JavaScript De-Obfuscation Engine -- JDOE

Nick Guo, Ulysses Wang


Agenda

  • Obfuscation Introduction

  • Anti de-obfuscation

  • Browser Knowledge

  • Current Solution

  • JDOE

  • Demo

  • Challenge & Improvement


Obfuscation Introduction

Phase I Review


Obfuscation

  • Concealing the intent of code by making it difficult for humans to analyze and for scanners to detect

    • Copyright protection

    • Hiding information (e.g. email addresses)

    • Evading detection


Obfuscation Types

  • Three types of obfuscation

    • Injection obfuscation

    • Public Packer Obfuscation

    • Exploit Kit Obfuscation


Obfuscation Types

  • “As recorded in 2007, over 80% of detected malicious code was already using obfuscation”

  • Most obfuscations are simple.

    • Injection: 83%, exploit kit: <1%

  • Complex obfuscations make up a small proportion.

  • Obfuscation is becoming more complex


Anti de-obfuscation

JDOE Prototype


Fragmentation

  • Splitting important code into pieces of JavaScript code, HTML code or external scripts

    • String concatenation

      • var temp = "get" + "Elem" + "ent" + "ById";

    • Tag concatenation

      • Put content in <div>, <p>, <textarea>

      • Open-source exploit kit


Fragmentation

  • File concatenation

    • Put critical functions or data in another file

    • Phoenix Exploit Kit 2.5

  • Traffic concatenation

    • Save data on the server; the client must request it


External Access

  • Fetch external content or perform a connection check

    • Fetch data via Ajax

    • Connection check

      • Neosploit exploit kit


Condition check

  • Browser detect

    var uas = navigator.userAgent;
    var uai = 0, xor = 0;   // running sum of the user-agent character codes
    while (uai < uas.length) {
        xor += uas.charCodeAt(uai++);
    }

    • IE6

    • Firefox


Condition check

  • Time check

    • getUTCFullYear()

    • getUTCMonth()

    • getUTCDate()

  • Plugin check

    • new ActiveXObject('ShockwaveFlash.ShockwaveFlash'); (IE)

    • Check navigator.plugins (not IE)
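The checks on the last two slides only release the real payload when the sample believes it is running in the browser it targets, so an analysis engine has to present the environment the sample is looking for, or try several. The following is an added example, not code from the JDOE project: it runs a constructed sample that combines the user-agent checksum loop from the Browser detect slide with the IE (ActiveX) and non-IE (navigator.plugins) Flash checks against a few simulated navigator/window profiles, and reports which profile reaches the payload branch. The profile objects, the user-agent strings and the `probe` helper are all assumptions made for this example.

```javascript
// Added example (not JDOE code): probe a condition-checking sample under several
// simulated browser profiles and record which one reaches the payload branch.

// Sum of character codes, the same loop the sample uses to fingerprint the UA.
function sumCharCodes(s) {
  let total = 0;
  for (let i = 0; i < s.length; i++) total += s.charCodeAt(i);
  return total;
}

// Constructed, representative user-agent strings (assumptions for this example).
const UA_IE6 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)";
const UA_FIREFOX = "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0";

// Constructed sample: it hard-codes the checksum of the browser it wants (IE6),
// then checks for Flash the IE way (ActiveX) or the non-IE way (navigator.plugins).
// It returns which branch it took so the harness can observe the decision.
const SAMPLE = `
  var uas = navigator.userAgent, uai = 0, xor = 0;
  while (uai < uas.length) { xor += uas.charCodeAt(uai++); }
  var hasFlash = false;
  if (window.ActiveXObject) {
    try { new window.ActiveXObject('ShockwaveFlash.ShockwaveFlash'); hasFlash = true; }
    catch (e) { hasFlash = false; }
  } else {
    for (var i = 0; i < navigator.plugins.length; i++) {
      if (navigator.plugins[i].name.indexOf('Flash') !== -1) hasFlash = true;
    }
  }
  return (xor === ${sumCharCodes(UA_IE6)} && hasFlash) ? 'payload' : 'bail';
`;

// Simulated environments. ActiveXObject is modelled as a constructor that throws
// for ProgIDs that are "not installed", which is how IE reports a missing plugin.
const PROFILES = {
  "ie6-flash": {
    navigator: { userAgent: UA_IE6, plugins: [] },
    window: { ActiveXObject: function (progId) {
      if (progId !== 'ShockwaveFlash.ShockwaveFlash') throw new Error('not installed');
    } },
  },
  "ie6-noflash": {
    navigator: { userAgent: UA_IE6, plugins: [] },
    window: { ActiveXObject: function () { throw new Error('not installed'); } },
  },
  "firefox-flash": {
    navigator: { userAgent: UA_FIREFOX, plugins: [{ name: 'Shockwave Flash' }] },
    window: {},
  },
};

// Run the sample once per profile; navigator and window are injected as function
// parameters so no real globals are touched. Returns { profileName: branch }.
function probe(sample, profiles) {
  const run = new Function('navigator', 'window', sample);
  const results = {};
  for (const [name, env] of Object.entries(profiles)) {
    try {
      results[name] = run(env.navigator, env.window);
    } catch (e) {
      results[name] = 'error: ' + e.message;
    }
  }
  return results;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(probe(SAMPLE, PROFILES));
}
```

Only the "ie6-flash" profile reaches the payload branch; the same user agent without the ActiveX control, and a Firefox profile that does have Flash, both bail out. That is why coverage of such samples depends on running them under more than one simulated environment rather than on a single default profile.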


Trigger Function

  • Trigger a function after a certain number of seconds

    • setTimeout("alert('Hello!')", 3000)

    • setInterval("clock()", 1000)

  • Trigger a function on a certain event

    • <body onload="load()">

    • <button id="j_id" onclick="j_function2();">

    • window.attachEvent or addEventListener

  • Trigger a function from a plugin

    • Call a JS function from ActionScript


Bypass de-obfuscation tool

  • Uncommon tag

    • Save content in CSS

  • Modification check

    • var hybxs = arguments.callee; hybxs = hybxs.toString();  // the function reads its own source text to detect edits


Browser Knowledge

JDOE Prototype


Browser Component


WebKit


DOM Tree


Current Solution

Phase I Review


Jsunpack

  • Lightweight

  • SpiderMonkey and Python

  • Sets hooks in the JS file

  • Environment DOM enumeration

  • Detection module (YARA)

  • PDF and SWF parser

  • Intrusion detection (libnids)

  • http://jsunpack.jeek.org/


Fireshark

  • Firefox Plugin

  • Main window and child frame source code

  • Main window and child frame DOM tree

  • HTTP requests and responses logged

  • Malicious URL check

  • URL redirection graph

  • http://fireshark.org/


Malzilla

  • Research tool

  • SpiderMonkey

  • Shellcode analysis

  • Limited DOM support

  • http://malzilla.sourceforge.net/


Limitations

  • Firefox-based

  • Limited DOM support

  • Limited de-obfuscation

  • Performance


JDOE

Phase I Review


JDOE

  • What engine do we want?

    • High performance

    • Good coverage

    • Good output and log formats

    • Analytics platform


JDOE

  • JDOE is based on Google Chrome

  • Render engine: WebKit

    • 85% of the smartphone browser market

    • 21% of the desktop browser market

    • Includes the DOM tree and parser

  • JavaScript engine: V8


Prototyping

  • JDOE is based on a test project for Chrome

    • Command-line tool, feasible to port as a server-side application

    • Able to simulate basic browser functions

    • Full DOM support

    • Good fault tolerance for malformed HTML

    • HTML-format output


JDOE Architecture


JDOE advantage

  • Based on Chrome and WebKit

  • Strong parser

  • Full DOM support

  • Fast JS execution

  • High coverage

  • Good extensibility


De-obfuscation Method

  • JDOE de-obfuscation method

    • Hook eval()

      • Capture the intermediate state of the JavaScript (the code passed to eval)

    • Print the final DOM tree

      • Capture the final state

      • document.write() adds nodes to the DOM tree, so written content appears there
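How an eval() hook and a final DOM dump fit together, as an added example that is not JDOE's code (JDOE works inside Chrome/V8; this reproduces the idea in plain Node.js). Global eval is replaced by a wrapper that records every string it is asked to execute before passing it on; setTimeout is replaced by an immediate runner so a string callback such as the setTimeout("...", 3000) trigger from the Trigger Function slide is not lost; and document.write is stubbed to collect what the last layer writes. The constructed sample, the `deobfuscate` helper and the timer shortcut are assumptions of this example. One caveat a practitioner should know: a wrapper installed from page-level JavaScript turns direct eval calls into indirect ones, so a layer that reads local variables of the calling function would not see them; that is the reason to hook inside the engine rather than in script.

```javascript
// Added example (not JDOE code): an eval() hook plus a document.write collector,
// reproducing the "hook eval, then dump the final DOM" idea in plain Node.js.

const originalEval = globalThis.eval;
const originalSetTimeout = globalThis.setTimeout;
const capturedLayers = [];   // every string handed to eval, outermost first

function hookedEval(code) {
  if (typeof code === 'string') capturedLayers.push(code);
  return originalEval(code);   // indirect eval: runs in global scope (see caveat)
}

// Timer shortcut: run the callback now instead of after the delay, and route
// string callbacks through the hook so they are recorded as a layer too.
function immediateSetTimeout(cb) {
  return typeof cb === 'string' ? globalThis.eval(cb) : cb();
}

function deobfuscate(sample) {
  capturedLayers.length = 0;
  // Minimal document stub: document.write appends to a list instead of a DOM tree.
  const doc = { written: [], write(html) { this.written.push(String(html)); } };
  globalThis.document = doc;
  globalThis.eval = hookedEval;
  globalThis.setTimeout = immediateSetTimeout;
  try {
    originalEval(sample);          // top-level sample, executed in global scope
  } finally {
    globalThis.eval = originalEval;
    globalThis.setTimeout = originalSetTimeout;
    delete globalThis.document;
  }
  return { layers: capturedLayers.slice(), dom: doc.written.slice() };
}

// Constructed three-layer sample. Innermost: a document.write. Middle: eval of the
// innermost. Outer: the middle layer stored as shifted char codes, decoded at run
// time and handed to setTimeout as a string, the trigger pattern from the slides.
const INNER = "document.write('<div id=\"payload\">unpacked</div>');";
const LAYER2 = "eval(" + JSON.stringify(INNER) + ");";
const SHIFTED = Array.from(LAYER2, ch => ch.charCodeAt(0) + 3);
const SAMPLE =
  "var p=" + JSON.stringify(SHIFTED) + ";var o='';" +
  "for(var i=0;i<p.length;i++){o+=String.fromCharCode(p[i]-3);}" +
  "setTimeout(o,3000);";

if (typeof require !== 'undefined' && require.main === module) {
  const result = deobfuscate(SAMPLE);
  result.layers.forEach((l, i) => console.log('layer ' + (i + 1) + ': ' + l));
  console.log('final DOM:', result.dom);
}
```

Running it records two layers (the decoded middle layer, then the innermost document.write call) and a final "DOM" containing the written div, without ever waiting for the three-second timer. The hooks are restored in a finally block so a sample that throws cannot leave the analysis process with a patched eval.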


Exploit kit Coverage

  • Exploit kit samples

    • Samples from the Top 10 exploit kits project

    • Total samples: 22, JDOE successes: 20

    • Coverage: 90.9%


Injection Coverage

  • Injection samples

    • Samples from obfuscation ThreatID matches

    • Total samples: 9,544, JDOE successes: 8,450

    • Coverage: 88.5%


Demo time

Demo


Challenge & Improvement

Status and Next Step


Challenge

  • Security

    • How to keep the JDOE server secure?

      • Upgrade plan

      • Sandbox

      • JavaScript audit

  • Performance

    • Disable external access

  • Coverage

    • Some special samples are not supported

    • Output format is defective on some special samples


Improvement

  • More trigger-function handlers

  • PDF and SWF parsers

  • Shellcode detection

  • JavaScript audit

  • Cloud-based integration

    • http://aceinsight.websense.com/

  • Auto analysis platform


JDOE

Questions?
