Spiffy: Automated JavaScript Deobfuscation
Source: repository.root-me.org/Virologie/EN
Alex Rice, Sr. Security Researcher
Stephan Chenette, Principal Security Researcher
Malcode analysis
Current malcode research is focused on binary analysis.
Multiple tools assist researchers in analysis: IDA, OllyDbg
Fact: more delivery of malware is moving to the web.
A new set of skills and tools is required.
What you know… Malicious binary analysis
Languages: Assembly, C, C++, VB, Delphi, etc.
Concepts: PE file format, Win32 function usage, unpacking, anti-disassembling tricks, etc.
Tools: IDA, OllyDbg, PEiD, ImpREC
What you need to know… Malicious web content analysis
Languages: (D)HTML, VBScript, JavaScript, Perl/Python/Ruby
Concepts: HTTP protocol, XMLHttpRequest, Document Object Model (DOM), browser security models, JSON
Tools: ???
Those Who Forget History Are Doomed to Repeat It
Malcode authors will protect malicious web content the same way they protected malicious binaries.
Signature evasion
Anti-analysis techniques
Pain in the #*&#$! for all researchers!!
Unpacking and anti-debugging
Packing/Protecting/Anti-reversing: compression, encryption, CRC protection
Anti-debugging
Virtualization detection
Anti-emulation
XOR stubs
Obfuscation Evolution
String splitting: “AD” + “ODB.S” + “treAM”
String encoding/escaping: “%41\u0044” + “O\x44%42\u002ES” + “t%72eAM”
Closing HTML tags (e.g. </TEXTAREA>)
Code-length-dependent obfuscation: arguments.callee.toString()
Server-side [poly|meta]-morphic obfuscation
Malicious JavaScript
What we actually see…
Our Approach
Emulation: a browser without a browser…
HTML parser
DOM implementation
Scripting engine(s)/interpreter(s)
Allow the page to decode itself
Don’t render content, just log everything!
HTML Parser
The first step in emulating a browser: HTML.
Retrieve all the content needed by the page: external SCRIPTs, IFRAMEs, etc.
Side effect – basic HTML obfuscation is defeated: <iframe src=“http://%77%77%77%2E%74….
A Little DOM, Please
Modern browsers are dynamic, so our emulator must also be.
Implement the Document Object Model
Attempting to detect all instances of an element by simply parsing static HTML is not enough… createElement(‘IFRAME’);
Coming At You Like A Spider Monkey
Integrate scripting engine(s) with our DOM to execute scripts as they are discovered
Scripts are [mostly] safe for execution
Firefox’s SpiderMonkey JavaScript Engine (MPL/GPL/LGPL)
The Missing Pieces
Implement all of the objects/functions that the browser provides:
Native JavaScript: eval(), String.fromCharCode(), escape(), Math.random()
Browser supplied: alert(), document.write(), location.href, window.status
A few internal tweaks to mimic JScript (IE), e.g. arguments.callee.toString()
Automated Usage
Integrated with our miners (Dec ’06)
Lots and lots of tuning…
100,000,000+ URLs analyzed every 24 hrs
Even after the initial decoding, string matching is still futile: “AD” + “ODB.S” + “treAM”
New Technique, New Signatures
Detect specific DOM element + attribute combinations:
1. New <OBJECT> created
2. <OBJECT>.classid = “BD96C556-65A3….”
3. <OBJECT>.CreateObject(“adodb.stream”)
Can still match “old-fashioned” signatures *inside* document.write() and eval() calls
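As an added example (not Websense's code), here is how a behavioural signature of this shape can be evaluated over the event log an emulator produces, beside a classic string signature applied to the decoded eval()/document.write() arguments. The log format, the rule shape and the sample events are constructed; the CLSID tail is a placeholder for the value the slide elides.

```javascript
// Added example, not Websense's code. Event log format (assumed):
// [kind, targetId, detail]. A DOM rule is an ordered list of predicates that
// must all fire on the same element; a string rule is a regex over decoded text.

// Constructed log of what a logging DOM would record for the slide's sequence.
// The CLSID tail is a placeholder, not the real identifier.
const EVENTS = [
  ["eval", null, "var s = 'AD' + 'ODB.S' + 'treAM'; eval('x(\"' + s + '\")');"],
  ["eval", null, 'x("ADODB.StreAM")'],           // nested stage, now concatenated
  ["createElement", "el1", "OBJECT"],
  ["setAttribute", "el1", ["classid", "clsid:BD96C556-65A3-XXXX-XXXX-XXXXXXXXXXXX"]],
  ["call", "el1", ["CreateObject", ["adodb.stream"]]],
  ["document.write", null, '<iframe src="http://example.invalid/"></iframe>'],
];

const OBJECT_RULE = {
  name: "OBJECT + classid BD96C556-65A3 + CreateObject(adodb.stream)",
  steps: [
    (e) => e[0] === "createElement" && e[2] === "OBJECT",
    (e) => e[0] === "setAttribute" && e[2][0].toLowerCase() === "classid" && /BD96C556-65A3/i.test(e[2][1]),
    (e) => e[0] === "call" && e[2][0] === "CreateObject" && /^adodb\.stream$/i.test(e[2][1][0]),
  ],
};

// Walk the log once, tracking how far each element has progressed through the
// rule; the steps must occur in order, but other events may be interleaved.
function matchDomRule(rule, events) {
  const progress = new Map();
  for (const ev of events) {
    const target = ev[1];
    if (target == null) continue;
    const n = progress.get(target) || 0;
    if (n < rule.steps.length && rule.steps[n](ev)) progress.set(target, n + 1);
    if (progress.get(target) === rule.steps.length) return { rule: rule.name, target };
  }
  return null;
}

// Classic signature, but applied to what eval()/document.write() actually
// received: the split literal in stage one is missed, the concatenated stage is hit.
function matchStringRule(pattern, events) {
  return events
    .filter((e) => (e[0] === "eval" || e[0] === "document.write") && pattern.test(e[2]))
    .map((e) => e[2]);
}
```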
24 Hours – 111M URLs, 124,232 infected (0.11%)
Limitations – JavaScript Only?
Other languages? Same concepts apply!
VBScript: vbscript.dll under Wine! Currently working on an experimental version
ActionScript: partially implemented when Adobe open-sourced the engine; now part of Mozilla’s Tamarin Project
Limitations – variable is not defined!
Attackers can potentially use intentional errors to prevent code execution
Identical input/output is very important
Easy: document.width
Hard: window.open()
Really hard: XMLHttpRequest
Centralized verbose error logging!
Limitations – Denial of Service
JS_SetBranchCallback – look familiar?
Separate thread monitoring execution time
Limitations – User Interaction
Malicious code could potentially rely upon a user’s action before execution begins
We implemented some basic event handling: body – onload; window – focus; document – onmouse___
Not foolproof!
CaffeineMonkey
Ben Feinstein & Daniel Peck @ SecureWorks; released open source
Excellent tool for manual reverse engineering of obfuscation; needs HTML/DOM!
Promising research that attempts to identify malicious activity based on behavior, not static signatures.
http://secureworks.com/research/tools/caffeinemonkey.html
Other Resources
Tutorials from ISC, excellent starting point: http://handlers.sans.org/dwesemann/decode/
Jose Nazario’s CanSecWest presentation: http://www.cansecwest.com/slides07/csw07-nazario.pdf
Websense blogs:
http://www.websense.com/securitylabs/blog/blog.php?BlogID=86
http://www.websense.com/securitylabs/blog/blog.php?BlogID=98
http://www.websense.com/securitylabs/blog/blog.php?BlogID=142
Stephan Chenette, Principal Security Researcher
schenette || websense com
Alex Rice, Sr. Security Researcher
arice || websense com
The End