Thwarting New JavaScript Malware Obfuscation

Posted by kdawson on Tuesday July 15, 2008 @07:04AM from the drm-never-works-give-it-up dept.

I Don't Believe in Imaginary Property writes "Malware writers have been obfuscating their JavaScript exploit code for a long time now and SANS is reporting that they've come up with some new tricks. While early obfuscations were easy enough to undo by changing eval() to alert(), they soon shifted to clever use of arguments.callee() in a simple cipher to block it. Worse, now they're using document.referrer, document.location, and location.href to make site-specific versions, too. But SANS managed to stop all that with an 8-line patch to SpiderMonkey that prints out any arguments to eval() before executing them. It seems that malware writers still haven't internalized the lesson of DRM — if my computer can access something in plaintext, I can too."

1 of 76 comments (clear)

Min score:

Reason:

Sort:

Threat levels? by martinw89 · 2008-07-15 07:13 · Score: 0, Troll

I guess I'm new to this whole Internet thing; I haven't been to SANS ICS before. But what's up with the color coded threat level indicator? Doesn't that seem a little pointless and similar to the ridiculed DHS Threat Level? I don't know, I respect their opinion, it's just harder to trust someone with an "internet threat level" indicator.