Malware attacks on unsuspecting Internet users' browsers are becoming more and more common. New techniques for bypassing the filters used by security vendors keep emerging. In turn, the filters get better and new analysis tools are developed; the war continues. In this presentation you will learn how crackers try to hamper the work of security engineers, and how reversers overcome those obstacles. Emphasis is placed on the weaknesses of automated tools: we will try to avoid detection by jsunpack and Capture-HPC, and we will also trick Dean Edwards' Unpacker.
There is no perfect obfuscation [cs.princeton.edu]
Analysis as debugging
"Debugging is twice as hard as writing a program in the first place. So if you're as clever as you can be when you write it, how will you ever debug it?"
Brian Kernighan, The Elements of Programming Style
You could easily detect being run in the jsunpack sandbox
When detected, you just skip doing bad stuff
If malware code is obfuscated, it will not be detected with signatures
You go under the radar of jsunpack analysis
OWASP 22
Dean Edwards' Unpacker
A JavaScript Decompressor [dean.edwards.name]
Reverses Dean Edwards' packer
Packer works like this:
eval(function(p,a,c,k,e,r){/*code*/}(para, meters))
/* which is the same as */
var packer = function(p,a,c,k,e,r) {/**/};
var s = packer(para, meters);
eval(s);
Unpacker - step 1
Replace eval() with string assignment
value holds decompressed code
But! we're blindly executing cut&pasted code!

// packed code is in input
var input = "eval(function(p,a,c,k....";
eval("var value=String" + input.slice(4)); // cut "eval"
// executed code will be:
// var value=String(function(p,a,c,k..);
Unpacker - step 2
Use Function.toString() to display the code
Unpacked code WILL NOT RUN, it will just print!

// packed code is in input
var input = "eval(function(p,a,c,k....";
eval("var value=String" + input.slice(4)); // cut "eval"
// executed code will be:
// var value=String(function(p,a,c,k..);
Disclaimer - the real code is a bit different, but the concept is the same