Friday, May 29th, 2009

Taking apart crazy JavaScript code; Interview question fodder

Category: Security

Scott Schiller looks like he had some fun in Analyzing Javascript Malware: Obfuscated Evil, where he takes a peek into a gnarly piece of JavaScript malware that was just seen in the wild on Facebook:

Since Javascript must be downloaded to run on the client, its source is easily accessible. The code can be captured either during transport, from within the browser, or on disk from cache. For this and other reasons, Javascript malware writers – admittedly a special breed – must resort to all sorts of dirty tricks to hide their particularly-special brand of internet douchebaggery.

Obfuscation not only discourages casual reverse-engineering of the exploit used and its inner workings, it also makes it more difficult for internet security/virus-scanners to correctly identify and prevent the malware from running. If your code appears to be constructing a very large string with hex-encoded data (i.e., attempting a buffer overflow condition with “shellcode” to execute arbitrary commands), then you’re due to get flagged. If on the other hand you have some innocent-looking strings compressed or encrypted so as not to reveal their evil nature at first glance, your dirty work may in fact fly under the radar, undetected.

Scott takes apart the code that has a lot of source looking like:

figoeei = (3., saltem)(('3' <= 8.3e1 ? solant + 'x': 384.), (funere, aequi) + (6661 <= movens ? .4138 : solant + 'u' + uisae + merui + inibis + solant) + (178., beroen + 'o' + 'ca' + 'n' + campo + gladie + 'x' + ')'));

After the analysis Scott says:

I suspect if this code did work, it would execute a JS payload or would dynamically fetch (via xmlHttpRequest), decode/decrypt and execute a payload. (A key/passphrase or decoding loop is suggested, given the output above.) On the other hand and in the words of comedian Dennis Miller, “‘Course that’s just my opinion, I could be wrong.”

Want to give someone a bugger of an interview? Take some snippets and ask them to tell you what they do.
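As an added example (not code from Scott's analysis or from the original post), here is one way to answer that question for the snippet above without letting it do anything: replace the call target `saltem` with a recorder and fill the variables the page does not define with constructed placeholder strings, then read off which ternary branches and comma operands survive. The function name `analyzeSnippet` and every placeholder value are assumptions made for illustration.

```javascript
// Added example: evaluate the page's obfuscated expression with its call
// target stubbed out, so the arguments are captured instead of acted on.
function analyzeSnippet(movens) {
  const calls = [];

  // Assumption: in the original, `saltem` is callable (the snippet calls it).
  // Here it only records what it was given.
  const saltem = (...args) => { calls.push(args); };

  // Constructed placeholders: the real values are not shown on the page.
  // Tagged strings make it obvious which variable ended up where.
  const solant = '<solant>', uisae = '<uisae>', merui = '<merui>',
        inibis = '<inibis>', beroen = '<beroen>', campo = '<campo>',
        gladie = '<gladie>', funere = '<funere>', aequi = '<aequi>';

  // The expression from the page, unchanged apart from the stubs above.
  // (3., saltem)      comma operator: 3. is discarded, saltem is called
  // '3' <= 8.3e1      '3' coerces to 3, 3 <= 83 is true: first branch
  // (funere, aequi)   funere is discarded, aequi is used
  // 6661 <= movens    depends on a value set elsewhere in the sample
  // (178., ...)       178. is discarded, the concatenation is used
  const figoeei = (3., saltem)(('3' <= 8.3e1 ? solant + 'x' : 384.),
    (funere, aequi) +
    (6661 <= movens ? .4138 : solant + 'u' + uisae + merui + inibis + solant) +
    (178., beroen + 'o' + 'ca' + 'n' + campo + gladie + 'x' + ')'));

  return { calls, result: figoeei };
}

// Both outcomes of the one data-dependent branch (movens values constructed).
for (const movens of [0, 7000]) {
  const { calls } = analyzeSnippet(movens);
  console.log(`movens=${movens}:`, JSON.stringify(calls[0]));
}
```

The decoy numbers (`3.`, `384.`, `178.`, `funere`) never reach the call; only the string pieces do, which is the part worth following back through the rest of a sample.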

Posted by Dion Almaer at 6:04 am