We need to understand the flow and monitor the variables in malicious browser scripts. For this Script Debuggers and Script Interpreters are necessary.
Some Open Source Tools:
Creme Brulee
Firebug – Firefox plug-in
Google Chrome Developer Tools
Javascript Deobfuscator – Firefox plug-in
JSDebug
Malzilla
Rhino
SpiderMonkey + V8
The Mina
Microsoft Tools:
Microsoft Script Debugger
Microsoft IE8 Developer Tools
Cscript and Wscript - Execute JavaScript and VBScript outside the browser.
Internet Explorer 8 comes with a powerful debugger installed.
Lets see an example of obfuscated script. The target here is Storm worm. This worm started spreading in January 2007. It used e-mail messages with subject lines about weather disasters in Europe, hence the name.
Lets inspect the javascript which has the obfuscation function shall we,
function xor_str(plain_str, xor_key)
{
var xored_str = "";
for (var i = 0 ; i < plain_str.length; ++i) xored_str += String.fromCharCode(xor_key ^ plain_str.charCodeAt(i));
return xored_str;
}
var plain_str = "\x94\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe .... really long chars ...9d\x8f\xbe";
var xored_str = xor_str(plain_str, 180);
document.write(xored_str);
The main exploit code here is obfuscated and stored in a string variable plain_str. The code calls obfuscation function xor_str(), the output from this function is passed as input argument to document.write(). Thus to see the deobfuscated code, we will have to set a breakpoint on document.write(xored_str) line and then examine the content of xored_str variable before it gets executed by document.write().
Malzilla
To analyze Storm we will use Malzilla. Click on the Decoder tab in Malzilla, then right click in the top frame and click 'Load from File'. This allows you to load the malicious script into Malzilla.
Then click 'Run script' button. We can see the deobfuscated in the window below.
Sometimes there may be multiple layers of obfuscation where the first obfuscated script needs to be deobfuscated as well. In this case copy the script from the lower pane and paste it in a new tab and repeat the process.
The deobfuscated Storm script contains additional JavaScript that once executed by the victim browser will attempt to exploit an Internet Explorer vulnerability to download and execute a malicious program.
Some Open Source Tools:
Creme Brulee
Firebug – Firefox plug-in
Google Chrome Developer Tools
Javascript Deobfuscator – Firefox plug-in
JSDebug
Malzilla
Rhino
SpiderMonkey + V8
The Mina
Microsoft Tools:
Microsoft Script Debugger
Microsoft IE8 Developer Tools
Cscript and Wscript - Execute JavaScript and VBScript outside the browser.
Internet Explorer 8 comes with a powerful debugger installed.
Lets see an example of obfuscated script. The target here is Storm worm. This worm started spreading in January 2007. It used e-mail messages with subject lines about weather disasters in Europe, hence the name.
Lets inspect the javascript which has the obfuscation function shall we,
function xor_str(plain_str, xor_key)
{
var xored_str = "";
for (var i = 0 ; i < plain_str.length; ++i) xored_str += String.fromCharCode(xor_key ^ plain_str.charCodeAt(i));
return xored_str;
}
var plain_str = "\x94\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe .... really long chars ...9d\x8f\xbe";
var xored_str = xor_str(plain_str, 180);
document.write(xored_str);
The main exploit code here is obfuscated and stored in a string variable plain_str. The code calls obfuscation function xor_str(), the output from this function is passed as input argument to document.write(). Thus to see the deobfuscated code, we will have to set a breakpoint on document.write(xored_str) line and then examine the content of xored_str variable before it gets executed by document.write().
Malzilla
To analyze Storm we will use Malzilla. Click on the Decoder tab in Malzilla, then right click in the top frame and click 'Load from File'. This allows you to load the malicious script into Malzilla.
Then click 'Run script' button. We can see the deobfuscated in the window below.
Sometimes there may be multiple layers of obfuscation where the first obfuscated script needs to be deobfuscated as well. In this case copy the script from the lower pane and paste it in a new tab and repeat the process.
The deobfuscated Storm script contains additional JavaScript that once executed by the victim browser will attempt to exploit an Internet Explorer vulnerability to download and execute a malicious program.