Nick Guo, Ulysses Wang
Nick Guo, Ulysses Wang - PowerPoint PPT Presentation
JavaScript De-Obfuscation Engine -- JDOE. Nick Guo, Ulysses Wang.
Presentation Transcript
Agenda
  • Obfuscation Introduction
  • Anti de-obfuscation
  • Browser Knowledge
  • Current Solution
  • JDOE
  • Demo
  • Challenge & Improvement
Obfuscation
  • Concealing the intent of the code by making the code difficult for human analysis and detection
    • Copyright protection
    • Hide Information (E.g. Email address)
    • Evade detection
Obfuscation Types
  • Three types of obfuscations
      • Injection obfuscation
      • Public Packer Obfuscation
      • Exploit Kit Obfuscation
Obfuscation Types
  • “As recorded in 2007, over 80% of detected malicious code was already using obfuscation”
  • Most obfuscations are simple.
    • Injection: 83%, exploit kit: <1%
  • Complex obfuscations occupy a small proportion.
  • Obfuscation is becoming more complex
Anti de-obfuscation
JDOE Prototype
Fragmentation
  • Splitting important code into pieces of JavaScript code, HTML code or external scripts
    • String concatenation
      • var temp = "get" + "Elem" + "ent" + "ById";
    • Tag concatenation
      • Put content in <div>,<p>,<textarea>
      • OpenSource Exploit kit
Fragmentation
  • File concatenation
    • Put critical function or data in another file
    • Phoenix Exploit Kit 2.5
  • Traffic concatenation
    • Data is kept on the server and the client has to request it
External Access
  • Fetch external content or perform a connection check
    • Ajax fetch data
    • Connection check
      • Neosploit exploit kit
Condition check
  • Browser detect (derive a value from the user-agent string)
    var uas = navigator.userAgent, uai = 0, xor = 0;
    while (uai < uas.length) { xor += uas.charCodeAt(uai++); }
    • IE6
    • Firefox
Condition check
  • Time check
    • getUTCFullYear()
    • getUTCMonth()
    • getUTCDate()
  • Plugin check
    • new ActiveXObject('ShockwaveFlash.ShockwaveFlash'); (IE)
    • Check navigator.plugins (not IE)
Trigger Function
  • Trigger a function after a certain number of seconds
    • setTimeout("alert('Hello!')", 3000)
    • setInterval("clock()", 1000)
  • Trigger a function on a certain event
    • <body onload="load()">
    • <button id="j_id" onclick="j_function2();">
    • window.attachEvent or addEventListener
  • Trigger a function on plugin
    • Call js function from Actionscript
Bypass de-obfuscation tool
  • Uncommon tag
    • Save content in CSS
  • Modification check (the function inspects its own source text)
    • var hybxs = arguments.callee; hybxs = hybxs.toString();
Browser Knowledge
JDOE Prototype
Current Solution
Phase I Review
Jsunpack
  • Lightweight
  • SpiderMonkey and Python
  • Sets hooks in the JS file
  • Environment DOM enumeration
  • Detection module (Yara)
  • PDF and SWF parser
  • Intrusion detection (libnids)
  • http://jsunpack.jeek.org/
Fireshark
  • Firefox Plugin
  • Main window and child frame source code
  • Main window and child frame DOM tree
  • HTTP requests and responses logged
  • Malicious URL check
  • URL redirection graph
  • http://fireshark.org/
Malzilla
  • Research tool
  • SpiderMonkey
  • Shellcode analysis
  • Limited DOM support
  • http://malzilla.sourceforge.net/
Limitations
  • Firefox based
  • Limited DOM support
  • Limited de-obfuscation
  • Performance
JDOE
Phase I Review
JDOE
  • What engine do we want?
      • High performance
      • Good coverage
      • Good output and log formats
      • Analytics platform
JDOE
  • JDOE is based on Google Chrome
  • Render engine: WebKit
    • 85% smart phone browser market
    • 21% desktop browser market
    • Includes DOM tree and parser
  • JavaScript engine: V8
Prototyping
  • JDOE is based on a test project for Chrome
      • Command line tool, can be ported to a server-side application
      • Able to simulate basic browser functions
      • Full DOM support
      • Good fault tolerance for malformed HTML
      • HTML format output
JDOE advantage
  • Based on Chrome and WebKit
  • Strong parser
  • Full DOM support
  • Fast JS execution speed
  • High coverage
  • Good extensibility
De-obfuscation Method
  • JDOE De-obfuscation Method
      • Hook eval()
        • Captures the inner state of the JavaScript (each decoded layer passed to eval)
      • Print the final DOM tree
        • Captures the final state
        • document.write() adds nodes to the DOM tree, so written content shows up there
Exploit kit Coverage
  • Exploit kit samples
    • Samples from the Top 10 exploit kits project
    • Total samples: 22, JDOE success: 20
    • Coverage: 90.9%
Injection Coverage
  • Injection samples
    • Samples from obfuscation ThreatID matches
    • Total samples: 9,544, JDOE success: 8,450
    • Coverage: 88.5%
Challenge & Improvement
Status and Next Step
Challenge
  • Security
    • How to keep JDOE server secure?
      • Upgrade plan
      • Sandbox
      • JavaScript audit
  • Performance
    • Disable external access
  • Coverage
    • Some special samples are not supported
    • Output format is defective on some special samples
Improvement
  • More trigger function handler
  • PDF and SWF Parser
  • Shellcode detection
  • JavaScript audit
  • Cloud-based integration
    • http://aceinsight.websense.com/
  • Auto analysis platform
JDOE
Questions?