Presentation is loading. Please wait.

Presentation is loading. Please wait.

Circumventing Automated JavaScript Analysis

Published byHugues Pruneau Modified over 5 years ago

Similar presentations

Presentation on theme: "Circumventing Automated JavaScript Analysis"— Presentation transcript:

1 Circumventing Automated JavaScript Analysis
Billy Hoffman HP Web Security Research Group

2 Overview JavaScript is part of attackers toolkit
All the “vanilla” stuff over Packing traditional malware IBM ISS: “In second half 2007 Web attack obfuscation approached 100%”* Exploit frameworks amplify the problem Rapid adoption of new techniques We need tools to analyze this How are we doing and can we win? * From: IBM Internet Security Systems X-Force® 2008 Mid-Year Trend Statistics

3 Obfuscation Design Pattern
Malicious code is stored String literals Numeric literals Decode function unpacks literals into new code Ratio of literals to total code is huge! Normal code: 2%-7% Obfuscated code: > 30%

4 Obfuscation Example

5 Obfuscation != Malicious
Legitimate reasons for obfuscating “Protect” client-side code Reducing download size Common packers JSMin Dean Edwards packer Yahoo’s Result: Its tough to know what to analyze

6 Original Approach to JS Analysis
The Lazy Method Replace dangerous calls with alert() Run in a browser The Tom Liston Method Wrap writes in <TEXTAREA>’s The Perl-Fu Method Port malware to in Perl The Monkey Wrench Method Run it in Spider Monkey

7 Tricks to Defeating Analysis
Deliberate sandbox breaks </TEXTAREA> Integrity Checks Arguments.callee.toString() arguments.callee.toString().replace(/\W/g,"").toUpperCase(); Gives source code of function body Length checks Use function body as key

8 VBScript Wrapper Still in use! No open source VBScript parsers
Older DHTML web apps Plug-in enumeration (IE8) Malware No open source VBScript parsers No public standard grammar Not very wide-spread JavaScript VBScript JavaScript

9 Preventing Sample Collection
Can’t reverse what you don’t have! Track IPs Geolocation Blacklist security firms Serve once per IP User-agent sniffing document.referrer tricks

10 For those playing at home
Approach Difficulties All Approaches Sampling Prevention The Lazy Method Integrity checks Running hostile code in browser The Tom Liston Method </TEXTAREA> escapes Perl Fu Way too time consuming Translating JavaScript constructs The Monkey Wrench Approach Does pretty well

11 Approach Today Combination of automatic and manual
Interpreters and debuggers (aka sandboxes) Rhino NJS DecryptJS SpiderMonkey Trap/monitor certain events DOM calls eval()s, etc

12 Its More Complex Than That
JS interpreter/debugger less than ½ the battle JavaScript != DOM Host objects Events/Timers HTTP requests Error handling DOM >= HTML HTTP headers/cookies Browser environment Plug-ins

13 Fundamental Issue Current JavaScript sandboxes fail to fully/properly emulate browser environment. These discrepancies are detectable by the JavaScript running inside the sandbox.

14 Fundamental Issue . !=

15 Detecting JavaScript Sandboxes
4 big areas DOM Testing Network Testing Execution Environment Testing Plug-in Testing Use test results Decrypt next layer Handshake to serve next layer

16 DOM Testing Using the DOM values Detecting presence/lack of
Get and sets on values Interacting with HTML elements

17 DOM Testing: Basic Sandbox Specific Functions
gc() clone() trap() untrap() readline() Malware forces SpiderMonkey to die try {quit();} catch (e) { }; //more code here

18 Detecting Sandbox Specific Functions
if(typeof(gc)==“function”) {… } else {…}

19 Function Clobbering JavaScript is highly dynamic
Can redefine functions at runtime!

20 Redefining print() as quit()

21 Redefining quit()To Nothing

22 Intertwined DOM Properties
Various aliases in the DOM document.location == window.location == document.URL window == window.window == window.self == window.parent == window.self.self.self.self... Any global variable attaches to window var spi = 5; window.spi == spi; //true Set a value on one alias Read on another alias Different values means sandbox

23 document.retarded Mosaic Netscape 0.9beta (1994)
Set using HTTP headers Set-Cookie: Cookie: Get/Set using JavaScript document.cookie

24 document.retarded Set using HTML Mosaic Netscape 0.9beta (1994)
Set using HTTP headers Set-Cookie: Cookie: Get/Set using JavaScript document.cookie Set using HTML <META> tag

25 Meta Tag Supply meta data about HTML document http-equiv attribute
Allows document to specify HTTP headers Content overriding an application protocol

26 HTTP-EQUIV to the rescue
Setting cookies with HTML <html> <meta HTTP-EQUIV="Set-Cookie" CONTENT="cook2=Value 2"> <meta HTTP-EQUIV="Set-Cookie" CONTENT="cook1=Value 1"> <script> alert(document.cookie); </script>

27 Setting Cookies with HTML

28 Hello Proprietary Extension!
Setting cookies with HTML <html> <meta HTTP-EQUIV="Set-Cookie" CONTENT="cook2=Value 2; HttpOnly"> <meta HTTP-EQUIV="Set-Cookie" CONTENT="cook1=Value 1"> <script> alert(document.cookie); </script>

29 Setting Cookies with HTML

30 More Meta Tag Fun Hide Script in non-scriptable attribute <html>
<title>Safe</title> <meta http-equiv="refresh" content="0;url=javascript:alert(‘EVIL’)“> <h1>All safe. Trust me!</h1> </html>

31 HTTP Refresh Header Completely remove JS from response body!
HTTP/ OK Refresh: 0;url=javascript:alert('EVIL!') Connection: close Content-Length: 29 <h1>I'm Clean... really.</h1>

32 Psst! (IE8 supports the data: URI...
data:text/html and data:text/javascript are awesome!)

33 Network Testing Sandbox use dummy network objects
Good “Are you a browser?” test Use information about response DNS successful? Last Modified? Image Dimensions? Valid Response? Forces Sandbox to send network traffic Web bugs for hackers?

34 Network Testing – DNS Lookups
<script> var count =0; function loaded(name) {if(name!="bad")count++;} window.onload = function evil() { if(count == 1) alert("Browser!"); else alert("Sandbox!"); } </script> <iframe src=" onload="loaded(this.name);" name="bad"></iframe> <iframe src=" onload="loaded(this.name);" name="bad"></iframe> <iframe src=" onload="loaded(this.name);" name="good"></iframe>

35 Network Testing – DNS Lookups

36 Network Testing - Images
Image object provides rich meta data Length Width Image was valid? CSS Images too Use this information Complex handshaking Construct a Key var img = new Image(); img.onload = goodFunc; img.onerror = badFunc; img.src="

37 Side Note: Image Side Channels
JavaScript Image object Height + width = 8 bytes How to send 0xFFFFFFFF without 4GB of pixel data? GIF, PNG, Windows too short BMP + RLE? Nope XBM Image Format #define w 1351 #define h 1689 static char b[]={0};

38 FF XBM WTF??!!!1111oneoneoneomg

39 The Dan Kaminski Option

40 Network Testing - Ajax Ajax can see HTTP response headers
Complex handshaking Construct a key var xhr = new XmlHttpRequest(); xhr.onreadystatechange = function() { if (xhr.readyState==4 && xhr.status=200) { if(xhr.getResponseHeader("Secr3t") == "key") { //do evil }

41 Execution Environment Testing
Sandbox execute code differently Trap function calls Step/break on code Manipulate data Can tell these differences Timing information Event Order Error Handling

42 Timing Information Use JavaScript’s Date object
Millisecond resolution times Can detect paused execution <script> var start = (new Date()).getTime(); document.writeln(String.fromCharCode(66,77,72)); </script> var diff= (new Date()).getTime() - start; if(diff < 3) document.writeln("Browser"); else document.writeln("Sandbox");

43 Detecting Steps/Breaks with Timers
Timers are a pain! Can’t really wait 5 seconds Ordering Clearing Can detect paused execution Start a Timer Perform some math operation After fixed interval Sample the value Count++ Count++ Count++

44 Detecting Steps/Breaks with Timers
var count = 0; setInterval("count++;", 10); setTimeout(checkSum, 1000); function checkSum() { //allow for skew if(count >= 950 && count <=1000) { alert("Browser"); } else { alert("Sandbox"); }

45 Event Order Sandboxs don’t run events in the proper order
XmlHttpRequest’s onreadystatechange() fires 4 times onclick() >> onclick() >> ondbclick() onkeydown() >> onkeyup() >> onkeypress() onmousedown() >> onmouseup() >> onclick() onmouseover() >> onmousemove() onclick() >> onfocus() (for inputs) onfocus() >> onblur() onload() >> onunload()

46 Advanced Event Order Dependant’s onload before window.onload
iFrames Images Event propagation DOM events must bubble Continue based on return value of event Events that never fire Invisible with CSS onclick WINDOW onclick BODY DIV DIV onclick INPUT

47 Error Handling Induce syntax errors Recover in handler
window.onerror handles uncaught exceptions Induce syntax errors Recover in handler <script> window.onerror = function() { //evil code } </script> Lolz &nd B00m$; //Syntax Error

48 Error Handling Induce runtime errors Harder to handle/debug
window.onerror handles uncaught exceptions Induce runtime errors Harder to handle/debug window.onerror = function() { //evil code } function boom() { return ‘so long!’ & boom(); boom(); // error too much recursion

49 Advanced Error Handling
Detailed info passed to window.onerror Message File Line Number Can be to Fingerprint web browser Verify domain/location Construct a decryption key

50 Plug-in Testing Not just navigator.plug-ins checks
Timing is a cool test Did I really invoke that ActiveX object? Sizing is a cool test Is that Applet really 400 x 300? Cross Communication Really sexy! Apply previous methods inside plug-in Error handling, Eventing, etc

51 JavaScript -> Flash -> JavaScript
Multiple ways getURL(); Flash LSO Additional capabilities Richer HTTP requests More File formats Excellent browser support JavaScript Flash JavaScript

52 JavaScript -> Java -> JavaScript
Lots of fun object casting JSObject -> double -> JSObject Java has more capabilities than JS High resolution timers Sockets Internal IP Assault the researcher! Signed Applets can access the file system! LiveConnect var myAddress = java.net.InetAddress.getLocalHost(); JavaScript Java JavaScript

53 Preventing Sample Gathering
Browser Identification for Web Applications (Shreeraj Shah 2004) HTTP headers Ordering and Values Redirects, form posts, content types, cookie settings HTTP Caching Obeying the directives HTTP/1.1 HTTP/1.0 Precedence Sending conditional GETs

54 Crazy Idea #1 Obfuscated Code is obviously interesting
But not always malicious “Safe” looking code might not be interesting Can I create code that doesn’t look malicious?

55 Dehydrating a String Converts any string into whitespace
7 bit per character 1 = space 0 = tab \n means we are done ‘a’ = Dehydrate('a') = space, space, tab, tab, tab, tab, space

56 Dehydrate Function function dehydrate(s) { var r = new Array(); for(var i=0; i < s.length; i++) { for(var j=6; j >=0; j—) { if(s.charCodeAt(i) & (Math.pow(2,j))) { r.push(' '); } else { r.push('\t'); } r.push('\n'); return r.join('');

57 Hydrate Function function hydrate(s) { var r = new Array(); var curr = 0; while(s.charAt(curr) != '\n') { var tmp = 0; for(var i=6; i>=0; i—) { if(s.charAt(curr) == ' ') { tmp = tmp | (Math.pow(2,i)); } curr++; r.push(String.fromCharCode(tmp)); return r.join('');

58 Invisible Malicious Code!
//st4rt //3nd var html = document.body.innerHTML; var start = html.indexOf("//st" + "4rt"); var end = html.indexOf("3" + "nd"); var code = html.substring(start+12, end); eval(hydrate(code));

59 Crazy Idea #2 Who cares how its encoded?
Eventually they have to execute the string of code CaffeineMonkey et al are just hooking eval() Can I execute malicious code stored in a string without eval()?

60 Eval() The Interpreter has a Posse…
var evilCode = "alert('evil');"; window.location.replace("javascript:" + evilCode); document.location.replace("javascript:" + evilCode); setTimeout(evilCode, 10); setInterval(evilCode, 500); new Function(evilCode)(); //IE only window.execScript(evilCode);

61 Fixing All of This Advice for tool developers Advice for others
Remove discrepancies between sandbox and browser DOM/HTTP/DNS/Network/Eventing Everything should be interesting The sandbox needs a sandbox; you will be attacked. Advice for others Microsoft Publish a Grammar for VBScript Disable completely based on DOCTYPE Adobe: Release an controllable Flash VM

62 Shoulders of Giants Jose Nazario Ben Feinstein
Internet Storm Center guys Stephan Chenette, et WebSense Shreeraj Shah Rob Freeman Aviv Raff

63 Questions?

64 Circumventing Automated JavaScript Analysis
Billy Hoffman HP Web Security Research Group

Download ppt "Circumventing Automated JavaScript Analysis"

Similar presentations

JavaScript I. JavaScript is an object oriented programming language used to add interactivity to web pages. Different from Java, even though bears some.

JavaScript I. JavaScript is an object oriented programming language used to add interactivity to web pages. Different from Java, even though bears some.
© 2007 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Circumventing Automated JavaScript.

© 2007 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Circumventing Automated JavaScript.
JavaScript FaaDoOEngineers.com FaaDoOEngineers.com.

JavaScript FaaDoOEngineers.com FaaDoOEngineers.com.
Java Script Session1 INTRODUCTION.

Java Script Session1 INTRODUCTION.
JavaScript and the DOM Les Carr COMP3001 Les Carr COMP3001.

JavaScript and the DOM Les Carr COMP3001 Les Carr COMP3001.
0 The Past, Present and Future of XSS Defense Jim Manico 2011 OWASP Brussels.

0 The Past, Present and Future of XSS Defense Jim Manico 2011 OWASP Brussels.
Introduction to JavaScript Module 1 Client Side JS Programming M-GO Sponsored By

Introduction to JavaScript Module 1 Client Side JS Programming M-GO Sponsored By
The Web Warrior Guide to Web Design Technologies

The Web Warrior Guide to Web Design Technologies
Blackbox Reversing of XSS Filters Alexander Sotirov ekoparty 2008.

Blackbox Reversing of XSS Filters Alexander Sotirov ekoparty 2008.
JavaScript Forms Form Validation Cookies CGI Programs.

JavaScript Forms Form Validation Cookies CGI Programs.
UNIT 6 JAVASCRIPT EVENT HANDLERS &WEB BROWSERS DETECTION.

UNIT 6 JAVASCRIPT EVENT HANDLERS &WEB BROWSERS DETECTION.
Javascript and the Web Whys and Hows of Javascript.

Javascript and the Web Whys and Hows of Javascript.
4.1 JavaScript Introduction

4.1 JavaScript Introduction
FALL 2005CSI 4118 – UNIVERSITY OF OTTAWA1 Part 4 Web technologies: HTTP, CGI, PHP,Java applets)

FALL 2005CSI 4118 – UNIVERSITY OF OTTAWA1 Part 4 Web technologies: HTTP, CGI, PHP,Java applets)
HTML Forms/Events (Instructor Lesson) The Event model HTML Forms Custom Events 1.

HTML Forms/Events (Instructor Lesson) The Event model HTML Forms Custom Events 1.
CNIT 133 Interactive Web Pags – JavaScript and AJAX Event and Event Handling.

CNIT 133 Interactive Web Pags – JavaScript and AJAX Event and Event Handling.
JavaScript & jQuery the missing manual Chapter 11

JavaScript & jQuery the missing manual Chapter 11
CS346 - Javascript 1, 21 Module 1 Introduction to JavaScript CS346.

CS346 - Javascript 1, 21 Module 1 Introduction to JavaScript CS346.
Intro to JavaScript Events. JavaScript Events Events in JavaScript let a web page react to some type of input Many different ways to handle events due.

Intro to JavaScript Events. JavaScript Events Events in JavaScript let a web page react to some type of input Many different ways to handle events due.
CNIT 133 Interactive Web Pags – JavaScript and AJAX JavaScript Environment.

CNIT 133 Interactive Web Pags – JavaScript and AJAX JavaScript Environment.

Similar presentations

Ads by Google