Thwarting New JavaScript Malware Obfuscation

I Don't Believe in Imaginary Property writes "Malware writers have been obfuscating their JavaScript exploit code for a long time now and SANS is reporting that they've come up with some new tricks. While early obfuscations were easy enough to undo by changing eval() to alert(), they soon shifted to clever use of arguments.callee() in a simple cipher to block it. Worse, now they're using document.referrer, document.location, and location.href to make site-specific versions, too. But SANS managed to stop all that with an 8-line patch to SpiderMonkey that prints out any arguments to eval() before executing them. It seems that malware writers still haven't internalized the lesson of DRM — if my computer can access something in plaintext, I can too."

SANS

[by Anonymous Coward]

I'm still not sure what I think of them.
I mean, it's a great idea. But they update their diary every day, which means for the most part, it's totally boring crap. Today's entry is a little different.

I still think of SANS as a bunch of old guys all sort of pontificating about the most mundane things. Wind back 5 years and I think they had a valid part to play, especially with the amount of viruses and worms flying around. These days, not so much. Security is so much higher on everyone's radar that they'

Re:

[sm62704 (957197)]

But they update their diary every day, which means for the most part, it's totally boring crap.

Welcome to my slashdot journal (NSFW)

they're a bit old in the tooth now

Piece of cake, easy as pie. The saying is "long in the tooth", comrad.

the Internet just isn't that risky anymore.

You're not paying attenton.

Re:

[mweather (1089505)]

Agreed, only because with Windows normal means you're running anti-virus from behind a firewall.

A case of "duh"

[Annymouse Cowherd (1037080)]

Is it just me or is this way of getting around it mind-blowingly obvious.

The techniques the malware writers are using are quite interesting though, i've never heard of arguments.callee.

Re:A case of "duh"

[kesuki (321456)]

"Is it just me or is this way of getting around it mind-blowingly obvious."

even more mind blowingly obvious, is noscript. it's pretty hard for java/javascript based malware to infect you when the browser won't automatically launch javascript or java.

DRM and copy protection schemes

[spion666 (922711)]

It seems that malware writers still haven't internalized the lesson of DRM -- if my computer can access something in plaintext, I can too.

In fact, thats the lesson from any digital copy protection scheme, some of which precede DRM (at least the term DRM)

Re:DRM and copy protection schemes

[panaceaa (205396)]

I'm glad you highlighted that line of the summary. The point of the obfuscation was to slow down analysis of the code and require special tools (SpiderMonkey) that average web users don't have. Here the malware author clearly won. The article author spent hours figuring out a new obfuscation technique and writing an article about it. If there are malware detectors, they have to be updated to detect the new obfuscations.

This is not the traditional DRM argument. No one's trying to decode a video or music file they have legal rights to access. This is a malware arms race: The point IS to hide what's going on, not to lock things down. What's more interesting here, and not even discussed, is the parallel between Javascript malware development and computer viruses. The technique the author uncovered is an adaptation of polymorphic virus concepts into web malware. And while the technique is something many developers could come up with, I haven't heard being used in practice yet, so it's likely a noteworthy step in the arms race.

Re:

[Jherek Carnelian (831679)]

The point IS to hide what's going on, not to lock things down.

Right, this is not security through obscurity folks.
It is obscurity through obscurity!

Re:

[nahdude812 (88157)]

Plus Firebug 1.2 already does what their patch does. If you want to see what the final execution result is, click the dropdown in the Scripts window to see the text of all eval() calls.

How long until they do setTimeout("final code", 1) instead of eval(), and how long until they do document.write("<div id='foo' onclick='malware.code;'></div>"); document.getElementById('foo').onclick(); etc? As gp said, it's a malware arms race, they're changing their obfuscation techniques to bypass the current

Re:

[kesuki (321456)]

"The point of the obfuscation was to slow down analysis of the code and require special tools (SpiderMonkey) that average web users don't have."

noscript is an easy firefox add-on. if you're advising 'normal' people how to use the internet safely, you'd have told them to use noscript and only allow really trusted sites that you can't live without.

personally, I don't trust any site that much. besides, with noscript, slashdot tells you to use the old style instead of the new style layout.

Re:

[CodeBuster (516420)]

Here the malware author clearly won

No more than the RIAA has "won" by imposing or using DRM on their music downloads and on iTunes. In that case it only takes one cracked version to leak out before everyone else gets the benefit of the original cracker's behavior ad-infinitum. Likewise, once the detection is worked into a Javascript blocking and filtering tool, such as no-script [mozilla.org], everyone using no-script benefits from the original analysis (it doesn't have to be cracked afresh each time it comes up). So the malware author is really only inco

Funding

[Joebert (946227)]

Who pays these freakin people ?!

I could sit here all day comming up with ways to put ghosts in the machine !

Re:

[Joebert (946227)]

Apparently I don't belong on either side of the fence. I suppose I'll just have to burn it down with my bait of flame. :)

first post?

[hesaigo999ca (786966)]

This is too much, now we all will have to download a pre validator for javascript to view the code (what does this code do, i can't read this, I am an 80 year old grandmother...) before going to the webpage and view it...sucks to go on the web these days!

Re:

[loftwyr (36717)]

No, no... it prints it out to itself and then executes it. You'll see no more than you did before.

Unless you're a hacker and then it will stick it's tongue out at you first.

Baby & Bathwater?

[XanC (644172)]

There are certainly legitimate uses of eval, and legitimate reasons to "obfuscate". Like to compress the script that you send to each & every client. The savings in bandwidth for you (and for them, especially if they're on dialup) can add up. For example: http://www.javascriptcompressor.com [javascriptcompressor.com]

Re:

[TLLOTS (827806)]

Simply minifying your scripts by stripping out comments and unneeded whitespace will do almost as good a job compressing the data with eval. Add in gzipping and the difference is negligible, plus there's no additional delay on the client side when that script is decompressed for each and every page that uses it.

Save yourself some headache, just gzip it

[patio11 (857072)]

It isn't an either/or choice, but programs with verbose variable names (which is typically one of the first targets of javascript compression: "replace timeSinceLastUpdate with r") compress disgustingly well. You may find that the gzip compression is effective enough that the obfuscation isn't worth the various attendant headaches (maintaining two versions of the code, etc).

Re:

[XanC (644172)]

Well, if you leave off the base62 encode option, you get a file that's "prepped" for better gzipping. But of course that doesn't require an eval, which was the point of this whole thread, so you're right about that.

I've also noticed, though, that IE will barf on long Javascript files, so doing the base62 compression on the Javascript even with gzip is a workaround for that.

Re:

[VGPowerlord (621254)]

Exactly how do you "prep" a file for gzipping? Remove all the linebreaks and spaces?

Re:

[XanC (644172)]

Yes, and also to shrink variable names, arguments, etc. See Javascript compression guru Dean Edwards's take on the subject [edwards.name].

document.referrer

[Anders (395)]

I turn off referrer headers for privacy (set network.http.sendRefererHeader to 0 in about:config in Firefox). Now it seems that it can also save me from malware :-). Why would you want it enabled, anyway?

Re:

[ypctx (1324269)]

Many sites won't work without it, mainly to prevent "hotlinking".

Re:

[Anders (395)]

Many sites won't work without it, mainly to prevent "hotlinking".

That is about as effective as User-Agent sniffing.

This Firefox addon [mozilla.org] gives you arbitrary Referer headers on a per-site basis.

Re:

[ArcticFlood (863255)]

Most "hotlinking prevention" methods (either in a .htaccess or in PHP) that I've seen allow no referrer, since no referrer usually means it was a bookmark or a URL entered by hand. Since this also allows people to copy and paste links to site, these methods are generally pointless unless there is a real problem.

Re:

[ArcticFlood (863255)]

I was unclear. I meant an empty referrer, which occurs when you weren't referred by a URL (such as typing the URL manually or clicking a bookmark). If you prevent the use of an empty referrer, your page cannot be bookmarked or manually typed in the address bar, which is why it is allowed.

Re:document.referrer

[geminidomino (614729)]

I turn off referrer headers for privacy (set network.http.sendRefererHeader to 0 in about:config in Firefox). Now it seems that it can also save me from malware :-).

Why would you want it enabled, anyway?

Silly websites that check it as some sort of "security." Easily foiled by sending the site's own URL as the referer though.

Re:

[vrmlguy (120854)]

I turn off referrer headers for privacy (set network.http.sendRefererHeader to 0 in about:config in Firefox). Now it seems that it can also save me from malware :-).

Why would you want it enabled, anyway?

Silly websites that check it as some sort of "security." Easily foiled by sending the site's own URL as the referer though.

Of course, that might revive any Javascript malware.

Re:

[VGPowerlord (621254)]

I turn off referrer headers for privacy (set network.http.sendRefererHeader to 0 in about:config in Firefox). Now it seems that it can also save me from malware :-).

Why would you want it enabled, anyway?

Silly websites that check it as some sort of "security." Easily foiled by sending the site's own URL as the referer though.

Even that doesn't work for all sites. Newegg [newegg.com], for example, won't let you finish checking out if you forge the referrer. I had to add an exception to it to RefControl.

P.S. I have RefCon

Re:

[Nos. (179609)]

I check the referrer header for images on some sites, not for security, but for reducing bandwidth thieves doing hotlinking. On more than one occasion folks have linked to images on busy forum sites which costs me bandwidth. Checking that the referrer is either the local site or blank reduces that bandwidth waste to virtually zero. Yes, some will still get through, but the few minutes it takes to add to the virtual host configuration in Apache is well worth it.

Re:

[atraintocry (1183485)]

I agree with your method, but "bandwidth thief" is misplaced. Nothing wrong with a referrer check, and I don't hotlink on forums...it's rude. But that's it. Rude, at best...not thievery. You posted the image, and it's your hosting bill. So if you only want it served in a specific context (certain referrer, certain browser, who knows) it's your responsibility to host it that way. Otherwise, people's browsers are asking for the image, and you're serving it. If you don't like giving out Halloween candy, don't

Re:

[antdude (79039)]

Some sites hate it and I get blocked, missing images, etc. :(

Re:

[Snaller (147050)]

"Why would you want it enabled, anyway?"

To access the thousands of sites which check it to make sure nobody isn't "stealing" their bandwith.

Re:

[abigsmurf (919188)]

Some sites could potentially use it to aid in navigation. It's not a great option to use it but it can be better than using back options, especially if there are lots of forms used in the site.

Never actually used it like that (prefer to store that kind of thing in session variables if I'm forced to) but I could see someone doing so

DRM Lesson

[MyLongNickName (822545)]

It seems that malware writers still haven't internalized the lesson of DRM â" if my computer can access something in plaintext, I can too.

The malware writers don't need a 100% success rate. They are simply tring to get their software on enough machines to build a nice bot empire.

stop

[ypctx (1324269)]

stop all that with an 8-line patch to SpiderMonkey

Cool, and now malware engineers will lose their jobs, you insensitive clods! Internet Explorer to the rescue!

Its not obfuscation

[by Anonymous Coward]

Sure it may look like the attacker is cleverly trying to obfuscate their malware from prying eyes but usually they could care less about that. By the time you go reversing their code, they've already gotten the bulk of their victims anyway.

Rather, they're most often using it to make the code easy to replicate elsewhere. A lot of places they'll host it will inadvertently hiccup on certain characters in the code and change them. Like < to &lt;, or + to space, or new line chars to end the string. Using an encoder that converts everything to alphanumeric is much easier to guarantee a successful propagation.

Especially true for XSS worms

eval()

[smoker2 (750216)]

Surely, that should read -
evil()
?
It is after all, an inbuilt function of Javascript.

JavaScript?

[PPH (736903)]

Isn't that the thing I've got turned off in my preferences?

A more detailed analysis

[X (1235)]

I did a fairly detailed analysis [xman.org] of an instantiation of typical Javascript malware these days.

Re:Threat levels?

[liquidpele (663430)]

Everyone [iss.net] does [symantec.com] it [bitdefender.com]

Re:

[martinw89 (1229324)]

Ouch, I didn't realize how common this was. Feel free to moderate the grandparent post into oblivion.

Re:

[Jherek Carnelian (831679)]

Ouch, I didn't realize how common this was. Feel free to moderate the grandparent post into oblivion.

No, don't. Just because 'everyone' does it doesn't make it any less stupid.
Its like the terrorism threat levels - they don't have any correspondance to what is likely to happen to you as an individual. Even if SANS says the "internet threat level is green" you can still get DDOS'd, or get infected by a virus, or browse to the wrong website and get suckered by a cross-site scripting attack, or any number of other things.

The internet is just as dangerous to individuals regardess of what the 'threat level' i

Re:

[liquidpele (663430)]

The threat levels are elevated for things like exploits in the wild for remote vulnerabilities with no patches, or other significant factors that businesses take into account. The pretty colors are there because other websites and companies partner with the creators of the threat levels, and display them for their management or customers. It's purely marketing, but they do have a real purpose, they grab your attention so you can look at the details of whatever caused it to elevate.

Re:

[atraintocry (1183485)]

You were right the first time...it's marketing. Plenty of security sites out there aimed at IT folks that discuss these things rationally and aren't trying to scare you. Similarly, I've dealt with levelheaded IT guys and I've dealt with the ones who bust through the door talking about obscure exploits, hoping to catch someone who can't smell the BS and will pay for fake peace of mind.

Re:So how does this solve anything in the real wor

[Anders (395)]

This is not a detection method. It is merely an aid in reverse engineering, once you have found some malware that you want to analyze.

Re:

[cparker15 (779546)]

See http://www.json.org/js.html [json.org]

If you're using JSON, you're using eval(). Sure, there are some workarounds that avoid calling the eval() function directly, but in the end, they all eval-uate remote code.

JSON parsers use eval() after checking the JSON string to make sure it's actually a JSON string.

cat http://www.json.org/json2.js | grep eval(

Re:

[vrmlguy (120854)]

If you're using JSON, you're using eval(). Sure, there are some workarounds that avoid calling the eval() function directly, but in the end, they all eval-uate remote code.

Did you even bother to read that page that you directed me to?

To defend against this, a JSON parser should be used. A JSON parser will recognize only JSON text, rejecting all scripts. In browsers that provide native JSON support, JSON parsers are also much faster than eval.

So, you're claiming that a JSON parser, which is faster than eval, checks its input and then calls eval. I think I see a contradiction.

Or are you talking about legacy browsers that don't yet provide JSON support? In that case, I hope that you aren't invoking eval either directly or from some home-grown function library, but are using that json2.js that you point to; yes, it sometimes (not always!) uses eval, but only after checking that the bro

Re:

[cparker15 (779546)]

Was there even a point to your tirade?

My comment was in reply to your sweeping generalization that “everyone” knew using eval() is just setting oneself up for failure. json2.js is proof that, with adequate attention given to security, eval() usage isn't a problem.

To the best of my knowledge, as of this writing, the only browser that supports native JSON is Firefox 3/Mozilla 1.9: http://developer.mozilla.org/en/docs/nsIJSON [mozilla.org] -- this still excludes most people, however.

The rest all require an exter

Re:

[vrmlguy (120854)]

My point was that programmers shouldn't use eval() in Javascript, just like programmers shouldn't use goto statements. That doesn't mean that you can't use tools that use those features (I use yacc and lex many times a year), it just means that using them is very hazardous and best avoided. And yes, I realize that this means that there are exceptions to the rule, since it is programmers who write those tools, but those exceptions are very, very, limited. Thinking that you can whip out some code that uses