
For every JavaScript-encoded payload there's a corresponding decoder to unravel it
Written by Daniel   
Wednesday, 04 April 2007 06:46

Malware & Attacker, Exposed
Kelly Jackson Higgins, Senior Editor,
Dark Reading

APRIL 4, 2007 | Smart attackers are always looking for ways to disguise their malware so it can do its dirty work undetected, and JavaScript is becoming a popular tool for slipping malware into the browser.

This increasingly popular form of malware obfuscation can be frustrating to the naked eye. But researcher Jose Nazario, senior software and security engineer for Arbor Networks, says the good news is: For every JavaScript-encoded payload there's a corresponding decoder to unravel it. Nazario will discuss his research on reverse-engineering JavaScript later this month at the CanSecWest conference.

"They use JavaScript to obscure what's going on. It looks almost encrypted, so researchers look at it and say they can't make heads or tails of it," Nazario says. Then it can get known exploits past security scanners. But all is not lost: "The decoder ships along with it so the browser can decode [the JavaScript] and run. So we simply run the decoder."

And once you get to the malware beneath the JavaScript cover, you can dig in and analyze characteristics about the attacker, pinpoint the malware distribution points, and shut them down -- and even figure out what data the attacker is after, as well as his endgame. "We can find out if there's spyware, where is the information going? If they are taking information stolen from a computer and emailing to an account at Gmail, we contact the security [people] there and tell them here are the mailboxes used to receive information from spyware-infected boxes," he explains.

Nazario says he and fellow researchers can also detect RFC bots, and shut them down, too. "If we didn't have visibility into what the obfuscated exploits were doing, we wouldn't get any of that."

It comes down to attackers shifting their focus toward clients, namely Web browsers. "They used to wait for you to come to them as clients." But now more attackers are targeting the browser itself, he says. "We are seeing a lot of attacker interest recently in this."

There are around 10 major encoder/decoder tools available today, according to Nazario, including HTML Protector, Advanced HTML Protector, and ScriptAsylum....

Copyright ©2001 - 2012, AOA Forums.  All rights reserved.
