malicious intent: adventures in javascript obfuscation and deobfuscation

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Malicious IntentAdventures in JavaScript Obfuscation and DeobfuscationRicky Lawshae / October, 2013


Boring Introductory Things

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.3

Who am I?

Security Researcher and Content Developer for TippingPoint• Write IPS signatures for the known bads by day• Mess with things to try and uncover the unknown bads by night

Regular Contributor at the Austin Hackers Association monthly meetups• http://takeonme.org• #aha on irc.freenode.org

Amateur lock-picker

Texas State University Alumnus (go Bobcats!)

http://takeonme.org/


What is (de)obfuscation?

Obfuscation• Basically, making your code unreadable to humans or undetectable to scanners• Look at code obfuscation contests for fun examples

– International Obfuscated C Code Contest http://www.ioccc.org/years.html– Obfuscated Perl Contest http://en.wikipedia.org/wiki/Obfuscated_Perl_Contest

Deobfuscation• Taking obfuscated code, analyzing it, and making it readable again• Uncover the true functionality of the code

http://www.ioccc.org/years.html

http://www.ioccc.org/years.html

http://en.wikipedia.org/wiki/Obfuscated_Perl_Contest

http://en.wikipedia.org/wiki/Obfuscated_Perl_Contest


Why JavaScript?

Popularity• Redmonk Analytics consistently ranked JavaScript as the 1st or 2nd most popular

programming language over the past two years [http://redmonk.com/sogrady/2013/07/25/language-rankings-6-13/]

• TIOBE Index ranks it at 9th most popular, up from 11th in 2012 and 32nd in 1998 [http://www.tiobe.com/index.php/content/paperinfo/tpci/index.html]

Flexibility• Entirely platform-independent and interpreted• New webapp frameworks gaining momentum

– Node.js– Meteor– Coffeescript

http://redmonk.com/sogrady/2013/07/25/language-rankings-6-13/

http://redmonk.com/sogrady/2013/07/25/language-rankings-6-13/

http://www.tiobe.com/index.php/content/paperinfo/tpci/index.html

http://www.tiobe.com/index.php/content/paperinfo/tpci/index.html


When is obfuscation needed?

The Light• Protect your code from copy-paste bandits• Security through obscurity (NO!)• Make code smaller

The Dark• Hide true intentions• Avoid automated detection• Buy time


How can you tell the difference?


Basic Obfuscation


String Manipulation

Concatenation• Take multiple separate strings and join them together• "He" + "l" + "l" + "o, w" + "o" + "rld!" == “Hello, world!”

unescape()• Takes a “percent encoded” string of character bytes and converts each byte to its ASCII

equivalent• unescape("%48%65%6c%6c%6f%2c%20%77%6f%72%6c%64%21") == “Hello, world!”

String.fromCharCode()• Same idea as unescape, but use a list of numbers instead of a percent encoded string• String.fromCharCode(0x48,0x65,0x6c,0x6c,0x6f,0x2c,0x20,0x77,0x6f,0x72,0x6c,0x64,0

x21)• Can be any format that JavaScript recognizes as a number (decimal, octal, hexadecimal,

etc)


Number Manipulation

Base Conversion• Mixing decimal, hexadecimal, and octal together add confusion• 10 == 0x0a == 012

Math• Simple arithmetic operations add complexity and analysis time• 10 / 2 + 5 – 9 == 1

Functions that return numbers• Using the return value of a function or property can also buy some time• " ".length == 5


Whitespace

Adding extraneous spaces and lines• Can hide things from people who aren’t looking too closely• JavaScript pretty much ignores all whitespace and comments

– alert /* blah blah blah */ ("Hello, world!");

Removing all whitespace• Make your code one long line!• Almost impossible to read through• A great way to make your code smaller for faster load times


Functions and Variables

Naming• Calling something “a” or “aflkFGsaf” is a lot less forthright than “counter”

– Single letter function and variable names also make code smaller– You can also use special characters as names: var ___;

• Misleading names can confuse users– function countToTen() { return "bacon"; }

Hiding calls• Store function names in variables

– var blah = alert; blah("Hello, world!"); • Access functions as a member of the parent (more on this later)

– window["alert"]("Hello, world!");


Misdirection and Cruft

if/else statements• Set up to always evaluate the same way• One branch contains code that will intentionally never be run• The other contains the code that is actually used

try/catch statements• Deliberately trigger an exception before code that again never gets run• Interrupt execution flow and jump to “catch” statement• “Catch” contains code that actually gets run

Unused variables• Pointless variables that have no impact on functionality


Basic Deobfuscation


Retrieve the Code; Don’t Run the Code

wget• Unix tool that fetches webpages as-is• Doesn’t have a JavaScript engine• Has many other useful options for safe browsing

– --max-redirect– --no-cookies– --user-agent

Disable JavaScript or use a NoScript-style browser plug-in• May break some functionality, but most plug-ins allow whitelisting• Once you figure out what the page is doing, you can turn it back on• Annoying at first, but worth it in the long run


Browsers and Plug-ins

Firefox• NoScript. Period.• JavaScript Deobfuscator plug-in is pretty decent• Firebug plug-in is also good

Chrome• Has built-in deobfuscator and debugger in Developer Tools• Uses an up-to-date webpage blacklist from Google to warn about malicious pages

Internet Explorer• Don’t.


Tricks to Speed Things Along

eval and document.write• Common ways to manipulate pages and run obfuscated code• Just replace with alert or console.log…• Wrap in textarea tags if you’re feeling fancy [https://isc.sans.edu/diary/

Climb+a+small+mountain.../1917]

Learn a scripting language or two• Can quickly scan and replace in a source code file• cat malicious.html | sed 's/eval/alert/g' > safe.html ; echo "BASH SCRIPTING FTW“

jsbeautifier.org and jsfiddle.net• Online tools for cleaning up and inspecting JavaScript

https://isc.sans.edu/diary/Climb+a+small+mountain.../1917





Basic Demo


Advanced Obfuscation


Language Idiosyncrasies

Bitwise math• ~ operator is a bitwise NOT (flip all the bits)

– ~N == -(N + 1)• Combine with negation [-] and you get an increment or decrement

– -~N == N + 1; ~-N == N – 1

Type confusion• JavaScript is loosely typed…very loosely typed

– [] == "" but typeof [] != typeof ""– 1 + "2" + 3 - 3 == 120

• Operators can change the type of objects– typeof [] == object; typeof ![] == boolean; typeof +[] == number


More String Tricks

Strings as numbers• toString() method can take a base as an argument

– (17795081).toString(36) == "alert"

Strings as arrays of characters• Each character in a string has an index just like an array

– var chars = "yzsnpaobcutwedrvxfqkmighjl"– chars[5] + chars[25] + chars[12] + chars[14] + chars[10] == "alert“

LOLWUT?• (![]+[])[-~+[]]+(![]+[])[-~-~+[]]+(![]+[])[-~-~-~-~+[]]+(!![]+[])[-~+[]]+(!![]+[])[+[]]

== "alert"


More Function Tricks

Implicit function calling• A function can be called by its declaration• (function (msg) { alert(msg); })("hello");

Getting reference to window• Just using window is too straightforward for us!• Use another object that is equivalent to a window object

– this["alert"]("hello"); frames["alert"]("hello"); self["alert"]("hello"); opener["alert"]("hello");

• Use a function that can return the window object

Create a function as a string (or, even better, an obfuscated string)• (new Function("alert('hello')"))()


Encoding

An algorithm mangles data and it’s only interpreted correctly by a decoding algorithm• Encoded chunk looks like garbage, and is• When run as is, it does nothing at best

Decoder block• Need a way to tell the script how to decode itself• Increases size of code and adds to likelihood of being recognized

Polymorphism and self-modification• Polymorphic code is code that rearranges itself every time it’s run• Self-modifying code is code that evolves and changes• Not technically encoding, but this is the only place it fit in my slides…


Encoding

XOR (Exclusive OR) encoding• A bitwise comparison of two things• Outputs 1 where they differ and 0 where they are equal• XOR’ing the output with one of the original things will output the other original thing

– A ^ B == C; C ^ B == A

XOR data with a secret key• Key must be same length as data (output will also be the same length)• In the case of JavaScript, key could be based on User-Agent string or something similar

– Would only decode properly when loaded in the intended browser– Could get around inspection engines– Decoder block will still be a giveaway


Advanced Deobfuscation


Things to Keep in Mind

Look for techniques that repeat• Only have to figure it out once• Did I mention scripting languages?

Malicious people are lazy• Same code reused on multiple sites• Google is your friend

Trees first, forest later


Advanced Demo


Conclusions

Infinite ways to write JavaScript• Automated analysis is hard (impossible?)• Manual analysis is easy(-ish)

Obfuscated doesn’t always mean malicious

NoScript!

Exercise your deobfuscator muscles


References

http://sla.ckers.org/forum/list.php?24 [sla.ckers.org Obfuscation Discussion forum]

https://isc.sans.edu/diaryarchive.html [Internet Storm Center Diary Archive]

https://twitter.com/HeadlessZeke [I never say anything valuable, but I am responsive]

[email protected]

http://sla.ckers.org/forum/list.php?24

http://sla.ckers.org/forum/list.php?24

https://isc.sans.edu/diaryarchive.html

https://isc.sans.edu/diaryarchive.html

https://twitter.com/HeadlessZeke

https://twitter.com/HeadlessZeke


Thank you

malicious intent: adventures in javascript obfuscation and deobfuscation

Technology