Research: JavaScript Cryptography/Obfuscation techniques used in Drive-By-Download attacks


To discuss these further, please join our group list.

A recent and common practice among attackers is to infect victims with malware using a rising methodology called 'drive-by download'. The Angler Exploit Kit, for example, uses obfuscated JavaScript code in these attacks. The attack targets vulnerable browsers (Internet Explorer) to inject its payload: it creates a malicious web page containing encrypted or obfuscated JavaScript code that hides or disguises the exploitation part. Given the great popularity of this attack, this research would like to answer the following questions.

Research questions:
  1. Are current browsers able to identify web pages containing this malicious, obfuscated JavaScript code?
  2. If they do, what kind of messages are displayed to the users?
  3. Are these messages enough to alert users regarding potential exploitation?
  4. If not, what possible solutions could be developed to alert potential victims or users about the attack before it is too late?
Preliminary findings

We ran a small test with a malicious web page containing obfuscated JavaScript code (using Base64); it can be easily de-obfuscated using the JavaScript Deobfuscator Firefox add-on. Reading the decoded code shows that the targeted browser is Microsoft IE and that the script tries to instantiate an ActiveXObject component. Opening this page in IE version 11.0.9600.18053 does alert the user that content was blocked, but it does not explain the nature of that content or why it was blocked. An inexperienced user could simply unblock the content, believing they have landed on a legitimate site, or open the HTML page directly. If the user allows the content to be unblocked, the script proceeds to contact a suspicious domain name via UDP/DNS.

Firefox JavaScript DeObfuscator

This add-on shows you what JavaScript code runs on a web page, even if it is obfuscated and generated on the fly. Simply open JavaScript Deobfuscator from the Web Developer menu and watch the scripts being compiled and executed.

Scripts to obfuscate and deobfuscate

Ali Ramzoo has kindly created some basic scripts that show how obfuscation and de-obfuscation work:
  1. Put file.html and good.js in the same directory on your desktop.
  2. Open file.html and you will see it display the clock.
  3. Now run the Python file. It will open good.js in the same directory and write its output to encode.js [see encode.js too, but you can generate it yourself].
  4. Now edit the HTML source code and replace src="good.js" with src="encode.js" [or replace the content of encode.js with good.js].
  5. Open file.html again and you will see it works the same as before; we have just encoded good.js :)
This way we can automatically generate more powerful encodings with Python and convert any .js file to a random encoding or to some formula-based encoding ...
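The following Python script is an added example for this page, not Ali Ramzoo's script nor the page's file.html/good.js/encode.js. It serves both the preliminary finding above (a Base64-wrapped script that, once decoded, reveals an ActiveXObject call aimed at IE) and the encode/decode steps just listed: wrap_base64() reproduces the kind of transform the encoding script applies (the script behaves the same, only its text changes), and deobfuscate() does statically what the Firefox add-on does at runtime, peeling eval(atob(...)) and eval(unescape(...)) layers and flagging indicators in the decoded code. The clock script, the suspect script, the .invalid domain and the indicator list are constructed for the example.

```python
import base64
import re
import urllib.parse

# Constructed samples (not the page's files). CLOCK_JS stands in for good.js;
# SUSPECT_JS stands in for the decoded page from the preliminary findings.
CLOCK_JS = 'document.getElementById("clock").textContent = new Date().toLocaleTimeString();'
SUSPECT_JS = ('var x = new ActiveXObject("Microsoft.XMLHTTP"); '
              'x.open("GET", "http://suspicious-domain.invalid/", false); x.send();')

# Strings a defender would flag in decoded script (assumed list for the example).
INDICATORS = ("ActiveXObject", "WScript.Shell", "fromCharCode", "document.write")

# The base64 stub produced by wrap_base64 and a nested %XX wrapper stacked on top of it.
ATOB_RE = re.compile(r'atob\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)')
UNESCAPE_RE = re.compile(r'unescape\(\s*["\']((?:%[0-9A-Fa-f]{2})+)["\']\s*\)')


def wrap_base64(js_source):
    """Encode a script as Base64 and emit a stub that decodes and runs it in the browser.
    This mirrors the good.js -> encode.js step: same behaviour, different text."""
    encoded = base64.b64encode(js_source.encode("utf-8")).decode("ascii")
    return f'eval(atob("{encoded}"));'


def percent_escape(js_source):
    """Second layer: percent-encode every byte and wrap it in eval(unescape(...))."""
    escaped = "".join("%%%02X" % b for b in js_source.encode("utf-8"))
    return f'eval(unescape("{escaped}"));'


def peel_layer(script):
    """Return the decoded content of the first atob/unescape literal, or None if
    the script carries no such wrapper."""
    m = ATOB_RE.search(script)
    if m:
        return base64.b64decode(m.group(1)).decode("utf-8", "replace")
    m = UNESCAPE_RE.search(script)
    if m:
        return urllib.parse.unquote(m.group(1))
    return None


def deobfuscate(script, max_layers=5):
    """Peel wrappers until plain code remains or max_layers is reached.
    Returns (decoded_script, number_of_layers_removed)."""
    current, layers = script, 0
    while layers < max_layers:
        inner = peel_layer(current)
        if inner is None:
            break
        current, layers = inner, layers + 1
    return current, layers


def find_indicators(script):
    return [ind for ind in INDICATORS if ind in script]


def analyse(script):
    """Static analysis result for one script block: layers removed, decoded text,
    and which indicators the decoded text contains."""
    decoded, layers = deobfuscate(script)
    return {"layers": layers, "decoded": decoded, "indicators": find_indicators(decoded)}


def demo():
    """Analyse the one-layer clock script and the two-layer suspect script."""
    benign = wrap_base64(CLOCK_JS)
    layered = percent_escape(wrap_base64(SUSPECT_JS))
    return analyse(benign), analyse(layered)


if __name__ == "__main__":
    for result in demo():
        print(f'{result["layers"]} layer(s) removed; indicators: {result["indicators"]}')
        print("  decoded:", result["decoded"])
```

The point of the two samples is the one the preliminary findings make: the encoded text of the clock script and of the ActiveXObject script look alike to a naive scanner, so a blocked-content warning that never shows the decoded code gives the user nothing to judge. Matching on indicators only after peeling the wrappers is what separates the two; the regular expressions cover only the two wrapper styles named above, so a real scanner would need more decoders (fromCharCode arrays, split-and-join strings, and so on).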