Analyzing Malicious JavaScript

Post on 14-Feb-2017


Analyzing Malicious JavaScript

2016.10.22 AVTOKYO 2016 Kazuki Takada

Who am I? Kazuki Takada, SecureBrain Corporation

Software engineer and researcher. Originally an embedded-software programmer.

I like Python and drinking modestly. I dislike JavaScript and CUDA programming.

Contents
• About banking malware
• About malicious JavaScript

Banking malware


Banking malware
• It is also called a Banking Trojan.
• It defrauds victims of their banking credential information and performs fraudulent money transfers.

ROVNIX
• It started to appear in Japan at the end of 2015.
• Alias: Cidox
• Rewrites communication content via MITB (man-in-the-browser)

MITB by ROVNIX


[Diagram: MITB by ROVNIX, with a victim PC, a bank web server, a manipulation server and a C&C server]
• C&C server → malware on the victim PC: command and configuration (ex) the target URL).
• Victim PC → bank web server: request; the bank returns the original content.
• Injection: the malware inserts a <script> into the original content of the target URL:
  <html><head>
  <title>Internet Banking</title><script src="...">
• The inserted <script> requests the JavaScript from the manipulation server, which returns the malicious JavaScript.

Major banking malware in 2016
• ROVNIX
• URLZONE (other names: Shiotob, Bebloh)
• VAWTRAK (new; other name: Snifula)
• URSNIF (other name: Gozi)

Two of these malware families have something in common.


The malicious JavaScript is the same.


Functions of the malicious JavaScript

Malicious JavaScript
• It has about 40,000 lines of code.
• It includes jQuery, but it is enormous even without jQuery.
• It has a common base and is customized for each bank site.
• It injects fraudulent web content: screens that push the installation of various "security software" and screens that defraud the victim of information.
• Its use has been traced to many countries; for example, there are Japanese, English, Korean (Hangul) and Arabic versions.

Behind fraudulent web content...


[Diagram: Victim PC / Bank / Manipulation server]
• Login screen → login credential info. → login process
• Dummy screen of security software → request of settlement info. → settlement info → remittance process
• Display some input screen as necessary

Record of the fight


Pre-conditions
SecureBrain Corporation
• To find out what the JavaScript manipulates, I traverse the DOM information after the content has been loaded.
Criminal
• Malware injects <SCRIPT> just after <HEAD>, so the malicious JavaScript is loaded earlier than anything else.
• Of course, there are no holds barred.

Before hiding
• Manipulation by an added <DIV>

I can find it just by traversing the DOM information.

Round 1
• Override of alert

It can be found by alert.toString, because that shows the content of the function.

Round 2
• Override of toString

ex)

window.alert.toString = function() {
    return "[native code]";
}

It can be found by alert.toString.toString.


Round 3
• Nesting of toString...

It can be found by the difference in Object.prototype.toString.

Round 4
• Override of Object.prototype.toString
The result of Object.prototype.toString is changed freely by the following function.

The truth can be found in Function.prototype.toString.

Round 5
• Of course, Function.prototype.toString is overridden.

The difference in the property can be found by getOwnPropertyDescriptor.

Round 6
• Override of getOwnPropertyDescriptor

We are now chasing them inside getOwnPropertyDescriptor.

The fight continues...
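As an added example (not code from the talk), the JavaScript below checks a builtin function for the kinds of overrides seen in rounds 1 to 3 and 6 without ever calling the function's own toString: it uses a copy of Function.prototype.toString and Object.getOwnPropertyDescriptor captured at startup, and inspects own-property descriptors. The names inspectBuiltin, makeTamperedWin, naiveLooksNative and the win object are assumptions for the demo (Node has no window.alert, so Math.max stands in); the check is only trustworthy if this script runs before the injected <script>, which, as the pre-conditions slide notes, the malware arranges not to happen.

```javascript
// Added example, not part of the talk. Inspect a builtin function for overrides of
// the function itself, of its toString (and nested toString), and of the shared
// Function.prototype.toString, without trusting fn.toString().
// These references must be captured before any untrusted script runs (caveat above).
const nativeFnToString = Function.prototype.toString;
const nativeGetOwnDesc = Object.getOwnPropertyDescriptor;
const NATIVE_SRC = /^function\s*[\w$]*\(\)\s*\{\s*\[native code\]\s*\}$/;

function inspectBuiltin(obj, name) {
  const findings = [];
  const fn = obj[name];
  if (typeof fn !== 'function') return ['not a function'];
  // Rounds 1-3: ask the captured native toString, so an override of fn.toString
  // (or of fn.toString.toString) cannot answer for the function.
  if (!NATIVE_SRC.test(nativeFnToString.call(fn))) findings.push('source is not native code');
  // A genuine builtin inherits toString; an own "toString" property means it was shadowed.
  if (nativeGetOwnDesc(fn, 'toString') !== undefined) findings.push('own toString property shadows the prototype');
  // Round 5: the shared Function.prototype.toString itself may have been swapped.
  if (Function.prototype.toString !== nativeFnToString) findings.push('Function.prototype.toString was replaced');
  // A wrapper usually carries a different name (or "bound <name>").
  if (fn.name !== name) findings.push(`function name is "${fn.name}", expected "${name}"`);
  return findings;
}

// Constructed stand-in for the page's window object (untampered).
const cleanWin = { max: Math.max };

// Simulated round 1 + round 2 override: a wrapper whose toString lies about being native.
function makeTamperedWin() {
  const win = { max: Math.max };
  const original = win.max;
  win.max = function max(...args) { return original(...args); };
  win.max.toString = function () { return 'function max() { [native code] }'; };
  return win;
}

// The naive check (fn.toString()) is fooled by the simulated override; inspectBuiltin is not.
function naiveLooksNative(obj, name) { return NATIVE_SRC.test(obj[name].toString()); }
```

Round 6 of the talk shows the attacker overriding getOwnPropertyDescriptor as well, which is why the captured copy, not the live global, is the one consulted here.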


Conclusion
• Having understood the JavaScript specification, the criminals keep attacking persistently.
• The JavaScript specification, which allows every object to be overridden, is a double-edged sword.
• Sharing threat information is extremely important.


Thank you!!
