Bypassing Antivirus Detection With JavaScript Obfuscation

JavaScript Code Obfuscation Or How To Bypass Antivirus Detection

A one liner definition of obfuscation from Wikipedia:

In software development, obfuscation is the deliberate act of creating obfuscated code, i.e. source or machine code that is difficult for humans to understand.

Obfuscated JavaScript code is a widely used technique to hide initial functionality of a given script. There is nothing malicious in obfuscation itself. Its valid use can be to protect intellectual property of a developer or a company implemented given script or library; to compress code; to decrease size of downloaded web page; and etc.

Due to its popularity there are plenty of free online obfuscators that easily translate simple JavaScript code to something unreadable and mostly impossible for human understanding.

Let's run a simple example:

We have a simple JavaScript snippet. All that it does is showing the message window with string "Obfuscated string"
We can have something like this:

1. var a="Obfuscated string";
2. function msg(m){alert(m);}
3. msg(a);

Passing this script through freely available online obfuscators http://javascriptobfuscator.com/ and http://javascriptcompressor.com/ gives us two completely different outputs:

var _0x86eb=["\x4F\x62\x66\x75\x73\x63\x61\x74\x65\x64\x20\x73\x74\x72\x69\x6E\x67"]; var a=_0x86eb[0];function msg(_0x988dx3){alert(_0x988dx3);} ;msg(a);

and

eval(function(p,a,c,k,e,r){e=String;if(!''.replace(/^/,String)){while(c--)r[c]=k[c]||c;k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('3 0="4 5";6 1(2){7(2)}1(0);',8,8,'a|msg|m|var|Obfuscated|string|function|alert'.split('|'),0,{}))

Not we can go further and pass the output of the first obfuscator through the second one which will give us result even more far different from the original script:

eval(function(p,a,c,k,e,r){e=function(c){return c.toString(a)};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('1 4=["\\9\\c\\i\\k\\2\\7\\8\\3\\b\\l\\d\\2\\3\\e\\f\\g\\h"];1 a=4[0];j 5(a){6(a)};5(a);',22,22,'|var|x73|x74|_0x86eb|msg|alert|x63|x61|x4F||x65|x62|x20|x72|x69|x6E|x67|x66|function|x75|x64'.split('|'),0,{}))

This far, without any special skills required, we have converted original source code to something completely not related and "unreadable". Our intellectual property is safe and unless, of course, a group of hackers will spent time dedicated to de-obfuscation (there are no 100% proof targets as history shows).

Hiding malicious code in the web

Unfortunately, JavaScript obfuscation is used not only for legal and legitimate purposes. Almost every exploit kit (for example http://en.wikipedia.org/wiki/Blackhole_exploit_kit) utilizes JavaScript obfuscation algorithms in order bypass antivirus protection and invisibly inject malware into victim PC or touch devices.

Worth mentioning website malware cases are being collected with public online Website Malware Scanner. Some cases of execution flow of JavaScript threats:

http://pastebin.com/uMX957TZ
http://pastebin.com/6ByZH4GT
http://pastebin.com/VPkKXeMJ

Looking at the analysis we can see that the target of all these threats is to inject hidden iframe, which finally redirects visitors browser to malware distribution server. Successful attack results in silently installed malware on PC or touch devices that were used to visit infected web site.

So why JavaScript obfuscation bypass antivirus detection?

Fairly, there are few integral parts playing a major role in this puzzle. First of all JavaScript itself is simple and very rich language that provides possibility for dynamic generation and execution of script code using eval and unescape methods. This fact backed with all modern obfuscation techniques make it simply impossible to detect such payload using pattern-based engines utilized by antiviruses.

Antiviruses are still an essential part of the secure perimeter as they capable to prevent accessing links to known infected web servers that distribute malware. Obviously, the remaining issue here is that thousands of new web servers hacked and compromised day by day while it take some amount of time until such web servers get listed in antivirus blacklist.

If you suspect your website was compromised or would like us to remove the malware, please select from ThreatSign - website monitoring and malware clean-up plans. To run free remote scan of your websites: http://quttera.com/website-malware-scanner

For other questions, do not hesitate to contact Quttera's help-desk.