![]() In this paper, we propose a novel methodology that can detect obfuscated strings in the malicious web pages. It is difficult to decide whether the sting is obfuscated because the shape of obfuscated strings are changed continuously. JSDetox does not execute the analyzed JavaScript code in the browser, it uses V8 (JS engine of the chrome browser) on the backend - nonetheless it should be executed in an isolated virtual machine.Recently, most of malicious web pages include obfuscated codes in order to circumvent the detection of signature-based detection systems. ![]() ![]() Please see for more samples or watch the screencasts: Var OoF2wUnZ = parseInt(document.getElementById("AU4Ae").innerHTML) It has two main features: static analysis tries to optimize code that is "bloated up", e.g. JSDetox does not try to deobfuscate everything automatically - the main purpose is to support manual analysis. I am the author of JSDetox, thanks to Jurriaan Bremer for mentioning it!Īs already said every obfuscation scheme is different. I'd be interesting in hearing about other tools and techniques for dealing with this kind of code. So I was able to get what I needed and identify the malware that it was trying to drop - but the process was too slow and risky.Īre there better ways to run javascript like this in a secure sandbox to minimize the risks that go with executing it? I don't see any way a tool could be built to generically deobfuscate this kind of code, so I don't see any way around running it (or building one-off tools, which is also time consuming). This was able to get me the value I was looking for, but the process took too long - and if I had missed another eval it's possible that I could have executed what was clearly malicious code. To quickly get the value of a I modified the code to Base64 encode it and output the value, and then opened the HTML file in Chrome on a VM (disconnected from the network): document.write(window.btoa(a)) In this case e had been aliased to eval and a was a string that had been manipulated by the various functions at the beginning of the file (and passed around via a series of misleading assignments). Looking at the code, there were a few methods that were designed to be confusing, and then several KB of strings like this that would eventually be decoded as javascript and executed: 22=" 4kqkk 255ie 35bnh 4mehn 2lh3b 7i29n 6m2jb 7jhln 562ik."Īfter digging around for a few minutes I was able to determine that the bit of code I really carded about was this: try Next I tried running it through jsunpack to see if it could make any sense of it - no luck, it broke the parser. I started with running the URL through VirusTotal, which scored 0/46 - so it was something of interest and not being detected by Anti-Virus software (at least statically). I've seen several variations on this code - there are enough similarities that it's clear that they have the same source, but different enough that the solution to deobfuscate changes each time. I was recently analyzing a web page that contained some highly obfuscated JavaScript - it's clear that the author had went through quite a bit of effort to make it as hard to understand as possible.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |