malicious intent: adventures in javascript obfuscation and deobfuscation
TRANSCRIPT
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Malicious IntentAdventures in JavaScript Obfuscation and DeobfuscationRicky Lawshae / October, 2013
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Boring Introductory Things
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.3
Who am I?
Security Researcher and Content Developer for TippingPoint• Write IPS signatures for the known bads by day• Mess with things to try and uncover the unknown bads by night
Regular Contributor at the Austin Hackers Association monthly meetups• http://takeonme.org• #aha on irc.freenode.org
Amateur lock-picker
Texas State University Alumnus (go Bobcats!)
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.4
What is (de)obfuscation?
Obfuscation• Basically, making your code unreadable to humans or undetectable to scanners• Look at code obfuscation contests for fun examples
– International Obfuscated C Code Contest http://www.ioccc.org/years.html– Obfuscated Perl Contest http://en.wikipedia.org/wiki/Obfuscated_Perl_Contest
Deobfuscation• Taking obfuscated code, analyzing it, and making it readable again• Uncover the true functionality of the code
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.5
Why JavaScript?
Popularity• Redmonk Analytics consistently ranked JavaScript as the 1st or 2nd most popular
programming language over the past two years [http://redmonk.com/sogrady/2013/07/25/language-rankings-6-13/]
• TIOBE Index ranks it at 9th most popular, up from 11th in 2012 and 32nd in 1998 [http://www.tiobe.com/index.php/content/paperinfo/tpci/index.html]
Flexibility• Entirely platform-independent and interpreted• New webapp frameworks gaining momentum
– Node.js– Meteor– Coffeescript
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.6
When is obfuscation needed?
The Light• Protect your code from copy-paste bandits• Security through obscurity (NO!)• Make code smaller
The Dark• Hide true intentions• Avoid automated detection• Buy time
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.7
How can you tell the difference?
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Basic Obfuscation
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.9
String Manipulation
Concatenation• Take multiple separate strings and join them together• "He" + "l" + "l" + "o, w" + "o" + "rld!" == “Hello, world!”
unescape()• Takes a “percent encoded” string of character bytes and converts each byte to its ASCII
equivalent• unescape("%48%65%6c%6c%6f%2c%20%77%6f%72%6c%64%21") == “Hello, world!”
String.fromCharCode()• Same idea as unescape, but use a list of numbers instead of a percent encoded string• String.fromCharCode(0x48,0x65,0x6c,0x6c,0x6f,0x2c,0x20,0x77,0x6f,0x72,0x6c,0x64,0
x21)• Can be any format that JavaScript recognizes as a number (decimal, octal, hexadecimal,
etc)
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.10
Number Manipulation
Base Conversion• Mixing decimal, hexadecimal, and octal together add confusion• 10 == 0x0a == 012
Math• Simple arithmetic operations add complexity and analysis time• 10 / 2 + 5 – 9 == 1
Functions that return numbers• Using the return value of a function or property can also buy some time• " ".length == 5
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.11
Whitespace
Adding extraneous spaces and lines• Can hide things from people who aren’t looking too closely• JavaScript pretty much ignores all whitespace and comments
– alert /* blah blah blah */ ("Hello, world!");
Removing all whitespace• Make your code one long line!• Almost impossible to read through• A great way to make your code smaller for faster load times
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.12
Functions and Variables
Naming• Calling something “a” or “aflkFGsaf” is a lot less forthright than “counter”
– Single letter function and variable names also make code smaller– You can also use special characters as names: var ___;
• Misleading names can confuse users– function countToTen() { return "bacon"; }
Hiding calls• Store function names in variables
– var blah = alert; blah("Hello, world!"); • Access functions as a member of the parent (more on this later)
– window["alert"]("Hello, world!");
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.13
Misdirection and Cruft
if/else statements• Set up to always evaluate the same way• One branch contains code that will intentionally never be run• The other contains the code that is actually used
try/catch statements• Deliberately trigger an exception before code that again never gets run• Interrupt execution flow and jump to “catch” statement• “Catch” contains code that actually gets run
Unused variables• Pointless variables that have no impact on functionality
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Basic Deobfuscation
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.15
Retrieve the Code; Don’t Run the Code
wget• Unix tool that fetches webpages as-is• Doesn’t have a JavaScript engine• Has many other useful options for safe browsing
– --max-redirect– --no-cookies– --user-agent
Disable JavaScript or use a NoScript-style browser plug-in• May break some functionality, but most plug-ins allow whitelisting• Once you figure out what the page is doing, you can turn it back on• Annoying at first, but worth it in the long run
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.16
Browsers and Plug-ins
Firefox• NoScript. Period.• JavaScript Deobfuscator plug-in is pretty decent• Firebug plug-in is also good
Chrome• Has built-in deobfuscator and debugger in Developer Tools• Uses an up-to-date webpage blacklist from Google to warn about malicious pages
Internet Explorer• Don’t.
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.17
Tricks to Speed Things Along
eval and document.write• Common ways to manipulate pages and run obfuscated code• Just replace with alert or console.log…• Wrap in textarea tags if you’re feeling fancy [https://isc.sans.edu/diary/
Climb+a+small+mountain.../1917]
Learn a scripting language or two• Can quickly scan and replace in a source code file• cat malicious.html | sed 's/eval/alert/g' > safe.html ; echo "BASH SCRIPTING FTW“
jsbeautifier.org and jsfiddle.net• Online tools for cleaning up and inspecting JavaScript
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Basic Demo
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Advanced Obfuscation
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.20
Language Idiosyncrasies
Bitwise math• ~ operator is a bitwise NOT (flip all the bits)
– ~N == -(N + 1)• Combine with negation [-] and you get an increment or decrement
– -~N == N + 1; ~-N == N – 1
Type confusion• JavaScript is loosely typed…very loosely typed
– [] == "" but typeof [] != typeof ""– 1 + "2" + 3 - 3 == 120
• Operators can change the type of objects– typeof [] == object; typeof ![] == boolean; typeof +[] == number
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.21
More String Tricks
Strings as numbers• toString() method can take a base as an argument
– (17795081).toString(36) == "alert"
Strings as arrays of characters• Each character in a string has an index just like an array
– var chars = "yzsnpaobcutwedrvxfqkmighjl"– chars[5] + chars[25] + chars[12] + chars[14] + chars[10] == "alert“
LOLWUT?• (![]+[])[-~+[]]+(![]+[])[-~-~+[]]+(![]+[])[-~-~-~-~+[]]+(!![]+[])[-~+[]]+(!![]+[])[+[]]
== "alert"
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.22
More String Tricks
Strings as numbers• toString() method can take a base as an argument
– (17795081).toString(36) == "alert"
Strings as arrays of characters• Each character in a string has an index just like an array
– var chars = "yzsnpaobcutwedrvxfqkmighjl"– chars[5] + chars[25] + chars[12] + chars[14] + chars[10] == "alert“
LOLWUT?• (![]+[])[-~+[]]+(![]+[])[-~-~+[]]+(![]+[])[-~-~-~-~+[]]+(!![]+[])[-~+[]]+(!![]+[])[+[]]
== "alert"
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.23
More Function Tricks
Implicit function calling• A function can be called by its declaration• (function (msg) { alert(msg); })("hello");
Getting reference to window• Just using window is too straightforward for us!• Use another object that is equivalent to a window object
– this["alert"]("hello"); frames["alert"]("hello"); self["alert"]("hello"); opener["alert"]("hello");
• Use a function that can return the window object
Create a function as a string (or, even better, an obfuscated string)• (new Function("alert('hello')"))()
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.24
Encoding
An algorithm mangles data and it’s only interpreted correctly by a decoding algorithm• Encoded chunk looks like garbage, and is• When run as is, it does nothing at best
Decoder block• Need a way to tell the script how to decode itself• Increases size of code and adds to likelihood of being recognized
Polymorphism and self-modification• Polymorphic code is code that rearranges itself every time it’s run• Self-modifying code is code that evolves and changes• Not technically encoding, but this is the only place it fit in my slides…
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.25
Encoding
XOR (Exclusive OR) encoding• A bitwise comparison of two things• Outputs 1 where they differ and 0 where they are equal• XOR’ing the output with one of the original things will output the other original thing
– A ^ B == C; C ^ B == A
XOR data with a secret key• Key must be same length as data (output will also be the same length)• In the case of JavaScript, key could be based on User-Agent string or something similar
– Would only decode properly when loaded in the intended browser– Could get around inspection engines– Decoder block will still be a giveaway
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Advanced Deobfuscation
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.27
Things to Keep in Mind
Look for techniques that repeat• Only have to figure it out once• Did I mention scripting languages?
Malicious people are lazy• Same code reused on multiple sites• Google is your friend
Trees first, forest later
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Advanced Demo
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.29
Conclusions
Infinite ways to write JavaScript• Automated analysis is hard (impossible?)• Manual analysis is easy(-ish)
Obfuscated doesn’t always mean malicious
NoScript!
Exercise your deobfuscator muscles
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.30
References
http://sla.ckers.org/forum/list.php?24 [sla.ckers.org Obfuscation Discussion forum]
https://isc.sans.edu/diaryarchive.html [Internet Storm Center Diary Archive]
https://twitter.com/HeadlessZeke [I never say anything valuable, but I am responsive]
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Thank you