April 19th, 2007

JavaScript encryption added to malware arsenal

Posted by Ryan Naraine @ 8:16 am


Tags: JavaScript, Malware, Encryption, Tool, Ryan Naraine

VANCOUVER, BC — Malicious hackers are starting to encrypt, or more precisely obfuscate, the JavaScript they plant on web pages in order to escape signature-based anti-virus detection, adding another element of sophistication to browser-based malware attacks. Because the victim's browser has to decode and run the script, the decoding routine and any key travel inside the page itself; the aim is to defeat scanners and slow down analysts, not to hide the payload from anyone willing to execute it.

But, according to a security researcher who spends his time reversing malware samples, there are tools available to figure out exactly what obfuscated JavaScript does and to pinpoint the motive of the attacker.

At the CanSecWest conference here, Arbor Networks senior security engineer Jose Nazario gave attendees a glimpse at the lengths to which malware writers go to defeat anti-virus scanners, warning that the use of cleverly encrypted JavaScript has been added to the attackers' arsenal.

For example, when the Dolphin Stadium site was hijacked just before Super Bowl XLI in February 2007, a malicious JavaScript file was inserted into the header of the site's front page. A visitor browsing the site with an unpatched, vulnerable version of Microsoft's Internet Explorer executed the script, which installed a Trojan downloader fetched from a different server.

During his talk, Nazario described how a command-line JavaScript interpreter such as NJS, or the shells that come with Mozilla's SpiderMonkey and Rhino, can be used to pick apart the obfuscation layer by layer. The approach works because the script must decode itself before it can do anything: run it in an interpreter with no browser attached, hook the final eval() or document.write() call, and the decoded payload falls out instead of executing. He offered a simple tutorial for doing this and said improved tools were needed to automate some of the reverse-engineering effort.

Nazario also warned that Flash was becoming another distribution mechanism for malware, noting that .swf files were also redirecting browsers to phishing scams and dirty sites rigged with malicious executables.  Here again, Nazario said a free tool like Flasm could be used to disassemble Flash ActionScript bytecode.

"The bad guys are using JavaScript [and Flash] as their delivery vehicle.  You should learn it and love it to figure out their actions," Nazario told the conference attendees.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.



Talkback (1 comment)

Are we talking obfuscation or real encryption?? CobraA1 | 04/20/07
