Nick Guo, Ulysses Wang
JavaScript De-Obfuscation Engine -- JDOE
Agenda
• Obfuscation Introduction
• Anti de-obfuscation
• Browser Knowledge
• Current Solution
• JDOE
• Demo
• Challenge & Improvement
Obfuscation Introduction
Obfuscation
• Concealing the intent of the code by making the code difficult for human analysis and detection
• Copyright protection
• Hide information (e.g. email address)
• Evade detection
Obfuscation Types
• Three types of obfuscation
– Injection obfuscation
– Public packer obfuscation
– Exploit kit obfuscation
Obfuscation Types
• “As recorded in 2007, over 80% of detected malicious code was already using obfuscation”
• Most obfuscations are simple
– Injection: 83%, exploit kit: <1%
• Complex obfuscations occupy a small proportion
• Obfuscation is becoming more complex
Anti de-obfuscation
Fragmentation
• Splitting important code into pieces of JavaScript code, HTML code or external scripts
• String concatenation
– var temp="get"+"Elem"+"ent"+"ById"
• Tag concatenation
– Put content in <div>, <p>, <textarea>
– Open-source exploit kit
Fragmentation
• File concatenation
– Put critical function or data in another file
– Phoenix Exploit Kit 2.5
• Traffic concatenation
– Save data on the server; the client has to request it
External Access
• Fetch external access or perform a connection check
• Ajax fetch data
• Connection check
– Neosploit exploit kit
Condition check
• Browser detect
– uas=navigator.userAgent; while(uai<uas.length){xor+=uas.charCodeAt(uai++);}
• IE6
• Firefox
Condition check
• Time check
– getUTCFullYear()
– getUTCMonth()
– getUTCDate()
• Plugin check
– new ActiveXObject('ShockwaveFlash.ShockwaveFlash'); (IE)
– Check navigator.plugins (not IE)
Trigger Function
• Trigger a function after certain seconds
– setTimeout("alert('Hello!')",3000)
– setInterval("clock()",1000)
• Trigger a function on certain event
– <body onload="load()">
– <button id="j_id" onclick="j_function2();">
– window.attachEvent or addEventListener
• Trigger a function on plugin
– Call JS function from ActionScript
Bypass de-obfuscation tool
• Uncommon tag
• Save content in CSS
• Modification check
– var hybxs = arguments.callee; hybxs = hybxs.toString();
Browser Knowledge
Browser Component
Webkit
DOM Tree
Current Solution
Jsunpack
• Lightweight
• Spidermonkey and Python
• Set hook in js file
• Environment DOM enumeration
• Detection module (Yara)
• PDF and SWF parser
• Intrusion detection (libnids)
• http://jsunpack.jeek.org/
Fireshark
• Firefox plugin
• Main window and child frame source code
• Main window and child frame DOM tree
• HTTP request and response logged
• Malicious URL check
• URL redirection graph
• http://fireshark.org/
Malzilla
• Research tool
• Spidermonkey
• Shellcode analysis
• Limited DOM support
• http://malzilla.sourceforge.net/
Limitations
• Firefox based
• Limited DOM support
• Limited de-obfuscation
• Performance
JDOE
JDOE
• What engine do we want?
• High performance
• Good coverage
• Good output and log formats
• Analytics platform
JDOE
• JDOE is based on Google Chrome
• Render engine: WebKit
– 85% smartphone browser market
– 21% desktop browser market
– Includes DOM tree and parser
• JavaScript engine: V8
Prototyping
• JDOE is based on a test project for Chrome
• Command line tool, feasible to be ported as a server-side application
• Able to simulate basic functions of a browser
• Full DOM support
• Good fault tolerance for HTML format
• HTML format output
JDOE Architecture
JDOE advantage
• Based on Chrome and WebKit
• Strong parser
• Full DOM support
• Fast JS execution speed
• High coverage
• Good extensibility
De-obfuscation Method
• JDOE de-obfuscation method
• Hook eval()
– Get some inner status of the JavaScript
• Print the final DOM tree
– Get the final status
– document.write should add some nodes in the DOM tree
Exploit kit Coverage
• Exploit kit samples
– Samples from Top 10 exploit kits project
– Total samples: 22, JDOE success: 20
– Coverage: 90.9%
[Pie chart: JDOE Success 91%, JDOE Failed 9%]
Injection Coverage
• Injection samples
– Samples from obfuscation ThreatID matches
– Total samples: 9,544, JDOE success: 8,450
– Coverage: 88.5%
[Pie chart: JDOE Success 89%, JDOE Failed 11%]
Demo time
Challenge & Improvement
Challenge
• Security
– How to keep the JDOE server secure?
– Upgrade plan
– Sandbox
– JavaScript audit
• Performance
– Disable external access
• Coverage
– No support for special samples
– Output format defective on special samples
Improvement
• More trigger function handlers
• PDF and SWF parser
• Shellcode detection
• JavaScript audit
• Cloud-based integration
– http://aceinsight.websense.com/
– Auto analysis platform
Questions?
JDOE