JavaScript Code Obfuscation Or How To Bypass Antivirus Detection
A one liner definition of obfuscation from Wikipedia:
Obfuscated JavaScript code is a widely used technique to hide initial functionality of a given script. There is nothing malicious in obfuscation itself. Its valid use can be to protect intellectual property of a developer or a company implemented given script or library; to compress code; to decrease size of downloaded web page; and etc.
Due to its popularity there are plenty of free online obfuscators that easily translate simple JavaScript code to something unreadable and mostly impossible for human understanding.
Let's run a simple example:
We have a simple JavaScript snippet. All that it does is showing the message window with string "Obfuscated string"
We can have something like this:
var _0x86eb=["\x4F\x62\x66\x75\x73\x63\x61\x74\x65\x64\x20\x73\x74\x72\x69\x6E\x67"]; var a=_0x86eb[0];function msg(_0x988dx3){alert(_0x988dx3);} ;msg(a);
and
eval(function(p,a,c,k,e,r){e=String;if(!''.replace(/^/,String)){while(c--)r[c]=k[c]||c;k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('3 0="4 5";6 1(2){7(2)}1(0);',8,8,'a|msg|m|var|Obfuscated|string|function|alert'.split('|'),0,{}))
Not we can go further and pass the output of the
first obfuscator through the
second one which will give us result even more far different from the original script:
eval(function(p,a,c,k,e,r){e=function(c){return c.toString(a)};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('1 4=["\\9\\c\\i\\k\\2\\7\\8\\3\\b\\l\\d\\2\\3\\e\\f\\g\\h"];1 a=4[0];j 5(a){6(a)};5(a);',22,22,'|var|x73|x74|_0x86eb|msg|alert|x63|x61|x4F||x65|x62|x20|x72|x69|x6E|x67|x66|function|x75|x64'.split('|'),0,{}))
This far, without any special skills required, we have converted original source code to something completely not related and "unreadable". Our intellectual property is safe and unless, of course, a group of hackers will spent time dedicated to de-obfuscation (there are
no 100% proof targets as history shows).
Hiding malicious code in the web
Unfortunately, JavaScript obfuscation is used not only for legal and legitimate purposes. Almost every exploit kit (for example
http://en.wikipedia.org/wiki/Blackhole_exploit_kit) utilizes JavaScript obfuscation algorithms in order bypass antivirus protection and invisibly inject malware into victim PC or touch devices.
Worth mentioning website malware cases are being collected with public online Website Malware Scanner. Some cases of execution flow of JavaScript threats:
Looking at the analysis we can see that the target of all these threats is to inject hidden iframe, which finally redirects visitors browser to malware distribution server. Successful attack results in silently installed malware on PC or touch devices that were used to visit infected web site.
So why JavaScript obfuscation bypass antivirus detection?
Fairly, there are few integral parts playing a major role in this puzzle. First of all JavaScript itself is simple and very rich language that provides possibility for dynamic generation and execution of script code using eval
and unescape
methods. This fact backed with all modern obfuscation techniques make it simply impossible to detect such payload using pattern-based engines utilized by antiviruses.
Antiviruses are still an essential part of the
secure perimeter as they capable to prevent accessing links to
known infected web servers that distribute malware. Obviously, the remaining issue here is that thousands of new web servers hacked and compromised day by day while it take some amount of time until such web servers get listed in antivirus blacklist.
If you suspect your website was compromised or would like us to remove the malware, please select from
ThreatSign - website monitoring and malware clean-up plans. To run free remote scan of your websites:
http://quttera.com/website-malware-scannerFor other questions, do not hesitate to contact
Quttera's help-desk.