web application security lab

De-Obfuscation Woes

I ran into an interesting article on SANS that I think proves an interesting point about the next generation of JavaScript malware: decoding that is browser-dependent and self-dependent. The article explains two techniques the malware author used to return different values depending on how you attempt to dump the code in a visible way, and depending on which browser you use. It is a very interesting read, partly because it seems to be the first time the SANS guys have done this, which makes it more interesting than if I had said the same thing, and partly because it describes in pretty good detail the deobfuscation issues they ran into themselves.

I too use nearly the exact same methodology as the author. Unfortunately I have not come across a good tool, such as a JavaScript decompiler, that would have completely obviated this issue. The closest I’ve come across is a decompiler that has no DOM whatsoever (not particularly useful when we are talking about a web page). It would be interesting to have such a tool, though, because it would make it possible to traverse a JavaScript function without worrying about it actually executing without warning. Sure, you can do other things like watch the HTTP traffic in transit (easy enough to do), but that may not be enough information (perhaps it calls different sites at different times of day, or based on your browser type, your screen width, or any of hundreds of other variables).

Of course a decompiler would have similar issues, because it would still only follow a specific path based on the variables you had on hand, so perhaps that’s not the best way to do it. Another possibility is measuring relative entropy: if a JavaScript function has high entropy, it could be considered untrustworthy. Of course the malware author could then pad the script with a lot of nulls, whitespace, or other characters that get stripped, which would bring the entropy down to much lower levels. All of these ideas probably need a lot more thought, but JavaScript really is beginning to show how obfuscation makes straight detection much harder.
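As an added example (not code from the original post or from SANS), the script below measures the Shannon entropy of a script body both raw and after a normalisation step that drops what the JavaScript engine ignores anyway (block comments, whitespace, NUL bytes). The three samples are constructed for the example: a readable script, a pseudo-random base64-looking blob standing in for an encoded payload, and that same blob padded with NULs and whitespace in the way the paragraph above describes. The `THRESHOLD_BITS` cut-off, the `constructedBlob` generator and the sample scripts are assumptions of the example, not values from the post.

```javascript
'use strict';

// Shannon entropy in bits per character: 0 for a constant string, up to
// log2 of the number of distinct characters for a uniform one.
function shannonEntropy(text) {
  if (text.length === 0) return 0;
  const counts = new Map();
  for (const ch of text) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / text.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Normalisation: strip block comments, whitespace and NUL bytes before
// measuring, so padding with them cannot dilute the score.
// (Line comments are left alone here so that "http://" in strings survives.)
function normalizeScript(src) {
  return src
    .replace(/\/\*[\s\S]*?\*\//g, '')  // block comments
    .replace(/[\s\u0000]+/g, '');      // whitespace and NULs
}

// The number a scanner would actually threshold.
function normalizedEntropy(src) {
  return shannonEntropy(normalizeScript(src));
}

// Deterministic random-looking filler (Park-Miller generator) standing in for
// an encoded payload. Constructed for this example; it is not real malware.
function constructedBlob(length, seed = 20071) {
  const alphabet =
    'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
  let x = seed;
  let out = '';
  for (let i = 0; i < length; i++) {
    x = (x * 48271) % 2147483647;
    out += alphabet[(x >>> 8) % 64];
  }
  return out;
}

// Constructed samples: readable code, an encoded blob, and the encoded blob
// with a NUL, a newline and four spaces inserted between every character.
const plainScript =
  'function greet(name) { document.title = "Hello, " + name; }\ngreet("reader");';
const encodedScript = 'eval(atob("' + constructedBlob(512) + '"));';
const paddedScript = encodedScript.split('').join('\u0000\n    ');

// Assumed cut-off in bits per character; tune against a real corpus.
const THRESHOLD_BITS = 5.0;

function isSuspicious(src) {
  return normalizedEntropy(src) > THRESHOLD_BITS;
}

// Raw versus normalised entropy for all three samples.
function report() {
  const row = (s) => ({ raw: shannonEntropy(s), normalized: normalizedEntropy(s) });
  return { plain: row(plainScript), encoded: row(encodedScript), padded: row(paddedScript) };
}

console.log(report());
```

Run with Node. The raw entropy of the padded sample falls below that of the readable script, which is exactly the evasion the paragraph predicts; after normalisation the padded and unpadded payloads score identically, because the padding was made of characters the engine discards. Stripping before measuring closes that particular trick, but it does not help against an author who lowers entropy with characters that are real code (long runs of repeated identifiers, say), so this is one signal among several rather than a verdict on its own.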

One Response to “De-Obfuscation Woes”

  1. WhiteAcid Says:

    I asked for a copy of the original JavaScript and they were happy to send me a copy. First the obligatory warning:
    The password for the zip is “infected”. Please be careful when playing with this, if you run it from unpatched Internet Explorer it will execute the exploit which drops a downloader.