By: Julien Sobrier

Deep Javascript Obfuscation Can Make Exploits Easier To Detect

Analysis

UPDATE: AVG displayed false alerts about the obfuscated Javascript codes samples displayed in the post. These samples are all harmless. I have replaced these codes samples with screenshots.


Minification, packing, obfuscation

Javascript code is usually pre-processed before it is served to users in order to make it smaller, resulting in a faster page load times, or to obfuscate it.


function add(one, two) {
return one + two;
}
An example of original source code

Minifier

The most common form of pre-processing involves minification. The source code is stripped of white space, comments, etc., in order to make it more compact. Some minifiers can also rename internal variables to make them shorter. The minified Javascript is less readable for humans, but not to automation tools or security scanners. It is a common practice to serve minified Javascript either inline, as part of an HTML page, or in external sites, to reduce the loading time of pages. Google, Amazon, and most major websites use this technique.


function add(a,b){return a+b}
Example of minified Javascript

Packer

Then webmasters try to go further and additionally reduce code size by leveraging packers, such as using a base64 encoding. The source code is endoded in the new base, and decoded through Javascript in the browser. This results in a smaller code (if the original code is not too short) that is harder for humans to interpret and often harder for security tools to inspect.

Packed Javascript is not widely used because the smaller file size is balanced by a longer execution time in the browser to decode the Javascript.


Example of packed Javascript (line break inserted for readability)


Obfuscator

Obfuscation is done for the sole purpose of "hiding" the original code. Obfuscated code often results in a larger code size than that of unprocessed Javascript. The resulting code is unreadable by humans, and once again, complicates parsing for security scanners. A slight code change in the original code can also create a completely different set of obfuscated Javascript. That means an attacker can create many versions of the same original code and each will look very different from the others.



Example of lightly obfuscated Javascript

Obfuscated exploits

There are legitimate uses of obfuscated Javascript. For example, obfuscation can be used to hide e-mail addresses from web crawlers. Obfuscation is also commonly used by many advertising networks.

But Javascript obfuscation is widely used for malicious purposes. Attackers obfuscate their exploits to bypass security tools. They can also easily change the code on each site they infect, so that one detected malicious page does not result in all other exploited pages being detected.

Sometimes however, extreme obfuscation can make it easier to detect malicious code. When Javascript looks very different from minified, packed or even common obfuscation code patterns, they really stand out. It is sometimes easier to detect the obfuscation itself rather than the underlying exploit.

Metasploit is a popular and powerful exploitation framework, which includes a number of browser exploits. It goes to great lengths to obfuscate the exploits: most variables are generated randomly for each run and the Javascript code is heavily obfuscated overall. As a result, Metasploit generated HTML code can really stand out:
  • the code density is unusual: they have very long variable names, spaces at the beginning of lines, several line breaks in a row, etc.
  • repeatable patterns
    • most ActiveX objects are called with new ActiveXObject(String.fromCharCode(
    • reassignment of the unescape Javascript function to a variable: <...> = unescape;
    • the decoding loop uses some unusual pieces of code: .toString(16); unescape(unescape(, etc.
as a result, it can actually become easier to detect the exploits coming from Metasploit. We've seen other examples where the attacker goes a little too far to obfuscate his code, and actually make it easier to recognize.

Obfuscation done right can make it harder to detect and understand exploits. Crazy obfuscation does the opposite.

-- Julien

Learn more about Zscaler.