
JavaScript De-Obfuscation Engine -- JDOE
Nick Guo, Ulysses Wang
Agenda
• Obfuscation Introduction
• Anti de-obfuscation
• Browser Knowledge
• Current Solution
• JDOE
• Demo
• Challenge & Improvement
Obfuscation Introduction
Phase I Review
Obfuscation
• Concealing the intent of the code by making it difficult for human analysis and detection
• Copyright protection
• Hide information (e.g. email addresses)
• Evade detection
Obfuscation Types
• Three types of obfuscation
  – Injection obfuscation
  – Public Packer obfuscation
  – Exploit Kit obfuscation
Obfuscation Types
• "As recorded in 2007, over 80% of detected malicious code was already using obfuscation"
• Most obfuscations are simple
  – Injection: 83%, exploit kit: <1%
• Complex obfuscations occupy a small proportion
• Obfuscation is becoming more complex
Anti de-obfuscation
JDOE Prototype
Fragmentation
• Splitting important code into pieces of JavaScript code, HTML code or external scripts
• String concatenation
  – var temp="get"+"Elem"+"ent"+"ById"
• Tag concatenation
  – Put content in <div>, <p>, <textarea>
  – Open-source exploit kit
Fragmentation
• File concatenation
  – Put critical functions or data in another file
  – Phoenix Exploit Kit 2.5
• Traffic concatenation
  – Save data on the server; the client has to request it
External Access
• Fetch external resources or perform a connection check
• Ajax data fetch
• Connection check
  – Neosploit exploit kit
Condition check
• Browser detect
  // sum the char codes of the user-agent string as a cheap browser fingerprint
  var uas=navigator.userAgent, uai=0, xor=0;
  while(uai<uas.length)
  {xor+=uas.charCodeAt(uai++);}
  – IE6
  – Firefox
Condition check
• Time check
  – getUTCFullYear()
  – getUTCMonth()
  – getUTCDate()
• Plugin check
  – new ActiveXObject('ShockwaveFlash.ShockwaveFlash'); (IE)
  – Check navigator.plugins (not IE)
Trigger Function
• Trigger a function after a certain number of seconds
  – setTimeout("alert('Hello!')",3000)
  – setInterval("clock()",1000)
• Trigger a function on a certain event
  – <body onload="load()">
  – <button id="j_id" onclick="j_function2();">
  – window.attachEvent or addEventListener
• Trigger a function from a plugin
  – Call a JS function from ActionScript
Bypass de-obfuscation tool
• Uncommon tag
• Save content in CSS
• Modification check
  – var hybxs = arguments.callee; hybxs = hybxs.toString();
Browser Knowledge
JDOE Prototype
Browser Component
Webkit
DOM Tree
Current Solution
Phase I Review
Jsunpack
• Lightweight
• SpiderMonkey and Python
• Set hooks in the JS file
• Environment DOM enumeration
• Detection module (Yara)
• PDF and SWF parser
• Intrusion detection (libnids)
• http://jsunpack.jeek.org/
Fireshark
• Firefox plugin
• Main window and child frame source code
• Main window and child frame DOM tree
• HTTP requests and responses logged
• Malicious URL check
• URL redirection graph
• http://fireshark.org/
Malzilla
• Research tool
• SpiderMonkey
• Shellcode analysis
• Limited DOM support
• http://malzilla.sourceforge.net/
Limitations
• Firefox based
• Limited DOM support
• Limited de-obfuscation
• Performance
JDOE
Phase I Review
JDOE
• What engine do we want?
  – High performance
  – Good coverage
  – Good output and log formats
  – Analytics platform
JDOE
• JDOE is based on Google Chrome
• Render engine: WebKit
  – 85% of the smartphone browser market
  – 21% of the desktop browser market
  – Includes DOM tree and parser
• JavaScript engine: V8
Prototyping
• JDOE is based on a test project for Chrome
• Command-line tool, feasible to port as a server-side application
• Able to simulate basic browser functions
• Full DOM support
• Good fault tolerance for malformed HTML
• HTML format output
JDOE Architecture
JDOE advantage
• Based on Chrome and WebKit
• Strong parser
• Full DOM support
• Fast JS execution speed
• High coverage
• Good extensibility
De-obfuscation Method
• JDOE de-obfuscation method
• Hook eval()
  – Get some inner status of the JavaScript
• Print the final DOM tree
  – Get the final status
  – document.write should add some nodes to the DOM tree
Exploit kit Coverage
• Exploit kit samples
  – Samples from the Top 10 exploit kits project
  – Total samples: 22
  – JDOE success: 20
  – Coverage: 90.9%
(Pie chart: JDOE Success 91%, JDOE Failed 9%)
Injection Coverage
• Injection samples
  – Samples from obfuscation ThreatID matches
  – Total samples: 9,544
  – JDOE success: 8,450
  – Coverage: 88.5%
(Pie chart: JDOE Success 89%, JDOE Failed 11%)
Demo time
Demo
Challenge & Improvement
Status and Next Step
Challenge
• Security
• How to keep the JDOE server secure?
  – Upgrade plan
  – Sandbox
  – JavaScript audit
• Performance
  – Disable external access
• Coverage
  – Some special samples are not supported
  – Output format is defective on some special samples
Improvement
• More trigger function handlers
• PDF and SWF parser
• Shellcode detection
• JavaScript audit
• Cloud-based integration
  – http://aceinsight.websense.com/
  – Auto analysis platform
JDOE
Questions?