlogID=142
  • 35. The End Stephan Chenette Alex Rice Principle Security Researcher Sr .Security Researcher schenette || websense com arice || websense com