Presentation is loading. Please wait.

Presentation is loading. Please wait.

Nick Guo, Ulysses Wang JavaScript De-Obfuscation Engine -- JDOE.

Similar presentations


Presentation on theme: "Nick Guo, Ulysses Wang JavaScript De-Obfuscation Engine -- JDOE."— Presentation transcript:

1 Nick Guo, Ulysses Wang JavaScript De-Obfuscation Engine -- JDOE

2 Obfuscation Introduction Anti de-obfuscation Browser Knowledge Current Solution JDOE Demo Challenge & Improvement Agenda

3 Phase I Review Obfuscation Introduction

4 Concealing the intent of the code by making the code difficult for human analysis and detection Copy right protection Hide Information (E.g. address) Evade detection Obfuscation

5 Three types of obfuscations Injection obfuscation Public Packer Obfuscation Exploit Kit Obfuscation Obfuscation Types

6 “As recorded in 2007, over 80% of detected malicious code was already using obfuscation” Most obfuscations are simple. Injection: 83%, exploit kit: <1% Complex obfuscations occupy a small proportion. Obfuscation become more complex Obfuscation Types

7 JDOE Prototype Anti de-obfuscation

8 Splitting important codes into pieces of Javascirpt code, HTML code or external scripts String concatenate – Var temp=“get”+”Elem”+”ent”+”ById” Tag concatenate – Put content in,, – OpenSource Exploit kit Fragmentation

9 File concatenate – Put critical function or data in another file – Phoenix Exploit Kit 2.5 Traffic concatenate – Save data on server and client need to request Fragmentation

10 Fetch external access or perform a connection check Ajax fetch data Connection check – Neosploit exploit kit External Access

11 Browser detect uas=navigator.userAgent; while(uai

12 Time check getUTCFullYear() getUTCMonth() getUTCDate() Plugin check new ActiveXObject('ShockwaveFlash.ShockwaveFlash'); (IE) Check navigator.plugins (not IE) Condition check

13 Trigger a function after certain seconds setTimeout("alert(Hello!')",3000) setInterval("clock()",1000) Trigger a function on certain event


Download ppt "Nick Guo, Ulysses Wang JavaScript De-Obfuscation Engine -- JDOE."

Similar presentations


Ads by Google