Analyzing Malicious JavaScript
2016.10.22 AV TOKYO 2016 Kazuki Takada
Who am I?
Kazuki Takada, SecureBrain Corporation
Software engineer and researcher. Originally an embedded software programmer.
I like Python and drinking modestly. I dislike JavaScript and CUDA programming.
Contents
• About banking malware
• About malicious JavaScript
Banking malware
Banking malware
• It is also called a Banking Trojan.
• It steals banking credential information and makes fraudulent money transfers.
ROVNIX
• It started to appear in Japan at the end of 2015.
• Alias name: Cidox
• Rewrites communication content by MITB (man-in-the-browser)
MITB by ROVNIX
[Diagram: MITB by ROVNIX. Actors: Victim PC (running the malware), Bank web server, Manipulation server, C&C server.]
• C&C server → Victim PC: command and configuration (e.g. the target URL).
• Victim PC → Bank web server: request; the original content is returned.
• Malware on the Victim PC: injection. It inserts a <script> into the original content of the target URL, e.g.
  <html><head>
  <title>Internet Banking</title><script src="…">
• Victim PC → Manipulation server: request for the JavaScript from the inserted <script>; the malicious JavaScript is returned.
Major banking malware in 2016
• ROVNIX
• URLZONE (other names: Shiotob, Bebloh)
• VAWTRAK (new) (other name: Snifula)
• URSNIF (other name: Gozi)
These two malware families have something in common.
The malicious JavaScript is the same.
[Censored screenshot]
Function of malicious JavaScript
Malicious JavaScript
• It has about 40,000 lines of code.
• It includes jQuery, but it is enormous even without jQuery.
• It has a common base and is customized for each bank site.
• It injects fraudulent web content: screens that push the victim to install various "security software" and screens that phish for information.
• It has been used against many countries, with versions in Japanese, English, Korean (Hangul) and Arabic, for example.
[Censored screenshot]
Behind fraudulent web content...
[Diagram: sequence behind the fraudulent web content. Actors: Victim PC, Bank, Manipulation server.]
• Login screen is shown to the Victim PC.
• Login credential info is sent to the Manipulation server.
• Login process (Victim PC ↔ Bank).
• Remittance process.
• Request of settlement info.
• Dummy screen of "security software" is shown to the victim.
• Settlement info.
• Some input screen is displayed as necessary.
Record of the fight
Pre-condition
SecureBrain Corporation
• To find out what the JavaScript manipulates, I traverse the DOM information after the content has been loaded.
Criminal
• Malware injects <SCRIPT> just after <HEAD>, so the malicious JavaScript is loaded earlier than anything else.
• Of course, there are no holds barred.
Before hiding
• Manipulation by an added <DIV>
• I can find it just by traversing the DOM information.
Round 1
• Override of alert
• It can be found with alert.toString, because that shows the content of the function.
Round 2
• Override of toString
ex)
  window.alert.toString = function() {
    return "[native code]";
  };
• It can be found with alert.toString.toString.
[Censored screenshot]
Round 3
• Nesting of toString...
• It can be found by the difference in Object.prototype.toString.
Round 4
• Override of Object.prototype.toString
• The result of Object.prototype.toString can be changed freely by the overriding function.
• The truth can be found in Function.prototype.toString.
Round 5
• Of course, Function.prototype.toString is overridden too.
(omitted)
• The difference in the property can be found with getOwnPropertyDescriptor.
Round 6
• Override of getOwnPropertyDescriptor
(omitted)
• We are now chasing it at the getOwnPropertyDescriptor level.
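One way a defender's script can combine the checks from Rounds 1 to 5 above, as an added example that is not code from the talk; it assumes Node.js and uses Math.abs inside a constructed object in place of window.alert, and the names inspectFunction, isSuspicious and demo are mine:

```javascript
// Added example (not code from the talk): a defender-side checker that applies
// the deck's Round 1-5 detection ideas to one function. Node.js has no
// window.alert, so a constructed object with Math.abs stands in for the
// untouched browser global. Helper names are assumptions of this example.

// What V8 prints for a genuine built-in, e.g. "function abs() { [native code] }".
const NATIVE_RE = /^function\b[^{]*\{\s*\[native code\]\s*\}$/;

// Collect independent signals; an attacker has to defeat all of them at once.
function inspectFunction(fn) {
  return {
    // Round 1: does fn.toString() claim native code? (trivially faked)
    claimsNative: NATIVE_RE.test(String(fn.toString())),
    // Round 2: a real built-in has no own 'toString' property.
    ownToString: Object.getOwnPropertyDescriptor(fn, 'toString') !== undefined,
    // Round 3: fn.toString should be the shared Function.prototype.toString.
    toStringIsShared: fn.toString === Function.prototype.toString,
    // Round 4: the Object.prototype.toString tag should still be a Function.
    objectTag: Object.prototype.toString.call(fn),
    // Round 5: bypass fn.toString entirely via Function.prototype.toString.
    protoSourceNative: NATIVE_RE.test(Function.prototype.toString.call(fn)),
  };
}

function isSuspicious(fn) {
  const s = inspectFunction(fn);
  return !s.claimsNative || s.ownToString || !s.toStringIsShared ||
    s.objectTag !== '[object Function]' || !s.protoSourceNative;
}

// Constructed sample: a pristine global versus the talk's Round 2 override,
// whose fake toString mimics the native form.
function demo() {
  const win = { alert: Math.abs };                   // stand-in for window.alert
  const pristine = isSuspicious(win.alert);          // expected: false
  win.alert = function alert(msg) { return msg; };   // Round 1 override
  win.alert.toString = function () {                 // Round 2 override
    return 'function alert() { [native code] }';
  };
  return { pristine, overridden: isSuspicious(win.alert) }; // overridden: true
}

// The talk's Rounds 5-6: Function.prototype.toString and
// Object.getOwnPropertyDescriptor can themselves be overridden by script that
// loaded earlier, so the page's own globals cannot be fully trusted.
```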
The fight continues...
[Censored screenshot]
Conclusion
• Having understood the JavaScript specification, the criminals keep attacking persistently.
• The JavaScript specification, which allows every object to be overridden, is a double-edged sword.
• Sharing threat information is very important.
[Censored screenshot]
Thank you!!