Nick Guo, Ulysses Wang

JavaScript De-Obfuscation Engine -- JDOE

• Obfuscation Introduction• Anti de-obfuscation• Browser Knowledge• Current Solution• JDOE • Demo• Challenge & Improvement

Agenda

Obfuscation Introduction

• Concealing the intent of the code by making the code difficult for human analysis and detection

• Copy right protection• Hide Information (E.g. Email address)• Evade detection

Obfuscation

• Three types of obfuscations

• Injection obfuscation• Public Packer Obfuscation• Exploit Kit Obfuscation

Obfuscation Types

• “As recorded in 2007, over 80% of detected malicious code was already using obfuscation”

• Most obfuscations are simple.• Injection: 83%, exploit kit: <1%

• Complex obfuscations occupy a small proportion.

• Obfuscation become more complex

Obfuscation Types

Anti de-obfuscation

• Splitting important codes into pieces of Javascirpt code, HTML code or external scripts• String concatenate

– Var temp=“get”+”Elem”+”ent”+”ById”• Tag concatenate

– Put content in <div>,<p>,<textarea>– OpenSource Exploit kit

Fragmentation

• File concatenate – Put critical function or data in another file– Phoenix Exploit Kit 2.5

• Traffic concatenate – Save data on server and client need to request

Fragmentation

• Fetch external access or perform a connection check• Ajax fetch data

• Connection check– Neosploit exploit kit

External Access

• Browser detectuas=navigator.userAgent;while(uai<uas.length){xor+=uas.charCodeAt(uai++);}

• IE6

• Firefox

Condition check

• Time check• getUTCFullYear()• getUTCMonth()• getUTCDate()

• Plugin check• new ActiveXObject('ShockwaveFlash.ShockwaveFla

sh'); (IE)• Check navigator.plugins (not IE)

Condition check

• Trigger a function after certain seconds• setTimeout("alert(Hello!')",3000)• setInterval("clock()",1000)

• Trigger a function on certain event• <body onload="load()">• <button id="j_id" onclick="j_function2();"• window.attachEvent or addEventListener

• Trigger a function on plugin• Call js function from Actionscript

Trigger Function

• Uncommon tag• Save content in CSS

• Modification check• var hybxs = arguments.callee;hybxs =

hybxs.toString();

Bypass de-obfuscation tool

Browser Knowledge

Browser Component

Webkit

DOM Tree

Current Solution

Jsunpack

• Light weight• Spidermonkey and Python• Set hook in js file• Environment DOM Enumeration• Detection module(Yara)• PDF and SWF parser• Intrusion Detection(libnids)• http://jsunpack.jeek.org/

Fireshark

• Firefox Plugin• Mainwindow and child Frame Source Code• Mainwindow and child Frame DOM Tree• Http Request and Response Logged• Malicious URL check• URL redirection graph• http://fireshark.org/

Malzilla

• Research tool• Spidermonkey• Shellcode analysis• Limited DOM support• http://malzilla.sourceforge.net/

Limitations

• Firefox based• Limited on DOM support• Limited on De-obfuscation• Performance

JDOE

• What engine we want ?• High performance• Good coverage• Good output and log formats• Analytics platform

JDOE

• JDOE is based on Google Chrome• Render Engine : Webkit

• 85% smart phone browser market• 21% desktop browser market• Include DOM tree and parser

• JavaScript Engine : V8

JDOE

• JDOE based on a test project for Chrome• Command line tool, feasible to be ported as

server-side application • Be able to simulate basic functions of

browser• Full DOM Support• Good fault tolerance about html format• HTML format output

Prototyping

JDOE Architecture

• Base on Chrome and Webkit• Strong Parser• Full DOM Support • Fast js execution speed• High coverage• Good expansibility

JDOE advantage

• JDOE De-obfuscation Method• Hook eval()

– Get some inner status of JavaScript• Print the final DOM tree

– Get the final status– Document.write should add some nodes

in DOM tree

De-obfuscation Method

• Exploit kits Samples– Samples from Top 10

exploit kits project– Total Samples : 22

JDOE success : 20

– Coverage : 90.9%

Exploit kit Coverage

9%

91%

JDOE Failed JDOE Success

• Injection Samples– Samples from obfuscation

ThreatID matches– Total Samples : 9,544

JDOE Success : 8,450

– Coverage : 88.5%

Injection Coverage

11%

89%

JDOE Failed JDOE Success

Demo time

Challenge & Improvement

• Security • How to keep JDOE server secure?

– Upgrade plan– Sandbox– Javascript Audit

• Performance• Disable external access

• Coverage• Not support on special samples• Output format defected on special samples

Challenge

• More trigger function handler• PDF and SWF Parser• Shellcode detection• Javascript Audit• Cloud base integration

• http://aceinsight.websense.com/• Auto analysis platform

improvement

37

Questions?

JDOE