Page 1: Spiffy: Automated JavaScript Deobfuscation (repository.root-me.org/Virologie/EN - Spiffy: Automated JavaScript...)

Spiffy: Automated JavaScript Deobfuscation

Alex Rice, Sr. Security Researcher

Stephan Chenette, Principal Security Researcher

Page 2

Malcode analysis

Current malcode research is focused on binary analysis.

Multiple tools assist researchers in analysis: IDA, OllyDbg.

Fact: more delivery of malware is moving to the web.

A new set of skills and tools is required.

Page 3

What you know… / What you need to know…

Malicious binary analysis

Languages: Assembly, C, C++, VB, Delphi, etc.

Concepts: PE file format, Win32 function usage, unpacking, anti-disassembling tricks, etc.

Tools: IDA, OllyDbg, PEiD, ImpREC

Malicious web content analysis

Languages: (D)HTML, VBScript, JavaScript, Perl/Python/Ruby

Concepts: HTTP protocol, XMLHttpRequest, Document Object Model (DOM), browser security models, JSON

Tools: ???

Page 4

Those Who Forget History Are Doomed to Repeat It

Malcode authors will protect malicious web content the same way they protected malicious binaries.

Signature evasion

Anti-analysis techniques

Pain in the #*&#$! for all researchers!!

Page 5

Unpacking and anti-debugging

Packing/Protecting/Anti-reversing: compression, encryption, CRC protection

Anti-debugging

Virtualization detection

Anti-emulation

XOR stubs

Page 6

Obfuscation Evolution

String splitting: "AD" + "ODB.S" + "treAM"

String encoding/escaping: "%41\u0044" + "O\x44%42\u002ES" + "t%72eAM"

Closing HTML tags (e.g. </TEXTAREA>)

Code-length-dependent obfuscation: arguments.callee.toString()

Server-side [poly|meta]-morphic obfuscation

Page 7

Malicious JavaScript

Page 8

What we actually see…

Page 9

Our Approach

Emulation: a browser without a browser…

HTML parser

DOM implementation

Scripting engine(s)/interpreter(s)

Allow the page to decode itself

Don't render content, just log everything!

Page 10

HTML Parser

The first step in emulating a browser: HTML.

Retrieve all the content needed by the page: external SCRIPTs, IFRAMEs, etc.

Side effect: basic HTML obfuscation is defeated: <iframe src="&#104;&#116;&#116;&#112;&#58;&#47;&#47;%77%77%77%2E%74….

Page 11

A Little DOM, Please

Modern browsers are dynamic, so our emulator must also be.

Implement the Document Object Model

Attempting to detect all instances of an element by simply parsing static HTML is not enough…: createElement('IFRAME');

Page 12

Coming At You Like A Spider Monkey

Integrate scripting engine(s) with our DOM to execute scripts as they are discovered

Scripts are [mostly] safe for execution

Firefox’s SpiderMonkey JavaScript Engine (MPL/GPL/LGPL)

Page 13

The Missing Pieces

Implement all of the objects/functions that the browser provides:

A few internal tweaks to mimic JScript (IE), e.g. arguments.callee.toString()

Native JavaScript: eval(), String.fromCharCode(), escape(), Math.random()

Browser supplied: alert(), document.write(), location.href, window.status

Pages 14 to 26: no text was extracted from these slides.

Automated Usage

Integrated with our miners

Lots and lots of tuning… (Dec '06)

100,000,000+ URLs analyzed every 24 hrs

Even after the initial decoding, string matching is still futile: "AD" + "ODB.S" + "treAM"

Page 27

New Technique, New Signatures

Detect specific DOM element + attribute combinations

1. New <OBJECT> created

2. <OBJECT>.classid = "BD96C556-65A3…."

3. <OBJECT>.CreateObject("adodb.stream")

Can still match "old-fashioned" signatures *inside* document.write() and eval() calls

Page 28

24 Hours: 111M URLs, 124,232 infected (0.11%)

Page 29

Limitations: JavaScript Only?

Other languages? The same concepts apply!

VBScript: vbscript.dll under Wine! Currently working on an experimental version

ActionScript: partially implemented when Adobe open-sourced the engine; now part of Mozilla's Tamarin Project

Page 30

Limitations: variable is not defined!

Attackers can potentially use intentional errors to prevent code execution

Identical input/output is very important

Easy: document.width

Hard: window.open()

Really hard: XMLHttpRequest

Centralized verbose error logging!

Page 31

Limitations: Denial of Service

JS_SetBranchCallback. Look familiar?

Separate thread monitoring execution time

Page 32

Limitations: User Interaction

Malicious code could potentially rely upon a user's action before execution begins

We implemented some basic event handling: body onload, window focus, document onmouse___

Not foolproof!

Page 33

CaffeineMonkey

Ben Feinstein & Daniel Peck @ SecureWorks; released open source

Excellent tool for manual reverse engineering of obfuscation; needs HTML/DOM!

Promising research that attempts to identify malicious activity based on behavior, not static signatures.

http://secureworks.com/research/tools/caffeinemonkey.html

Page 34

Other Resources

Tutorials from ISC, an excellent starting point: http://handlers.sans.org/dwesemann/decode/

Jose Nazario's CanSecWest presentation: http://www.cansecwest.com/slides07/csw07-nazario.pdf

Websense Blogs:

http://www.websense.com/securitylabs/blog/blog.php?BlogID=86

http://www.websense.com/securitylabs/blog/blog.php?BlogID=98

http://www.websense.com/securitylabs/blog/blog.php?BlogID=142

Page 35

Stephan Chenette, Principal Security Researcher

schenette || websense com

Alex Rice, Sr. Security Researcher

arice || websense com

The End
