JavaScript Deobfuscation (Spiffy)
Automated JavaScript Deobfuscation
Stephan Chenette, Principal Security Researcher
Alex Rice, Sr. Security Researcher
Malcode analysis
Current malcode research is focused on binary analysis.
Signature evasion
Anti-analysis techniques
Pain in the #*&#$! for all researchers!!
Unpacking and anti-debugging
Packing/Protecting/Anti-reversing
Compression, Encryption, CRC protection
Anti-debugging
Virtualization detection
Anti-emulation
XOR stubs
Obfuscation Evolution
String splitting:
AD + ODB.S + treAM
String encoding/escaping:
%41\u0044 + O\x44%42\u002ES + t%72eAM
Closing html tags (e.g. </TEXTAREA>)
Code length dependent obfuscation:
arguments.callee.toString()
Server-side [poly|meta]-morphic obfuscation
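As an added example (not code from the original slides), here is the kind of static normalization a signature engine applies to the string-splitting and escaping tricks listed above. The two fragment strings are the slide's own; the helper names and the fixed-point decoding loop are constructed for this example. It also shows the blind spot that motivates the emulation approach on the following slides: a decoder keyed on arguments.callee.toString(), or a server that re-obfuscates on every request, defeats any fixed normalization pass.

```javascript
// Added example: static normalization of split and escaped string fragments.
// Helper names are assumptions for this example; the sample fragments come
// from the slide.

// One round of decoding for the escape forms on the slide: \uXXXX, \xXX, %XX.
function decodeEscapes(s) {
  const hexChar = (_, h) => String.fromCharCode(parseInt(h, 16));
  return s
    .replace(/\\u([0-9a-fA-F]{4})/g, hexChar)
    .replace(/\\x([0-9a-fA-F]{2})/g, hexChar)
    .replace(/%([0-9a-fA-F]{2})/g, hexChar);
}

// Decode to a fixed point so layered encodings (e.g. %5Cx41 -> \x41 -> A)
// are peeled too; the round cap guards against pathological input.
function normalize(s, maxRounds = 8) {
  let cur = s;
  for (let i = 0; i < maxRounds; i++) {
    const next = decodeEscapes(cur);
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// Collapse an "a + b + c" concatenation of literal fragments into one string.
function joinFragments(expr) {
  return expr.split('+').map((part) => normalize(part.trim())).join('');
}

// Compare a plain substring signature against the raw text and against the
// normalized text. Matching is case-insensitive: the slide's fragment spells
// the ProgID "StreAM", and ActiveX ProgID lookup does not care about case.
function matchesSignature(expr, signature) {
  const sig = signature.toLowerCase();
  return {
    raw: expr.toLowerCase().includes(sig),
    normalized: joinFragments(expr).toLowerCase().includes(sig),
  };
}

// The slide's fragments as JavaScript string literals (backslashes doubled).
const SPLIT_SAMPLE = 'AD + ODB.S + treAM';
const ESCAPED_SAMPLE = '%41\\u0044 + O\\x44%42\\u002ES + t%72eAM';

if (typeof require !== 'undefined' && require.main === module) {
  for (const sample of [SPLIT_SAMPLE, ESCAPED_SAMPLE]) {
    console.log(JSON.stringify(sample), '->', joinFragments(sample),
      matchesSignature(sample, 'ADODB.Stream'));
  }
}
```

Run with `node` to see both fragments collapse to the same identifier; the raw-text match fails for each while the normalized match succeeds. The same pass does nothing useful against the last two items in the list above, which is the gap the emulation approach closes.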
Malicious JavaScript
What we actually see
Our Approach
Emulation: a browser without a browser
HTML Parser
DOM Implementation
Scripting Engine(s)/Interpreter(s)
Allow the page to decode itself
Don't render content, just log everything!
HTML Parser
The first step in emulating a browser: HTML.
Websense Blogs
http://www.websense.com/securitylabs/blog/blog.php?BlogID=86
http://www.websense.com/securitylabs/blog/blog.php?BlogID=98
http://www.websense.com/securitylabs/blog/blog.php?BlogID=142
The End
Stephan Chenette, Principal Security Researcher
schenette || websense com
Alex Rice, Sr. Security Researcher
arice || websense com