Circumventing Automated JavaScript Analysis - PowerPoint PPT Presentation

aglaia
circumventing automated javascript analysis l.
Skip this Video
Loading SlideShow in 5 Seconds..
Circumventing Automated JavaScript Analysis PowerPoint Presentation
Download Presentation
Circumventing Automated JavaScript Analysis

play fullscreen
1 / 64
Download Presentation
Presentation Description
178 Views
Download Presentation

Circumventing Automated JavaScript Analysis

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Circumventing Automated JavaScript Analysis Billy Hoffman (billy.hoffman@hp.com) HP Web Security Research Group

  2. Overview • JavaScript is part of attackers toolkit • All the “vanilla” stuff over • Packing traditional malware • IBM ISS: “In second half 2007 Web attack obfuscation approached 100%”* • Exploit frameworks amplify the problem • Rapid adoption of new techniques • We need tools to analyze this • How are we doing and can we win? * From: IBM Internet Security Systems X-Force® 2008 Mid-Year Trend Statistics

  3. Obfuscation Design Pattern • Malicious code is stored • String literals • Numeric literals • Decode function unpacks literals into new code • Ratio of literals to total code is huge! • Normal code: 2%-7% • Obfuscated code: > 30%

  4. Obfuscation Example

  5. Obfuscation != Malicious • Legitimate reasons for obfuscating • “Protect” client-side code • Reducing download size • Common packers • JSMin • Dean Edwards packer • Yahoo’s • Result: Its tough to know what to analyze


  6. Original Approach to JS Analysis • The Lazy Method • Replace dangerous calls with alert() • Run in a browser • The Tom Liston Method • Wrap writes in <TEXTAREA>’s • Run in a browser • The Perl-Fu Method • Port malware to in Perl • The Monkey Wrench Method • Run it in Spider Monkey

  7. Tricks to Defeating Analysis • Deliberate sandbox breaks • </TEXTAREA> • Integrity Checks • Arguments.callee.toString() • arguments.callee.toString().replace(/\W/g,"").toUpperCase(); • Gives source code of function body • Length checks • Use function body as key

  8. VBScript Wrapper • Still in use! • Older DHTML web apps • Plug-in enumeration (IE8) • Malware • No open source VBScript parsers • No public standard grammar • Not very wide-spread JavaScript JavaScript VBScript

  9. Preventing Sample Collection • Can’t reverse what you don’t have! • Track IPs • Geolocation • Blacklist security firms • Serve once per IP • User-agent sniffing • document.referrer tricks

  10. For those playing at home

  11. Approach Today • Combination of automatic and manual • Interpreters and debuggers (aka sandboxes) • Rhino • NJS • DecryptJS • SpiderMonkey • Trap/monitor certain events • DOM calls • eval()s, etc

  12. Its More Complex Than That • JS interpreter/debugger less than ½ the battle • JavaScript != DOM • Host objects • Events/Timers • HTTP requests • Error handling • DOM >= HTML • HTTP headers/cookies • Browser environment • Plug-ins

  13. Fundamental Issue Current JavaScript sandboxes fail to fully/properly emulate browser environment. These discrepancies are detectable by the JavaScript running inside the sandbox.

  14. Fundamental Issue . !=

  15. Detecting JavaScript Sandboxes • 4 big areas • DOM Testing • Network Testing • Execution Environment Testing • Plug-in Testing • Use test results • Decrypt next layer • Handshake to serve next layer

  16. DOM Testing • Using the DOM values • Detecting presence/lack of • Get and sets on values • Interacting with HTML elements

  17. DOM Testing: Basic • Sandbox Specific Functions • gc() • clone() • trap() • untrap() • readline() • Malware forces SpiderMonkey to die • try {quit();} catch (e) { }; //more code here

  18. Detecting Sandbox Specific Functions if(typeof(gc)==“function”) {… } else {…}

  19. Function Clobbering • JavaScript is highly dynamic • Can redefine functions at runtime!

  20. Redefining print() as quit()

  21. Redefining quit()To Nothing

  22. Intertwined DOM Properties • Various aliases in the DOM • document.location == window.location == document.URL • window == window.window == window.self == window.parent • == window.self.self.self.self... • Any global variable attaches to window • var spi = 5; window.spi == spi; //true • Set a value on one alias • Read on another alias • Different values means sandbox

  23. document.retarded • Mosaic Netscape 0.9beta (1994) • Set using HTTP headers • Set-Cookie: • Cookie: • Get/Set using JavaScript • document.cookie

  24. document.retarded • Mosaic Netscape 0.9beta (1994) • Set using HTTP headers • Set-Cookie: • Cookie: • Get/Set using JavaScript • document.cookie • Set using HTML • <META> tag

  25. Meta Tag • Supply meta data about HTML document • http-equiv attribute • Allows document to specify HTTP headers • Content overriding an application protocol

  26. HTTP-EQUIV to the rescue • Setting cookies with HTML <html> <meta HTTP-EQUIV="Set-Cookie" CONTENT="cook2=Value 2"> <meta HTTP-EQUIV="Set-Cookie" CONTENT="cook1=Value 1"> <script> alert(document.cookie); </script>

  27. Setting Cookies with HTML

  28. Hello Proprietary Extension! • Setting cookies with HTML <html> <meta HTTP-EQUIV="Set-Cookie" CONTENT="cook2=Value 2; HttpOnly"> <meta HTTP-EQUIV="Set-Cookie" CONTENT="cook1=Value 1"> <script> alert(document.cookie); </script>

  29. Setting Cookies with HTML

  30. More Meta Tag Fun • Hide Script in non-scriptable attribute <html> <title>Safe</title> <meta http-equiv="refresh" content="0;url=javascript:alert(‘EVIL’)“> <h1>All safe. Trust me!</h1> </html>

  31. HTTP Refresh Header • Completely remove JS from response body! HTTP/1.1 200 OK Refresh: 0;url=javascript:alert('EVIL!') Connection: close Content-Length: 29 <h1>I'm Clean... really.</h1>

  32. Psst! (IE8 supports the data:URI... data:text/html and data:text/javascript are awesome!)

  33. Network Testing • Sandbox use dummy network objects • Good “Are you a browser?” test • Use information about response • DNS successful? • Last Modified? • Image Dimensions? • Valid Response? • Forces Sandbox to send network traffic • Web bugs for hackers?

  34. Network Testing – DNS Lookups <script> var count =0; function loaded(name) {if(name!="bad")count++;} window.onload = function evil() { if(count == 1) alert("Browser!"); else alert("Sandbox!"); } </script> <iframe src="http://doesnotexist1" onload="loaded(this.name);" name="bad"></iframe> <iframe src="http://doesnotexist2" onload="loaded(this.name);" name="bad"></iframe> <iframe src="http://exists/foo.html" onload="loaded(this.name);" name="good"></iframe>

  35. Network Testing – DNS Lookups

  36. Network Testing - Images • Image object provides rich meta data • Length • Width • Image was valid? • CSS Images too • Use this information • Complex handshaking • Construct a Key var img = new Image(); img.onload = goodFunc; img.onerror = badFunc; img.src="http://evil.com/"

  37. Side Note: Image Side Channels • JavaScript Image object • Height + width = 8 bytes • How to send 0xFFFFFFFF without 4GB of pixel data? • GIF, PNG, Windows too short • BMP + RLE? Nope • XBM Image Format #define w 1351 #define h 1689 static char b[]={0};

  38. FF XBM WTF??!!!1111oneoneoneomg

  39. The Dan Kaminski Option

  40. Network Testing - Ajax • Ajax can see HTTP response headers • Complex handshaking • Construct a key var xhr = new XmlHttpRequest(); xhr.onreadystatechange = function() { if (xhr.readyState==4 && xhr.status=200) { if(xhr.getResponseHeader("Secr3t") == "key") { //do evil } } }

  41. Execution Environment Testing • Sandbox execute code differently • Trap function calls • Step/break on code • Manipulate data • Can tell these differences • Timing information • Event Order • Error Handling

  42. Timing Information • Use JavaScript’s Date object • Millisecond resolution times • Can detect paused execution <script> var start = (new Date()).getTime(); document.writeln(String.fromCharCode(66,77,72)); </script> <script> var diff= (new Date()).getTime() - start; if(diff < 3) document.writeln("Browser"); else document.writeln("Sandbox"); </script>

  43. Detecting Steps/Breaks with Timers … Count++ Count++ Count++ • Timers are a pain! • Can’t really wait 5 seconds • Ordering • Clearing • Can detect paused execution • Start a Timer • Perform some math operation • After fixed interval • Sample the value

  44. Detecting Steps/Breaks with Timers var count = 0; setInterval("count++;", 10); setTimeout(checkSum, 1000); function checkSum() { //allow for skew if(count >= 950 && count <=1000) { alert("Browser"); } else { alert("Sandbox"); } }

  45. Event Order • Sandboxs don’t run events in the proper order • XmlHttpRequest’s onreadystatechange() fires 4 times • onclick() >> onclick() >> ondbclick() • onkeydown() >> onkeyup() >> onkeypress() • onmousedown() >> onmouseup() >> onclick() • onmouseover() >> onmousemove() • onclick() >> onfocus() (for inputs) • onfocus() >> onblur() • onload() >> onunload()

  46. Advanced Event Order • Dependant’s onload before window.onload • iFrames • Images • Event propagation • DOM events must bubble • Continue based on return value of event • Events that never fire • Invisible with CSS WINDOW BODY DIV DIV onclick onclick onclick INPUT

  47. Error Handling • window.onerror handles uncaught exceptions • Induce syntax errors • Recover in handler <script> window.onerror = function() { //evil code } </script> <script> Lolz &nd B00m$; //Syntax Error </script>

  48. Error Handling • window.onerror handles uncaught exceptions • Induce runtime errors • Harder to handle/debug window.onerror = function() { //evil code } function boom() { return ‘so long!’ & boom(); } boom(); // error too much recursion

  49. Advanced Error Handling • Detailed info passed to window.onerror • Message • File • Line Number • Can be to • Fingerprint web browser • Verify domain/location • Construct a decryption key

  50. Plug-in Testing • Not just navigator.plug-ins checks • Timing is a cool test • Did I really invoke that ActiveX object? • Sizing is a cool test • Is that Applet really 400 x 300? • Cross Communication • Really sexy! • Apply previous methods inside plug-in • Error handling, Eventing, etc