By mohamed saher and ahmed garhy

By mohamed saher and ahmed garhy
Catch and release: a new look at detecting and mitigating highly obfuscated Exploit Kits By mohamed saher and ahmed garhy

Agenda Our Intent Rethinking Evasions Domain of the Problem
Current Problem Problem with Current Solutions Solution #1 First Method Solution #2 Second Method

Our intent Is this function malicious?
function Translate(objects, offset, size) { var length = 4; for (var i = 0; i < size; i++) { var r = rc.substr(0, length); if(offset > 0) { r = r.substr(offset) + r.substr(0, offset); } objects[i] = r.substr(0, r.length);

Our intent Is this function malicious?
function Translate(objects, offset, size) { var length = 4; for (var i = 0; i < size; i++) { var r = rc.substr(0, length); if(offset > 0) { r = r.substr(offset) + r.substr(0, offset); } objects[i] = r.substr(0, r.length); Without understanding the context on how a function is used, it is very difficult to determine if it is malicious or not

Our intent What about this script? <script>
var a = '%25%33%43%69%66%72%61%6d%65 ...'; var b = unescape(unescape(a)); var spray = new Function(unescape(b)); </script>

var a = '%25%33%43%69%66%72%61%6d%65 ...'; var b = unescape(unescape(a)); var spray = new Function(unescape(b)); </script> An “expert’s eye” can probably determine it looks suspicious. The two are actually equal to each other

var a = '%25%33%43%69%66%72%61%6d%65 ...'; var b = unescape(unescape(a)); var spray = new Function(unescape(b)); </script> An “expert’s eye” can probably determine it looks suspicious. The two are actually equal to each other Our intent is to allow an attack using the first example script, without depending on obfuscating like the second example script, and propose a more superior method for detecting both

Rethinking evasions Designing a new architecture

Rethinking evasions Designing a new architecture
Use a message oriented architecture (MOA) to split the attack into disparate self contained messages – we refer to this as “units of work”

Use a message oriented architecture (MOA) to split the attack into disparate self contained messages – we refer to this as “units of work” This is a variation of the “script splitting” technique except a message exists within a local scope and is destroyed after it serves its purpose

Use a message oriented architecture (MOA) to split the attack into disparate self contained messages – we refer to this as “units of work” This is a variation of the “script splitting” technique except a message exists within a local scope and is destroyed after it serves its purpose Does not require DOM manipulation to hide “magic strings”

Use a message oriented architecture (MOA) to split the attack into disparate self contained messages – we refer to this as “units of work” This is a variation of the “script splitting” technique except a message exists within a local scope and is destroyed after it serves its purpose Does not require DOM manipulation to hide “magic strings” Avoid the “magic redirect IFRAME” that can be a trigger for some analyzers

Rethinking evasions Designing a new architecture Avoiding HTTP

Rethinking evasions Designing a new architecture Avoiding HTTP
An artifact that can be parsed or scanned for patterns, characteristics, and definitions does not exist

An artifact that can be parsed or scanned for patterns, characteristics, and definitions does not exist An alternative to loading JavaScript in “clear text”

An artifact that can be parsed or scanned for patterns, characteristics, and definitions does not exist An alternative to loading JavaScript in “clear text” Load one message at a time, forcing each message to be analyzed independently – remember “units of work”

An artifact that can be parsed or scanned for patterns, characteristics, and definitions does not exist An alternative to loading JavaScript in “clear text” Load one message at a time, forcing each message to be analyzed independently – remember “units of work” Web Sockets are a perfect candidate for both MOA and bypassing HTTP from a web environment

Avoiding client side state

Avoiding client side state Two components involved, client and server Client Listen Invoke

Avoiding client side state Two components involved, client and server Client Server Listen State Invoke Send

Avoiding client side state Two components involved, client and server For each accepted connection from a client, server maintains a state machine

Avoiding client side state Two components involved, client and server For each accepted connection from a client, server maintains a state machine Messages are essentially commands and do not depend on each other – remember “units of work”

Avoiding client side state Two components involved, client and server For each accepted connection from a client, server maintains a state machine Messages are essentially commands and do not depend on each other – remember “units of work” Client evaluates message, invokes message, and destroys it

Avoiding client side state Limit control flow and function call hierarchy

Avoiding client side state Limit control flow and function call hierarchy Only client control flow is that of the client listening and invoking a message

Avoiding client side state Limit control flow and function call hierarchy Only client control flow is that of the client listening and invoking a message Order of messages not guaranteed by server. Server may send NOP messages as part of an attack to trick certain analyzers

Avoiding client side state Limit control flow and function call hierarchy Only client control flow is that of the client listening and invoking a message Order of messages not guaranteed by server. Server may send NOP messages as part of an attack to trick certain analyzers “Monkey patch” functions dynamically evaluated in messages to trick certain analyzers

Avoiding client side state Limit control flow and function call hierarchy Getting creative in transport format

Avoiding client side state Limit control flow and function call hierarchy Getting creative in transport format Web Sockets are simple TCP pipes, so data can be represented on the wire in an application specific way

Avoiding client side state Limit control flow and function call hierarchy Getting creative in transport format Web Sockets are simple TCP pipes, so data can be represented on the wire in an application specific way No longer restricted to sending JavaScript in clear text

Avoiding client side state Limit control flow and function call hierarchy Getting creative in transport format Web Sockets are simple TCP pipes, so data can be represented on the wire in an application specific way No longer restricted to sending JavaScript in clear text Create custom binary format

Avoiding client side state Limit control flow and function call hierarchy Getting creative in transport format Web Sockets are simple TCP pipes, so data can be represented on the wire in an application specific way No longer restricted to sending JavaScript in clear text Create custom binary format Send message in binary on the wire

Avoiding client side state Limit control flow and function call hierarchy Getting creative in transport format Web Sockets are simple TCP pipes, so data can be represented on the wire in an application specific way No longer restricted to sending JavaScript in clear text Create custom binary format Send message in binary on the wire Simply looking at a binary message won't give hints about what its contents are – is it an audio file, an image, even text?

Avoiding client side state Limit control flow and function call hierarchy Getting creative in transport format Web Sockets are simple TCP pipes, so data can be represented on the wire in an application specific way No longer restricted to sending JavaScript in clear text Create custom binary format Send message in binary on the wire Simply looking at a binary message won't give hints about what its contents are – is it an audio file, an image, even text? To even begin to understand a binary message, its format specification needs to be known beforehand or else it is a very challenging problem in its own

Avoiding client side state Limit control flow and function call hierarchy Getting creative in transport format Confusing the Context

Avoiding client side state Limit control flow and function call hierarchy Getting creative in transport format Confusing the Context Remember this function? function Translate(objects, offset, size) { var length = 4; for (var i = 0; i < size; i++) { var r = rc.substr(0, length); if(offset > 0) { r = r.substr(offset) + r.substr(0, offset); } objects[i] = r.substr(0, r.length);

Avoiding client side state Limit control flow and function call hierarchy Getting creative in transport format Confusing the Context Remember this function? function Translate(objects, offset, size) { var length = 4; for (var i = 0; i < size; i++) { var r = rc.substr(0, length); if(offset > 0) { r = r.substr(offset) + r.substr(0, offset); } objects[i] = r.substr(0, r.length); Now that we get this from our binary format, we again ask the question, how do you determine if it is malicious?

Domain of the problem How can we define a malicious website?

Domain of the problem How can we define a malicious website?
How can we detect a malicious website?

How can we detect a malicious website? How can we detect obfuscation?

How can we detect a malicious website? How can we detect obfuscation? How can we identify obfuscation used for malicious purposes?

How can we detect a malicious website? How can we detect obfuscation? How can we identify obfuscation used for malicious purposes? How can we categorize what is malicious and what is not?

Current Problem Exploits delivered at some point relies on JavaScript

Current Problem Exploits delivered at some point relies on JavaScript
JavaScript is continuously getting obfuscated with more complexity

Current Problem Exploits delivered at some point relies on JavaScript
JavaScript is continuously getting obfuscated with more complexity Current solutions are way behind in technology

Problems with current solutions
Relies heavily on invocative functions that are not a concrete base to be malicious (fromCharCode, eval, unescape, etc.) and have plenty of legitimate use cases

Relies heavily on invocative functions that are not a concrete base to be malicious (fromCharCode, eval, unescape, etc.) and have plenty of legitimate use cases DOM and CSS selectors

Relies heavily on invocative functions that are not a concrete base to be malicious (fromCharCode, eval, unescape, etc.) and have plenty of legitimate use cases DOM and CSS selectors Client side proxies for client-server interaction

Relies heavily on invocative functions that are not a concrete base to be malicious (fromCharCode, eval, unescape, etc.) and have plenty of legitimate use cases DOM and CSS selectors Client side proxies for client-server interaction Client side template engines

Relies heavily on invocative functions that are not a concrete base to be malicious (fromCharCode, eval, unescape, etc.) and have plenty of legitimate use cases Limited sets of characteristics

Relies heavily on invocative functions that are not a concrete base to be malicious (fromCharCode, eval, unescape, etc.) and have plenty of legitimate use cases Limited sets of characteristics Probabilistic decisions is directly proportional with the characteristics extracted

Types of approaches Dynamic analysis of embedded JS

Types of approaches Dynamic analysis of embedded JS
Static analysis of extracted JS (Method #1)

Types of approaches Dynamic analysis of embedded JS
Static analysis of extracted JS (Method #1) Static analysis of extracted JS (Method #2)

Dynamic Analysis AdHoc Forwarding

Dynamic Analysis AdHoc Forwarding
Create a middle layer between the browser and the JS engine

Create a middle layer between the browser and the JS engine Analyze the CFG of the scripts being executed

Create a middle layer between the browser and the JS engine Analyze the CFG of the scripts being executed Analyze a call hierarchy of functions order

Create a middle layer between the browser and the JS engine Analyze the CFG of the scripts being executed Analyze a call hierarchy of functions order Analyze certain combination of functions used including known highly risky ones

Dynamic Analysis AdHoc Forwarding Browser Automation

Dynamic Analysis AdHoc Forwarding Browser Automation
Attach to IE process

Attach to IE process Use shdocvw.dll to automate COM callbacks

Attach to IE process Use shdocvw.dll to automate COM callbacks Capture events while they trigger and manipulate them

Attach to IE process Use shdocvw.dll to automate COM callbacks Capture events while they trigger and manipulate them Analyze in the same manner as AdHoc Forwarding

Browser In-Memory Injection

Browser In-Memory Injection Inject JS in DOM to monitor events

Browser In-Memory Injection Inject JS in DOM to monitor events Use a JS Debugger (FireBug or other)

Static analysis (Method 1)
Extract local scripts

Extract local scripts Extract remote scripts

Analyze the script and categorize them based on certain criteria

Analyze the script and categorize them based on certain criteria Web page encoding

Analyze the script and categorize them based on certain criteria Web page encoding Detecting current language used and extracting features

Analyze the script and categorize them based on certain criteria Web page encoding Detecting current language used and extracting features Check the WHOIS for the web page

Analyze the script and categorize them based on certain criteria Web page encoding Detecting current language used and extracting features Check the WHOIS for the web page Determine probabilistically to which category it belongs to

Shannon’s entropy Formula

Shannon’s entropy Formula
We use Shannon’s Entropy to determine the entropy of the file only as a side-effect and not a main criteria to determine the decision whether it was malicious or not

Naïve Bayesian A machine-learning technique that can be used to predict to which category a particular data case belongs

Naïve Bayesian A machine-learning technique that can be used to predict to which category a particular data case belongs Given the above formula’: An event A is INDEPENDENT from event B if the conditional probability is the same as the marginal probability

Laplacian Smoothing To avoid having a 0 joint in any partial probability we use the add-one smoothing technique

Laplacian Smoothing To avoid having a 0 joint in any partial probability we use the add-one smoothing technique. Given an observation x = (x1, …, xd) from a multinomial distribution with N trials and parameter vector θ = (θ1, …, θd), a "smoothed" version of the data gives the estimator where α > 0 is the smoothing parameter (α = 0 corresponds to no smoothing)

How is JS executed/handled?

How is JS executed/handled? The code is scanned for all function(s) declaration. Each declaration is executed by creating a function object and a named reference to that function is created so that the function can be called from within a statement.

How is JS executed/handled? The code is scanned for all function(s) declaration. Each declaration is executed by creating a function object and a named reference to that function is created so that the function can be called from within a statement. The statements are evaluated and executed by order as they appear on the page after fully loaded.

JS Example #1 This works <script> DoNothing(); function DoNothing() { return; } </script>

JS Example #2 This does not works <script> DoNothing(); </script> function DoNothing() { return; }

JS Example #3 This works <script> function DoNothing() { return; } </script> DoNothing();

JS Example #3 <script> // assuming that DoNothing is not defined DoNothing(); alert(1); </script> This does not works

JS Example #3 <script> // assuming that DoNothing is not defined DoNothing(); </script> alert(1); This works

Semantic analysis to focus on “what does this mean”

Semantic analysis to focus on “what does this mean” Optimizer-Compiler for JS which focuses on structure other than extracted invocative functions

Optimizer-compiler The following describes the architecture of any ordinary compiler and the current compiler as well Lexer Tokens Parser AST Translator IR Optimizer

Optimizer-compiler At this phase the optimizer tries to optimize the JS input based on optimization theories after the AST was generated and converted into an IR Optimizer Hidden Classes

Optimizer-compiler At this phase the optimizer tries to optimize the JS input based on optimization theories after the AST was generated and converted into an IR Optimizer Hidden Classes Type Inference

Optimizer-compiler At this phase the optimizer tries to optimize the JS input based on optimization theories after the AST was generated and converted into an IR Optimizer Hidden Classes Type Inference Inline Caches

Optimizer-compiler At this phase the optimizer tries to optimize the JS input based on optimization theories after the AST was generated and converted into an IR Optimizer Hidden Classes Type Inference Inline Caches Function Synthesis

Optimizer-compiler At this phase the optimizer tries to optimize the JS input based on optimization theories after the AST was generated and converted into an IR Optimizer Inline Expansion Hidden Classes Type Inference Inline Caches Function Synthesis

Loop Invariant Code Motion
Optimizer-compiler At this phase the optimizer tries to optimize the JS input based on optimization theories after the AST was generated and converted into an IR Optimizer Inline Expansion Loop Invariant Code Motion Hidden Classes Type Inference Inline Caches Function Synthesis

Optimizer-compiler At this phase the optimizer tries to optimize the JS input based on optimization theories after the AST was generated and converted into an IR Optimizer Inline Expansion Loop Invariant Code Motion Hidden Classes Constant Folding Type Inference Inline Caches Function Synthesis

Optimizer-compiler At this phase the optimizer tries to optimize the JS input based on optimization theories after the AST was generated and converted into an IR Optimizer Inline Expansion Loop Invariant Code Motion Hidden Classes Constant Folding Type Inference Copy Propagation Inline Caches Function Synthesis

Optimizer-compiler At this phase the optimizer tries to optimize the JS input based on optimization theories after the AST was generated and converted into an IR Optimizer Inline Expansion Loop Invariant Code Motion Hidden Classes Constant Folding Type Inference Copy Propagation Inline Caches Common Sub-Expression Elimination Function Synthesis

Optimizer-compiler At this phase the optimizer tries to optimize the JS input based on optimization theories after the AST was generated and converted into an IR Optimizer Inline Expansion Loop Invariant Code Motion Hidden Classes Constant Folding Type Inference Copy Propagation Inline Caches Common Sub-Expression Elimination Function Synthesis Dead Code Elimination

By mohamed saher and ahmed garhy

Similar presentations

Presentation on theme: "By mohamed saher and ahmed garhy"— Presentation transcript:

Similar presentations

About project

Feedback

Log in

Auth with social network:

By mohamed saher and ahmed garhy

Similar presentations

Presentation on theme: "By mohamed saher and ahmed garhy"— Presentation transcript:

Similar presentations

About project

Feedback