Slashdot Mirror

← Back to Stories (view on slashdot.org)

Thwarting New JavaScript Malware Obfuscation

Posted by kdawson on from the drm-never-works-give-it-up dept.

I Don't Believe in Imaginary Property writes "Malware writers have been obfuscating their JavaScript exploit code for a long time now and SANS is reporting that they've come up with some new tricks. While early obfuscations were easy enough to undo by changing eval() to alert(), they soon shifted to clever use of arguments.callee() in a simple cipher to block it. Worse, now they're using document.referrer, document.location, and location.href to make site-specific versions, too. But SANS managed to stop all that with an 8-line patch to SpiderMonkey that prints out any arguments to eval() before executing them. It seems that malware writers still haven't internalized the lesson of DRM — if my computer can access something in plaintext, I can too."

2 of 76 comments (clear)

  1. stop by ypctx · · Score: 5, Funny

    stop all that with an 8-line patch to SpiderMonkey

    Cool, and now malware engineers will lose their jobs, you insensitive clods! Internet Explorer to the rescue!

  2. Its not obfuscation by Anonymous Coward · · Score: 5, Informative

    Sure it may look like the attacker is cleverly trying to obfuscate their malware from prying eyes but usually they could care less about that. By the time you go reversing their code, they've already gotten the bulk of their victims anyway.

    Rather, they're most often using it to make the code easy to replicate elsewhere. A lot of places they'll host it will inadvertently hiccup on certain characters in the code and change them. Like < to &lt;, or + to space, or new line chars to end the string. Using an encoder that converts everything to alphanumeric is much easier to guarantee a successful propagation.

    Especially true for XSS worms