Slashdot Mirror

← Back to Stories (view on slashdot.org)

Thwarting New JavaScript Malware Obfuscation

Posted by kdawson on from the drm-never-works-give-it-up dept.

I Don't Believe in Imaginary Property writes "Malware writers have been obfuscating their JavaScript exploit code for a long time now and SANS is reporting that they've come up with some new tricks. While early obfuscations were easy enough to undo by changing eval() to alert(), they soon shifted to clever use of arguments.callee() in a simple cipher to block it. Worse, now they're using document.referrer, document.location, and location.href to make site-specific versions, too. But SANS managed to stop all that with an 8-line patch to SpiderMonkey that prints out any arguments to eval() before executing them. It seems that malware writers still haven't internalized the lesson of DRM — if my computer can access something in plaintext, I can too."

62 of 76 comments (clear)

  1. SANS by Anonymous Coward · · Score: 1, Funny

    I'm still not sure what I think of them.
    I mean, it's a great idea. But they update their diary every day, which means for the most part, it's totally boring crap. Today's entry is a little different.

    I still think of SANS as a bunch of old guys all sort of pontificating about the most mundane things. Wind back 5 years and I think they had a valid part to play, especially with the amount of viruses and worms flying around. These days, not so much. Security is so much higher on everyone's radar that they're a bit old in the tooth now.

    This is still good work though and I do appreciate it. I just wonder if they need "handlers" and daily updates anymore, the Internet just isn't that risky anymore.

    Tim

    1. Re:SANS by sm62704 · · Score: 2, Insightful

      But they update their diary every day, which means for the most part, it's totally boring crap.

      Welcome to my slashdot journal (NSFW)

      they're a bit old in the tooth now

      Piece of cake, easy as pie. The saying is "long in the tooth", comrad.

      the Internet just isn't that risky anymore.

      You're not paying attenton.

      --
      mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
    2. Re:SANS by mweather · · Score: 1

      Agreed, only because with Windows normal means you're running anti-virus from behind a firewall.

  2. A case of "duh" by Annymouse+Cowherd · · Score: 2, Interesting

    Is it just me or is this way of getting around it mind-blowingly obvious.

    The techniques the malware writers are using are quite interesting though, i've never heard of arguments.callee.

    1. Re:A case of "duh" by kesuki · · Score: 3, Interesting

      "Is it just me or is this way of getting around it mind-blowingly obvious."

      even more mind blowingly obvious, is noscript. it's pretty hard for java/javascript based malware to infect you when the browser won't automatically launch javascript or java.

      --
      https://www.gnu.org/philosophy/free-sw.html
  3. DRM and copy protection schemes by spion666 · · Score: 2, Informative

    It seems that malware writers still haven't internalized the lesson of DRM -- if my computer can access something in plaintext, I can too.

    In fact, thats the lesson from any digital copy protection scheme, some of which precede DRM (at least the term DRM)

    1. Re:DRM and copy protection schemes by panaceaa · · Score: 4, Interesting

      I'm glad you highlighted that line of the summary. The point of the obfuscation was to slow down analysis of the code and require special tools (SpiderMonkey) that average web users don't have. Here the malware author clearly won. The article author spent hours figuring out a new obfuscation technique and writing an article about it. If there are malware detectors, they have to be updated to detect the new obfuscations.

      This is not the traditional DRM argument. No one's trying to decode a video or music file they have legal rights to access. This is a malware arms race: The point IS to hide what's going on, not to lock things down. What's more interesting here, and not even discussed, is the parallel between Javascript malware development and computer viruses. The technique the author uncovered is an adaptation of polymorphic virus concepts into web malware. And while the technique is something many developers could come up with, I haven't heard being used in practice yet, so it's likely a noteworthy step in the arms race.

      --
      my blog
    2. Re:DRM and copy protection schemes by Jherek+Carnelian · · Score: 1

      The point IS to hide what's going on, not to lock things down.

      Right, this is not security through obscurity folks.
      It is obscurity through obscurity!

    3. Re:DRM and copy protection schemes by zeptobyte · · Score: 1

      Oh that'll never work.

    4. Re:DRM and copy protection schemes by kesuki · · Score: 1

      "The point of the obfuscation was to slow down analysis of the code and require special tools (SpiderMonkey) that average web users don't have."

      noscript is an easy firefox add-on. if you're advising 'normal' people how to use the internet safely, you'd have told them to use noscript and only allow really trusted sites that you can't live without.

      personally, I don't trust any site that much. besides, with noscript, slashdot tells you to use the old style instead of the new style layout.

      --
      https://www.gnu.org/philosophy/free-sw.html
    5. Re:DRM and copy protection schemes by CodeBuster · · Score: 1

      Here the malware author clearly won

      No more than the RIAA has "won" by imposing or using DRM on their music downloads and on iTunes. In that case it only takes one cracked version to leak out before everyone else gets the benefit of the original cracker's behavior ad-infinitum. Likewise, once the detection is worked into a Javascript blocking and filtering tool, such as no-script, everyone using no-script benefits from the original analysis (it doesn't have to be cracked afresh each time it comes up). So the malware author is really only inconveniencing the really uninformed users and not those who understand and take steps to protect their hosts from attack.

    6. Re:DRM and copy protection schemes by asrail · · Score: 1

      SpiderMonkey is the Mozilla's C's JavaScript engine - they got one in Java, called Rhino and one in JavaScript that I don't remember its naming.

      SpiderMonkey is used on the Firefox browser, so a millions of people got it handy.

      It's fairly easy to make a graphical interface to allow any end user to copy or save the data to a file.

      Everywhere you have to update your techniques when new malwares appear.
      The better your heuristic, the less you have to update.

    7. Re:DRM and copy protection schemes by nahdude812 · · Score: 1

      Plus Firebug 1.2 already does what their patch does. If you want to see what the final execution result is, click the dropdown in the Scripts window to see the text of all eval() calls.

      How long until they do setTimeout("final code", 1) instead of eval(), and how long until they do document.write("<div id='foo' onclick='malware.code;'></div>"); document.getElementById('foo').onclick(); etc? As gp said, it's a malware arms race, they're changing their obfuscation techniques to bypass the current market tools.

      There's a lot of ways to generate on-the-fly code to execute in javascript, automated tools are going to have a hard time coping with all possible variants.

      --
      Slay a dragon... over lunch!
  4. first post? by hesaigo999ca · · Score: 2, Funny

    This is too much, now we all will have to download a pre validator for javascript to view the code (what does this code do, i can't read this, I am an 80 year old grandmother...) before going to the webpage and view it...sucks to go on the web these days!

    1. Re:first post? by loftwyr · · Score: 1

      No, no... it prints it out to itself and then executes it. You'll see no more than you did before.

      Unless you're a hacker and then it will stick it's tongue out at you first.

  5. Baby & Bathwater? by XanC · · Score: 4, Informative

    There are certainly legitimate uses of eval, and legitimate reasons to "obfuscate". Like to compress the script that you send to each & every client. The savings in bandwidth for you (and for them, especially if they're on dialup) can add up. For example: http://www.javascriptcompressor.com

    1. Re:Baby & Bathwater? by larry+bagina · · Score: 1

      gzip compression is just as effective.

      --
      Do you even lift?

      These aren't the 'roids you're looking for.

    2. Re:Baby & Bathwater? by XanC · · Score: 1

      Well, if you leave off the base62 encode option, you get a file that's "prepped" for better gzipping. But of course that doesn't require an eval, which was the point of this whole thread, so you're right about that.

      I've also noticed, though, that IE will barf on long Javascript files, so doing the base62 compression on the Javascript even with gzip is a workaround for that.

    3. Re:Baby & Bathwater? by VGPowerlord · · Score: 1

      Exactly how do you "prep" a file for gzipping? Remove all the linebreaks and spaces?

      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
    4. Re:Baby & Bathwater? by XanC · · Score: 1

      Yes, and also to shrink variable names, arguments, etc. See Javascript compression guru Dean Edwards's take on the subject.

    5. Re:Baby & Bathwater? by TLLOTS · · Score: 1

      Simply minifying your scripts by stripping out comments and unneeded whitespace will do almost as good a job compressing the data with eval. Add in gzipping and the difference is negligible, plus there's no additional delay on the client side when that script is decompressed for each and every page that uses it.

  6. document.referrer by Anders · · Score: 4, Interesting

    I turn off referrer headers for privacy (set network.http.sendRefererHeader to 0 in about:config in Firefox). Now it seems that it can also save me from malware :-). Why would you want it enabled, anyway?

    1. Re:document.referrer by ypctx · · Score: 2, Informative

      Many sites won't work without it, mainly to prevent "hotlinking".

    2. Re:document.referrer by geminidomino · · Score: 3, Interesting

      I turn off referrer headers for privacy (set network.http.sendRefererHeader to 0 in about:config in Firefox). Now it seems that it can also save me from malware :-).

      Why would you want it enabled, anyway?

      Silly websites that check it as some sort of "security." Easily foiled by sending the site's own URL as the referer though.

    3. Re:document.referrer by Anders · · Score: 2, Informative

      Many sites won't work without it, mainly to prevent "hotlinking".

      That is about as effective as User-Agent sniffing.

      This Firefox addon gives you arbitrary Referer headers on a per-site basis.

    4. Re:document.referrer by ArcticFlood · · Score: 2, Informative

      Most "hotlinking prevention" methods (either in a .htaccess or in PHP) that I've seen allow no referrer, since no referrer usually means it was a bookmark or a URL entered by hand. Since this also allows people to copy and paste links to site, these methods are generally pointless unless there is a real problem.

      --
      This is here so you don't ignore the last two lines of my posts.
    5. Re:document.referrer by vrmlguy · · Score: 1

      I turn off referrer headers for privacy (set network.http.sendRefererHeader to 0 in about:config in Firefox). Now it seems that it can also save me from malware :-).

      Why would you want it enabled, anyway?

      Silly websites that check it as some sort of "security." Easily foiled by sending the site's own URL as the referer though.

      Of course, that might revive any Javascript malware.

      --
      Nothing for 6-digit uids?
    6. Re:document.referrer by ypctx · · Score: 1

      If you allow no referrer for a web page, you will usually get no traffic from outside, like from search engines and other pages that might link to you.
      If you allow any referrer for an image, you are allowing anybody to embed this image into their page, thus stealing your bandwidth. To prevent that, you only allow your own pages to refer to your own images. Of course this can be spoofed manually by the client, but too complicated for most people.
      A funny thing is that the "HTTP_REFERER" header name is wrongly spelt, and it made it so to the the HTTP RFC.

    7. Re:document.referrer by VGPowerlord · · Score: 1

      I turn off referrer headers for privacy (set network.http.sendRefererHeader to 0 in about:config in Firefox). Now it seems that it can also save me from malware :-).

      Why would you want it enabled, anyway?

      Silly websites that check it as some sort of "security." Easily foiled by sending the site's own URL as the referer though.

      Even that doesn't work for all sites. Newegg, for example, won't let you finish checking out if you forge the referrer. I had to add an exception to it to RefControl.

      P.S. I have RefControl set to Forge by default, which sends the site's base URL as the referrer.

      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
    8. Re:document.referrer by ArcticFlood · · Score: 2, Informative

      I was unclear. I meant an empty referrer, which occurs when you weren't referred by a URL (such as typing the URL manually or clicking a bookmark). If you prevent the use of an empty referrer, your page cannot be bookmarked or manually typed in the address bar, which is why it is allowed.

      --
      This is here so you don't ignore the last two lines of my posts.
    9. Re:document.referrer by Nos. · · Score: 2, Interesting

      I check the referrer header for images on some sites, not for security, but for reducing bandwidth thieves doing hotlinking. On more than one occasion folks have linked to images on busy forum sites which costs me bandwidth. Checking that the referrer is either the local site or blank reduces that bandwidth waste to virtually zero. Yes, some will still get through, but the few minutes it takes to add to the virtual host configuration in Apache is well worth it.

    10. Re:document.referrer by antdude · · Score: 1

      Some sites hate it and I get blocked, missing images, etc. :(

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    11. Re:document.referrer by Snaller · · Score: 1

      "Why would you want it enabled, anyway?"

      To access the thousands of sites which check it to make sure nobody isn't "stealing" their bandwith.

      --
      If Google really cared they would fix Android Chrome to reflow text, instead of discriminating
    12. Re:document.referrer by Bisqwit · · Score: 1

      Because website authors can use the referrer field to improve their services, by figuring out which access patterns are most common, and which links should be made more or less prominent.
      By hiding that information, you are depriving them of that possibility, and you are therefore depriving the Internet a certain means of becoming better.

    13. Re:document.referrer by atraintocry · · Score: 1

      I agree with your method, but "bandwidth thief" is misplaced. Nothing wrong with a referrer check, and I don't hotlink on forums...it's rude. But that's it. Rude, at best...not thievery. You posted the image, and it's your hosting bill. So if you only want it served in a specific context (certain referrer, certain browser, who knows) it's your responsibility to host it that way. Otherwise, people's browsers are asking for the image, and you're serving it. If you don't like giving out Halloween candy, don't answer the door.

    14. Re:document.referrer by abigsmurf · · Score: 1

      Some sites could potentially use it to aid in navigation. It's not a great option to use it but it can be better than using back options, especially if there are lots of forms used in the site.

      Never actually used it like that (prefer to store that kind of thing in session variables if I'm forced to) but I could see someone doing so

    15. Re:document.referrer by Nos. · · Score: 1

      If you don't like giving out Halloween candy, don't answer the door.

      Its more like my neighbour handing out the candy I bought. He gets the "credit" while I paid for the goodies.

    16. Re:document.referrer by IdeaMan · · Score: 1

      I thought this was Slashdot, and privacy trumped all?
      Any time we give information away it gets used against us. Thanks to one of the previous posters as of today I now use RefControl.

      --
      They ARE out to get you simply because They are in it for themselves and they don't care about you.
  7. DRM Lesson by MyLongNickName · · Score: 2, Insightful

    It seems that malware writers still haven't internalized the lesson of DRM â" if my computer can access something in plaintext, I can too.

    The malware writers don't need a 100% success rate. They are simply tring to get their software on enough machines to build a nice bot empire.

    --
    See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
    1. Re:DRM Lesson by Urd.Yggdrasil · · Score: 1

      Exactly, the idea behind javascript obfuscation is to get past automated tools (antivirus engines) not flesh and blood analysts, and it does the job very well. It really isn't the same thing as DRM.

  8. stop by ypctx · · Score: 5, Funny

    stop all that with an 8-line patch to SpiderMonkey

    Cool, and now malware engineers will lose their jobs, you insensitive clods! Internet Explorer to the rescue!

  9. Comment removed by account_deleted · · Score: 4, Insightful

    Comment removed based on user account deletion

  10. Re:So how does this solve anything in the real wor by larry+bagina · · Score: 1

    if you're using JSON (fairly common now), there's a good chance you're using eval(). Generally, it's overused and can be replaced with other techniques in a modern browser/js interpreter

    --
    Do you even lift?

    These aren't the 'roids you're looking for.

  11. Re:So how does this solve anything in the real wor by Anders · · Score: 4, Informative

    This is not a detection method. It is merely an aid in reverse engineering, once you have found some malware that you want to analyze.

  12. Re:Threat levels? by martinw89 · · Score: 2, Insightful

    Ouch, I didn't realize how common this was. Feel free to moderate the grandparent post into oblivion.

  13. old school protection by Threni · · Score: 1

    lets hope they don't try stuff like this:

    http://en.wikipedia.org/wiki/Rob_Northen_copylock

    it was hard. I guess there's no way to use special cpu modes, but you could still knock up a large amount (megs) of seemingly random data which contains code which you decrypt a few bytes at a time, re-encrypting the 'code' you just executed and hide, within thousands of jumps, loops and other messed up logic the actual guts of your code.

  14. Re:Funding by CatBegemot · · Score: 1

    Sorry, your job application has been denied. If you don't know where we are you don't belong here. :)

  15. Re:Funding by Joebert · · Score: 1

    Apparently I don't belong on either side of the fence. I suppose I'll just have to burn it down with my bait of flame. :)

    --
    Wanna fight ? Bend over, stick your head up your ass, and fight for air.
  16. Its not obfuscation by Anonymous Coward · · Score: 5, Informative

    Sure it may look like the attacker is cleverly trying to obfuscate their malware from prying eyes but usually they could care less about that. By the time you go reversing their code, they've already gotten the bulk of their victims anyway.

    Rather, they're most often using it to make the code easy to replicate elsewhere. A lot of places they'll host it will inadvertently hiccup on certain characters in the code and change them. Like < to &lt;, or + to space, or new line chars to end the string. Using an encoder that converts everything to alphanumeric is much easier to guarantee a successful propagation.

    Especially true for XSS worms

  17. eval() by smoker2 · · Score: 1

    Surely, that should read -
    evil()
    ?
    It is after all, an inbuilt function of Javascript.

  18. Re:So how does this solve anything in the real wor by cparker15 · · Score: 2, Interesting

    See http://www.json.org/js.html

    If you're using JSON, you're using eval(). Sure, there are some workarounds that avoid calling the eval() function directly, but in the end, they all eval-uate remote code.

    JSON parsers use eval() after checking the JSON string to make sure it's actually a JSON string.

    cat http://www.json.org/json2.js | grep eval(

    --
    Have you driven a fnord... lately?

    You must wait a little bit before using this resource; please try again later.

  19. Re:Threat levels? by Jherek+Carnelian · · Score: 1

    Ouch, I didn't realize how common this was. Feel free to moderate the grandparent post into oblivion.

    No, don't. Just because 'everyone' does it doesn't make it any less stupid.
    Its like the terrorism threat levels - they don't have any correspondance to what is likely to happen to you as an individual. Even if SANS says the "internet threat level is green" you can still get DDOS'd, or get infected by a virus, or browse to the wrong website and get suckered by a cross-site scripting attack, or any number of other things.

    The internet is just as dangerous to individuals regardess of what the 'threat level' is.

  20. Re:So how does this solve anything in the real wor by QuestionsNotAnswers · · Score: 1

    If someone can modify your JSON messages, they can inject script into any .js files requested. If your JSON generation is unsafe, then go home.

    --
    Happy moony
  21. I'm not sure it's more than a speedbump by Anonymous Coward · · Score: 1, Interesting

    > I'm glad you highlighted that line of the summary. The point of the obfuscation was to slow down analysis of the code and require special tools (SpiderMonkey) that average web users don't have. Here the malware author clearly won. The article author spent hours figuring out a new obfuscation technique and writing an article about it.

    Actually, it looks like they spent more time writing about it than solving it. That 8-line patch isn't exactly complex, and it appears that it'll kill most techniques they can use. Their only hope now is to rely on various variables that won't be present in the interpreter, but there's a limit to how complex those can be.

    Also there's the fact that the guy's script was buggy thanks to case sensitivity (he named a file .HTM instead of .htm). But you have a point about them only needing to slow folks down, even though I don't think they're getting slowed down very much compared to all the work going into those obfuscation techniques.

  22. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  23. JavaScript? by PPH · · Score: 1

    Isn't that the thing I've got turned off in my preferences?

    --
    Have gnu, will travel.
  24. Re:Threat levels? by atraintocry · · Score: 1

    You were right the first time...it's marketing. Plenty of security sites out there aimed at IT folks that discuss these things rationally and aren't trying to scare you. Similarly, I've dealt with levelheaded IT guys and I've dealt with the ones who bust through the door talking about obscure exploits, hoping to catch someone who can't smell the BS and will pay for fake peace of mind.

  25. Save yourself some headache, just gzip it by patio11 · · Score: 2, Informative

    It isn't an either/or choice, but programs with verbose variable names (which is typically one of the first targets of javascript compression: "replace timeSinceLastUpdate with r") compress disgustingly well. You may find that the gzip compression is effective enough that the obfuscation isn't worth the various attendant headaches (maintaining two versions of the code, etc).

    --
    Help poke pirates in the eyepatch, arr.
  26. A more detailed analysis by X · · Score: 2, Interesting

    I did a fairly detailed analysis of an instantiation of typical Javascript malware these days.

    --
    sigs are a waste of space
  27. Re:So how does this solve anything in the real wor by vrmlguy · · Score: 1

    If you're using JSON, you're using eval(). Sure, there are some workarounds that avoid calling the eval() function directly, but in the end, they all eval-uate remote code.

    Did you even bother to read that page that you directed me to?

    To defend against this, a JSON parser should be used. A JSON parser will recognize only JSON text, rejecting all scripts. In browsers that provide native JSON support, JSON parsers are also much faster than eval.

    So, you're claiming that a JSON parser, which is faster than eval, checks its input and then calls eval. I think I see a contradiction.

    Or are you talking about legacy browsers that don't yet provide JSON support? In that case, I hope that you aren't invoking eval either directly or from some home-grown function library, but are using that json2.js that you point to; yes, it sometimes (not always!) uses eval, but only after checking that the browser doesn't provide a native JSON object. Furthermore, if you eliminate comments and blank lines from json2.js, you're left with 174 lines of code, of which one line invokes eval, and most of the rest make sure that there isn't anything bad hidden inside the text. I suspect that those 173 lines of code are better than anything that you or I could whip out on short notice.

    --
    Nothing for 6-digit uids?
  28. Re:So how does this solve anything in the real wor by cparker15 · · Score: 1

    Was there even a point to your tirade?

    My comment was in reply to your sweeping generalization that “everyone” knew using eval() is just setting oneself up for failure. json2.js is proof that, with adequate attention given to security, eval() usage isn't a problem.

    To the best of my knowledge, as of this writing, the only browser that supports native JSON is Firefox 3/Mozilla 1.9: http://developer.mozilla.org/en/docs/nsIJSON -- this still excludes most people, however.

    The rest all require an external parser, such as Crockford's, which eval()s JSON code for everyone else. If you personally feel like writing a JSON parser based entirely on a combination of regex and String.substring()/String.indexOf(), for the sole purpose of avoiding evil eval(), be our guest.

    --
    Have you driven a fnord... lately?

    You must wait a little bit before using this resource; please try again later.

  29. Re:So how does this solve anything in the real wor by vrmlguy · · Score: 1

    My point was that programmers shouldn't use eval() in Javascript, just like programmers shouldn't use goto statements. That doesn't mean that you can't use tools that use those features (I use yacc and lex many times a year), it just means that using them is very hazardous and best avoided. And yes, I realize that this means that there are exceptions to the rule, since it is programmers who write those tools, but those exceptions are very, very, limited. Thinking that you can whip out some code that uses eval() just because json.js uses it is a supreme act of hubris. I wouldn't let anyone I work with use an eval(), no matter what the circumstances, because circumstances change and it's unlikely that the code will change in lockstep. Nor would I use some random library that someone found somewhere. I'd want code that had been looked at by a lot more eyes than mine and tested in the field in a lot of deployments. Crockford's stuff meets that criteria. Anything you might come up with is unlikely to.

    --
    Nothing for 6-digit uids?