JavaScript De-Obfuscation Engine -- JDOE Nick Guo, Ulysses Wang
Agenda • Obfuscation Introduction • Anti de-obfuscation • Browser Knowledge • Current Solution • JDOE • Demo • Challenge & Improvement
Obfuscation Introduction Phase I Review
Obfuscation • Concealing the intent of the code by making it difficult for humans to analyze and for tools to detect • Copyright protection • Hiding information (e.g. email addresses) • Evading detection
Obfuscation Types • Three types of obfuscations • Injection obfuscation • Public Packer Obfuscation • Exploit Kit Obfuscation
Obfuscation Types • “As recorded in 2007, over 80% of detected malicious code was already using obfuscation” • Most obfuscations are simple. • Injection: 83%, exploit kit: <1% • Complex obfuscations make up a small proportion. • Obfuscation is becoming more complex
Anti de-obfuscation JDOE Prototype
Fragmentation • Splitting important code into pieces of JavaScript code, HTML code or external scripts • String concatenation • var temp="get"+"Elem"+"ent"+"ById" • Tag concatenation • Put content in <div>, <p>, <textarea> • Open-source exploit kit
Fragmentation • File concatenation • Put a critical function or data in another file • Phoenix Exploit Kit 2.5 • Traffic concatenation • Save data on the server; the client must request it
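As an added example (JavaScript, not code from the slides or from the JDOE project), the following static pass folds adjacent string-literal concatenations, the simplest form of fragmentation listed above, so that "get"+"Elem"+"ent"+"ById" becomes a single literal before any dynamic analysis runs. The names tokenize() and foldStringConcat() are chosen here; the inputs in the usage section are constructed.

```javascript
// Added example (not JDOE code): fold "a" + "b" + 'c' into one literal, the
// static counterpart to what a browser does at run time for fragmented strings.
// tokenize() and foldStringConcat() are names chosen for this illustration.

const SIMPLE_ESCAPES = { n: "\n", t: "\t", r: "\r", b: "\b", f: "\f", v: "\v", "0": "\0" };

// Split source into decoded string literals, '+' signs, whitespace, and
// everything else copied through one character at a time.
function tokenize(src) {
  const tokens = [];
  let i = 0;
  while (i < src.length) {
    const c = src[i];
    if (c === '"' || c === "'") {
      let j = i + 1;
      let value = "";
      while (j < src.length && src[j] !== c) {
        if (src[j] === "\\" && j + 1 < src.length) {
          const e = src[j + 1];
          if (e === "x" || e === "u") {               // \xHH or \uHHHH
            const width = e === "x" ? 2 : 4;
            value += String.fromCharCode(parseInt(src.substr(j + 2, width), 16));
            j += 2 + width;
          } else {
            value += e in SIMPLE_ESCAPES ? SIMPLE_ESCAPES[e] : e;
            j += 2;
          }
        } else {
          value += src[j];
          j++;
        }
      }
      if (j >= src.length) {                          // unterminated literal: copy as-is
        tokens.push({ type: "other", text: src.slice(i) });
        break;
      }
      tokens.push({ type: "str", value });
      i = j + 1;
    } else if (c === "+") {
      tokens.push({ type: "plus", text: "+" });
      i++;
    } else if (c === " " || c === "\t" || c === "\n" || c === "\r") {
      tokens.push({ type: "ws", text: c });
      i++;
    } else {
      tokens.push({ type: "other", text: c });
      i++;
    }
  }
  return tokens;
}

// Return the index of the next non-whitespace token at or after k.
function skipWs(tokens, k) {
  while (k < tokens.length && tokens[k].type === "ws") k++;
  return k;
}

// Rewrite every run of  str (+ str)*  as one double-quoted literal. Only
// literal-to-literal joins are touched, so evaluation order and results are
// unchanged for every other operand (a leading number or variable stays put).
function foldStringConcat(src) {
  const tokens = tokenize(src);
  const out = [];
  for (let i = 0; i < tokens.length; i++) {
    const t = tokens[i];
    if (t.type !== "str") { out.push(t.text); continue; }
    let value = t.value;
    let last = i;
    for (;;) {
      let k = skipWs(tokens, last + 1);
      if (k >= tokens.length || tokens[k].type !== "plus") break;
      k = skipWs(tokens, k + 1);
      if (k >= tokens.length || tokens[k].type !== "str") break;
      value += tokens[k].value;
      last = k;
    }
    out.push(JSON.stringify(value));
    i = last;
  }
  return out.join("");
}

// Constructed inputs mirroring the slide's example.
console.log(foldStringConcat('var temp = "get" + "Elem" + "ent" + "ById";'));
console.log(foldStringConcat("document['get'+'Elem'+'ent'+'ById']('x')"));
```

The pass deliberately leaves `1 + "a" + "b"` as `1 + "ab"` and never touches a non-literal operand, so the rewritten source evaluates exactly as before. It has no notion of comments or regex literals, so a `+` inside those is treated as text; tag, file and traffic concatenation need a DOM or real execution rather than a text pass.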
External Access • Fetch external resources or perform a connection check • Ajax data fetch • Connection check • Neosploit exploit kit
Condition check • Browser detection, e.g. uas=navigator.userAgent; while(uai<uas.length){xor+=uas.charCodeAt(uai++);} • IE6 • Firefox
Condition check • Time check • getUTCFullYear() • getUTCMonth() • getUTCDate() • Plugin check • new ActiveXObject('ShockwaveFlash.ShockwaveFlash'); (IE) • Check navigator.plugins (not IE)
Trigger Function • Trigger a function after a certain number of seconds • setTimeout("alert('Hello!')",3000) • setInterval("clock()",1000) • Trigger a function on a certain event • <body onload="load()"> • <button id="j_id" onclick="j_function2();"> • window.attachEvent or addEventListener • Trigger a function from a plugin • Call a JS function from ActionScript
Bypass de-obfuscation tool • Uncommon tag • Save content in CSS • Modification check • var hybxs = arguments.callee; hybxs = hybxs.toString();
Browser Knowledge JDOE Prototype
Current Solution Phase I Review
Jsunpack • Lightweight • SpiderMonkey and Python • Hooks set in the JS file • Environment DOM enumeration • Detection module (Yara) • PDF and SWF parser • Intrusion detection (libnids) • http://jsunpack.jeek.org/
Fireshark • Firefox plugin • Main window and child frame source code • Main window and child frame DOM tree • HTTP requests and responses logged • Malicious URL check • URL redirection graph • http://fireshark.org/
Malzilla • Research tool • SpiderMonkey • Shellcode analysis • Limited DOM support • http://malzilla.sourceforge.net/
Limitations • Firefox based • Limited DOM support • Limited de-obfuscation • Performance
JDOE Phase I Review
JDOE • What engine do we want? • High performance • Good coverage • Good output and log formats • Analytics platform
JDOE • JDOE is based on Google Chrome • Rendering engine: WebKit • 85% of the smartphone browser market • 21% of the desktop browser market • Includes the DOM tree and parser • JavaScript engine: V8
Prototyping • JDOE is based on a test project for Chrome • Command line tool, feasible to port as a server-side application • Able to simulate basic browser functions • Full DOM support • Good fault tolerance for malformed HTML • HTML format output
JDOE advantage • Based on Chrome and WebKit • Strong parser • Full DOM support • Fast JS execution speed • High coverage • Good extensibility
De-obfuscation Method • JDOE de-obfuscation method • Hook eval() • Capture the internal state of the JavaScript • Print the final DOM tree • Get the final state • document.write() should add nodes to the DOM tree
Exploit kit Coverage • Exploit kit samples • Samples from the Top 10 exploit kits project • Total samples: 22, JDOE success: 20 • Coverage: 90.9%
Injection Coverage • Injection samples • Samples from obfuscation ThreatID matches • Total samples: 9,544, JDOE success: 8,450 • Coverage: 88.5%
Demo time Demo
Challenge & Improvement Status and Next Step
Challenge • Security • How to keep the JDOE server secure? • Upgrade plan • Sandbox • JavaScript audit • Performance • Disable external access • Coverage • Some special samples not supported • Output format defective on some special samples
Improvement • More trigger function handlers • PDF and SWF parser • Shellcode detection • JavaScript audit • Cloud-based integration • http://aceinsight.websense.com/ • Auto analysis platform
JDOE Questions?