2. HELLO!
I am Vikram Kharvi
Student@PESIT Intern@Deloitte-Cyber Risk
Malware Analysis,Pen-Testing,Developer.
You can find me at
vikram984511@gmail.com
2
3. All about this session
Note
•Will not cover intent of exploit.
•Will not cover reverse engineering.
•We will be interested in what malicious
script does and not how it does.
Getting started with analysis of malicious
script.
Common obfuscation techniques used by
Malicious script authors.
Ways to deobfuscate scripts without
wasting much time.
Tools that can be used to deobfuscate
scripts.
Find this slide @ cysinfo.com
3
7. ⊗ Always replace eval() with
console.log() to understand what
is being executed by Javascript.
⊗ Focus on try catch method in
javascript.
⊗ Check for Evercookie for
persistent data.
https://github.com/samyk/evercookie
7
8. ⊗ Flag iframes.
⊗ Flag CSS where you find
visibility:false; or hidden.
⊗ Check for external links.
⊗ Flag DOM in JS
8
9. Obfuscation Techniques
• Minification
• Visual Noise
• Function name/keyword substitution
• Obscure language features (e.g. JS tuples)
• Encoding/Encryption
• Multiple levels of obfuscation
• JavaScript obfuscation web sites
9
10. Minification
• Remove whitespace from script.
• Rename variables and functions with smaller names
• JSCompress.com
• To reformat use beautification tool like js -beautify
beautify beautify or website. or website.
10
11. Visual Noise
Increase difficulty of reading code without changing
its functionality.
•Spurious comments
•Dead code
•Long names
•String splitting
•Character substitution (e.g. replace)
11
12. Removing Visual Noise
How to deobfuscate
•Manually remove noise.
•Write a script.
•Extract meaningful code.
12
15. Deobfuscation Principles
• Make the script do work.
• Don’t sweat the details.
• Beautify the script
• Look for anything recognizable.
• Peel back the layers.
15
16. Tools
•oledump.py: Analyse Analyse MS Office files.
•pdfid.py/pdf -parser.py: Analyze PDF files.
•base64dump.py: Extract base64 and hex encoded
strings
•js -file/js -ascii(modified SpiderMonkey)
Run JavaScript outside browser.
16
19. 19Prevention and best practices
● Having a robust anti-virus or full security solution installed on their computers.
● Make sure to update the operating system with the latest security patches.
● Keeping all updates running on computer up-to-date and download updates on a regular basis
as they are released to avoid vulnerabilities.
● Making it a habit to run regular full system scans to check for problems and remove them.
● Avoid clicking on links from websites of unknown origins or are embedded in the body of
emails, especially in spam e-mails.
● Checking the redirection of links by hovering on top of the links, you can see where the links
will redirect from the status bar.
● Installing security plugin opened by web browser, such as automatic blockage of JavaScript
execution or force download activities.
● For Web administrators take a note on upgrading all web applications and monitoring them to
locate any type of scripts that may have been inserted by third parties.