informa
News

Malware & Attacker, Exposed

New research will show how to decode malware hidden with JavaScript

Smart attackers are always looking for ways to disguise their malware so it can do its dirty work undetected, and JavaScript is becoming a popular tool for slipping malware into the browser.

This increasingly popular form of malware obfuscation can be frustrating to the naked eye. But researcher Jose Nazario, senior software and security engineer for Arbor Networks, says the good news is: For every JavaScript-endcoded payload there's a corresponding decoder to unravel it. Nazario will discuss his research on reverse-engineering JavaScript later this month at the CanSecWest conference.

"They use JavaScript to obscure what's going on. It looks almost encrypted, so researchers look at it and say they can't make heads or tails of it," Nazario says. Then it can get known exploits past security scanners. But all is not lost: "The decoder ships along with it so the browser can decode [the JavaScript] and run. So we simply run the decoder."

And once you get to the malware beneath the JavaScript cover, you can dig in and analyze characteristics about the attacker, pinpoint the malware distribution points, and shut them down -- and even figure out what data the attacker is after, as well as his endgame. "We can find out if there's spyware, where is the information going? If they are taking information stolen from a computer and emailing to an account at Gmail, we contact the security [people] there and tell them here are the mailboxes used to receive information from spyware-infected boxes," he explains.

Nazario says he and fellow researchers can also detect IRC bots, and shut them down, too. "If we didn't have visibility into what the obfuscated exploits were doing, we wouldn't get any of that."

It comes down to attackers shifting their focus toward clients, namely Web browsers. "They used to wait for you to come to them as clients." But now more attackers are targeting the browser itself, he says. "We are seeing a lot of attacker interest recently in this."

There are around 10 major endcoder/decoder tools available today, according to Nazario, including HTML Protector, Advanced HTML Protector, and ScriptAsylum.

Being able to reverse-engineer malware lets an analyst determine if the attacker is going after banking site passwords, gaming license keys, or just to install bot software or spamkits, Nazario says. "There's some attacker profiling we do."

If an attacker only recycles existing malware tools or does a minor edit to them, that indicates a low level of skill. But the danger here is that it can spread more quickly, although it's easier to detect and mitigate in the end, he says.

Attackers who write their own code are typically more sophisticated and determined. "We see a very small number of people who write their own private exploit code. You know then that you've got an adversary who studies the technology, is highly motivated, and making a bunch of money off of this."

And every attacker has his or her own "voice," with certain techniques or clues in their coding that can identify it's the same attacker doing the dirty deed. "There's a behavioral marker for that person. We all have a set of skills we fall back on. We all have a unique voice."

Still, if there's Visual Basic involved in the JavaScript-based attack, decoding won't help. "The biggest problem we have is understanding obfuscated Visual Basic script," which is sometimes done manually.

Aside from Nazario and his colleagues at Arbor, Websense and SANS Internet Storm Center researchers have beeen blogging about decoding obfuscated JavaScript code. But Nazario says even if it becomes a more widespread reverse-engineering practice, the attackers will find a way to get around it. "We already have seen a few anti-reverse engineering techniques" out there, he says.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • Arbor Networks Inc.
  • Websense Inc. (Nasdaq: WBSN)
  • The SANS Institute
  • Recommended Reading: