SlideShare uma empresa Scribd logo

Understanding and analyzing obfuscated malicious web scripts

C
Cysinfo Cyber Security Community

Understanding & analyzing obfuscated malicious web scripts by Vikram Kharvi

Tecnologia
1 de 21
Baixar para ler offline
Understanding and analyzing obfuscated malicious web scripts
HELLO! I am Vikram Kharvi Student@PESIT Intern@Deloitte-Cyber Risk Malware Analysis,Pen-Testing,Developer. You can find me at vikram984511@gmail.com 2
All about this session Note •Will not cover intent of exploit. •Will not cover reverse engineering. •We will be interested in what malicious script does and not how it does. Getting started with analysis of malicious script. Common obfuscation techniques used by Malicious script authors. Ways to deobfuscate scripts without wasting much time. Tools that can be used to deobfuscate scripts. Find this slide @ cysinfo.com 3
Getting started with analysis of malicious web scripts
MOBILE PROJECT Show and explain your web, app or software projects using these gadget templates. Place your screenshot here 5
Use Virtual Machines or Sandbox before visiting malicious site. 6
⊗ Always replace eval() with console.log() to understand what is being executed by Javascript. ⊗ Focus on try catch method in javascript. ⊗ Check for Evercookie for persistent data. https://github.com/samyk/evercookie 7
⊗ Flag iframes. ⊗ Flag CSS where you find visibility:false; or hidden. ⊗ Check for external links. ⊗ Flag DOM in JS 8
Obfuscation Techniques • Minification • Visual Noise • Function name/keyword substitution • Obscure language features (e.g. JS tuples) • Encoding/Encryption • Multiple levels of obfuscation • JavaScript obfuscation web sites 9
Minification • Remove whitespace from script. • Rename variables and functions with smaller names • JSCompress.com • To reformat use beautification tool like js -beautify beautify beautify or website. or website. 10
Visual Noise Increase difficulty of reading code without changing its functionality. •Spurious comments •Dead code •Long names •String splitting •Character substitution (e.g. replace) 11
Removing Visual Noise How to deobfuscate •Manually remove noise. •Write a script. •Extract meaningful code. 12
Character Encoding Encodings •Hex (just hex characters) •Backslash Hex (x<n>) https://www.obkb.com/dcljr/charstxt.html • Ampersand Hex(&H<n>) https://www.toptal.com/designers/htmlarrows/letters • Backslash Unicode (u<n>)https://en.wikipedia.org/wiki/List_of_Unicode_characters • Percent Unicode (%u<n>)https://en.wikipedia.org/wiki/List_of_Unicode_characters • Octal (<n>) 13
Deobfuscating Character Encoding • Normalize encoded chars to readable characters. • Didier Stevens tools (base64dump.py, numbers-to-string.py, etc.) https://remnux.org/ • Custom script 14
Deobfuscation Principles • Make the script do work. • Don’t sweat the details. • Beautify the script • Look for anything recognizable. • Peel back the layers. 15
Tools •oledump.py: Analyse Analyse MS Office files. •pdfid.py/pdf -parser.py: Analyze PDF files. •base64dump.py: Extract base64 and hex encoded strings •js -file/js -ascii(modified SpiderMonkey) Run JavaScript outside browser. 16
•urldecode.py •Strip_xml •Combine_strings •decode_chars.py: Decode mixed encodings. •js -beautify •Linux tools (grep, sed, awk awk, cut, etc.) More Tools 17
Demo 18
19Prevention and best practices ● Having a robust anti-virus or full security solution installed on their computers. ● Make sure to update the operating system with the latest security patches. ● Keeping all updates running on computer up-to-date and download updates on a regular basis as they are released to avoid vulnerabilities. ● Making it a habit to run regular full system scans to check for problems and remove them. ● Avoid clicking on links from websites of unknown origins or are embedded in the body of emails, especially in spam e-mails. ● Checking the redirection of links by hovering on top of the links, you can see where the links will redirect from the status bar. ● Installing security plugin opened by web browser, such as automatic blockage of JavaScript execution or force download activities. ● For Web administrators take a note on upgrading all web applications and monitoring them to locate any type of scripts that may have been inserted by third parties.
CREDITS Evan H Dygert Didier Stevens Monnappa K A 20 Thanks
THANKS! Any questions? You can find me at: vikram984511@gmail.com 21

Recomendados

The Art of Executing JavaScript by Akhil Mahendra
The Art of Executing JavaScript by Akhil MahendraThe Art of Executing JavaScript by Akhil Mahendra
The Art of Executing JavaScript by Akhil MahendraCysinfo Cyber Security Community
 
Veil-Ordnance
Veil-OrdnanceVeil-Ordnance
Veil-OrdnanceVeilFramework
 
Ever Present Persistence - Established Footholds Seen in the Wild
Ever Present Persistence - Established Footholds Seen in the WildEver Present Persistence - Established Footholds Seen in the Wild
Ever Present Persistence - Established Footholds Seen in the WildCTruncer
 
Wordlist Generation and Wifi Cracking
Wordlist Generation and Wifi CrackingWordlist Generation and Wifi Cracking
Wordlist Generation and Wifi CrackingShakar Bhattarai
 
Wordpress security
Wordpress securityWordpress security
Wordpress securityMehmet Ince
 
Async js
Async jsAsync js
Async jslahin31
 
Generamba
GenerambaGeneramba
GenerambaNicolae Ghimbovschi
 
Same-origin Policy (SOP)
Same-origin Policy (SOP)Same-origin Policy (SOP)
Same-origin Policy (SOP)Netsparker
 

Recomendados

The Art of Executing JavaScript by Akhil Mahendra
The Art of Executing JavaScript by Akhil MahendraThe Art of Executing JavaScript by Akhil Mahendra
The Art of Executing JavaScript by Akhil MahendraCysinfo Cyber Security Community
 
Veil-Ordnance
Veil-OrdnanceVeil-Ordnance
Veil-OrdnanceVeilFramework
 
Ever Present Persistence - Established Footholds Seen in the Wild
Ever Present Persistence - Established Footholds Seen in the WildEver Present Persistence - Established Footholds Seen in the Wild
Ever Present Persistence - Established Footholds Seen in the WildCTruncer
 
Wordlist Generation and Wifi Cracking
Wordlist Generation and Wifi CrackingWordlist Generation and Wifi Cracking
Wordlist Generation and Wifi CrackingShakar Bhattarai
 
Wordpress security
Wordpress securityWordpress security
Wordpress securityMehmet Ince
 
Async js
Async jsAsync js
Async jslahin31
 
Generamba
GenerambaGeneramba
GenerambaNicolae Ghimbovschi
 
Same-origin Policy (SOP)
Same-origin Policy (SOP)Same-origin Policy (SOP)
Same-origin Policy (SOP)Netsparker
 
The state of JavaScript Linting - English version
The state of JavaScript Linting - English versionThe state of JavaScript Linting - English version
The state of JavaScript Linting - English versionMichael Kühnel
 
Hacking - Breaking Into It
Hacking - Breaking Into ItHacking - Breaking Into It
Hacking - Breaking Into ItCTruncer
 
0d1n
0d1n0d1n
0d1nAntonio Costa aka Cooler_
 
WAF protections and bypass resources
WAF protections and bypass resourcesWAF protections and bypass resources
WAF protections and bypass resourcesAntonio Costa aka Cooler_
 
DeViL - Detect Virtual Machine in Linux by Sreelakshmi
DeViL - Detect Virtual Machine in Linux by SreelakshmiDeViL - Detect Virtual Machine in Linux by Sreelakshmi
DeViL - Detect Virtual Machine in Linux by SreelakshmiCysinfo Cyber Security Community
 
Web Exploitation
Web ExploitationWeb Exploitation
Web ExploitationUTD Computer Security Group
 
Make CSRF Again
Make CSRF AgainMake CSRF Again
Make CSRF AgainNetsparker
 
Tdd using Jasmine and karma
Tdd using Jasmine and karmaTdd using Jasmine and karma
Tdd using Jasmine and karmaSiddharth Mishra
 
What Goes In Must Come Out: Egress-Assess and Data Exfiltration
What Goes In Must Come Out: Egress-Assess and Data ExfiltrationWhat Goes In Must Come Out: Egress-Assess and Data Exfiltration
What Goes In Must Come Out: Egress-Assess and Data ExfiltrationCTruncer
 
Static analysis for beginners
Static analysis for beginnersStatic analysis for beginners
Static analysis for beginnersAntonio Costa aka Cooler_
 
The State of the Veil Framework
The State of the Veil FrameworkThe State of the Veil Framework
The State of the Veil FrameworkVeilFramework
 
My tryst with sourcecode review
My tryst with sourcecode reviewMy tryst with sourcecode review
My tryst with sourcecode reviewAnant Shrivastava
 
20151117 es lint
20151117 es lint20151117 es lint
20151117 es lintNakajima Shigeru
 
[Php Camp]Owasp Php Top5+Csrf
[Php Camp]Owasp Php Top5+Csrf[Php Camp]Owasp Php Top5+Csrf
[Php Camp]Owasp Php Top5+CsrfBipin Upadhyay
 
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfDefeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfdrewz lin
 
Hacking Vulnerable Websites to Bypass Firewalls
Hacking Vulnerable Websites to Bypass FirewallsHacking Vulnerable Websites to Bypass Firewalls
Hacking Vulnerable Websites to Bypass FirewallsNetsparker
 
Fuzzing - Part 2
Fuzzing - Part 2Fuzzing - Part 2
Fuzzing - Part 2UTD Computer Security Group
 
Understand study
Understand studyUnderstand study
Understand studyAntonio Costa aka Cooler_
 
Server-Side JavaScript with Nashorn
Server-Side JavaScript with NashornServer-Side JavaScript with Nashorn
Server-Side JavaScript with NashornDaniel Woods
 
DEF CON 27 - ALON WEINBERG - please inject me a x64 code injection
DEF CON 27 - ALON WEINBERG - please inject me a x64 code injection DEF CON 27 - ALON WEINBERG - please inject me a x64 code injection
DEF CON 27 - ALON WEINBERG - please inject me a x64 code injection Felipe Prado
 
Pipeline as code for your infrastructure as Code
Pipeline as code for your infrastructure as CodePipeline as code for your infrastructure as Code
Pipeline as code for your infrastructure as CodeKris Buytaert
 
Abusing bleeding edge web standards for appsec glory
Abusing bleeding edge web standards for appsec gloryAbusing bleeding edge web standards for appsec glory
Abusing bleeding edge web standards for appsec gloryPriyanka Aash
 

Mais conteúdo relacionado

Mais procurados

The state of JavaScript Linting - English version
The state of JavaScript Linting - English versionThe state of JavaScript Linting - English version
The state of JavaScript Linting - English versionMichael Kühnel
 
Hacking - Breaking Into It
Hacking - Breaking Into ItHacking - Breaking Into It
Hacking - Breaking Into ItCTruncer
 
Make CSRF Again
Make CSRF AgainMake CSRF Again
Make CSRF AgainNetsparker
 
Tdd using Jasmine and karma
Tdd using Jasmine and karmaTdd using Jasmine and karma
Tdd using Jasmine and karmaSiddharth Mishra
 
What Goes In Must Come Out: Egress-Assess and Data Exfiltration
What Goes In Must Come Out: Egress-Assess and Data ExfiltrationWhat Goes In Must Come Out: Egress-Assess and Data Exfiltration
What Goes In Must Come Out: Egress-Assess and Data ExfiltrationCTruncer
 
The State of the Veil Framework
The State of the Veil FrameworkThe State of the Veil Framework
The State of the Veil FrameworkVeilFramework
 
My tryst with sourcecode review
My tryst with sourcecode reviewMy tryst with sourcecode review
My tryst with sourcecode reviewAnant Shrivastava
 
[Php Camp]Owasp Php Top5+Csrf
[Php Camp]Owasp Php Top5+Csrf[Php Camp]Owasp Php Top5+Csrf
[Php Camp]Owasp Php Top5+CsrfBipin Upadhyay
 
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfDefeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfdrewz lin
 
Hacking Vulnerable Websites to Bypass Firewalls
Hacking Vulnerable Websites to Bypass FirewallsHacking Vulnerable Websites to Bypass Firewalls
Hacking Vulnerable Websites to Bypass FirewallsNetsparker
 
Server-Side JavaScript with Nashorn
Server-Side JavaScript with NashornServer-Side JavaScript with Nashorn
Server-Side JavaScript with NashornDaniel Woods
 
DEF CON 27 - ALON WEINBERG - please inject me a x64 code injection
DEF CON 27 - ALON WEINBERG - please inject me a x64 code injection DEF CON 27 - ALON WEINBERG - please inject me a x64 code injection
DEF CON 27 - ALON WEINBERG - please inject me a x64 code injection Felipe Prado
 

Mais procurados (20)

The state of JavaScript Linting - English version
The state of JavaScript Linting - English versionThe state of JavaScript Linting - English version
The state of JavaScript Linting - English version
 
Hacking - Breaking Into It
Hacking - Breaking Into ItHacking - Breaking Into It
Hacking - Breaking Into It
 
0d1n
0d1n0d1n
0d1n
 
WAF protections and bypass resources
WAF protections and bypass resourcesWAF protections and bypass resources
WAF protections and bypass resources
 
DeViL - Detect Virtual Machine in Linux by Sreelakshmi
DeViL - Detect Virtual Machine in Linux by SreelakshmiDeViL - Detect Virtual Machine in Linux by Sreelakshmi
DeViL - Detect Virtual Machine in Linux by Sreelakshmi
 
Web Exploitation
Web ExploitationWeb Exploitation
Web Exploitation
 
Make CSRF Again
Make CSRF AgainMake CSRF Again
Make CSRF Again
 
Tdd using Jasmine and karma
Tdd using Jasmine and karmaTdd using Jasmine and karma
Tdd using Jasmine and karma
 
What Goes In Must Come Out: Egress-Assess and Data Exfiltration
What Goes In Must Come Out: Egress-Assess and Data ExfiltrationWhat Goes In Must Come Out: Egress-Assess and Data Exfiltration
What Goes In Must Come Out: Egress-Assess and Data Exfiltration
 
Static analysis for beginners
Static analysis for beginnersStatic analysis for beginners
Static analysis for beginners
 
The State of the Veil Framework
The State of the Veil FrameworkThe State of the Veil Framework
The State of the Veil Framework
 
My tryst with sourcecode review
My tryst with sourcecode reviewMy tryst with sourcecode review
My tryst with sourcecode review
 
20151117 es lint
20151117 es lint20151117 es lint
20151117 es lint
 
[Php Camp]Owasp Php Top5+Csrf
[Php Camp]Owasp Php Top5+Csrf[Php Camp]Owasp Php Top5+Csrf
[Php Camp]Owasp Php Top5+Csrf
 
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfDefeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
 
Hacking Vulnerable Websites to Bypass Firewalls
Hacking Vulnerable Websites to Bypass FirewallsHacking Vulnerable Websites to Bypass Firewalls
Hacking Vulnerable Websites to Bypass Firewalls
 
Fuzzing - Part 2
Fuzzing - Part 2Fuzzing - Part 2
Fuzzing - Part 2
 
Understand study
Understand studyUnderstand study
Understand study
 
Server-Side JavaScript with Nashorn
Server-Side JavaScript with NashornServer-Side JavaScript with Nashorn
Server-Side JavaScript with Nashorn
 
DEF CON 27 - ALON WEINBERG - please inject me a x64 code injection
DEF CON 27 - ALON WEINBERG - please inject me a x64 code injection DEF CON 27 - ALON WEINBERG - please inject me a x64 code injection
DEF CON 27 - ALON WEINBERG - please inject me a x64 code injection
 

Semelhante a Understanding and analyzing obfuscated malicious web scripts

Pipeline as code for your infrastructure as Code
Pipeline as code for your infrastructure as CodePipeline as code for your infrastructure as Code
Pipeline as code for your infrastructure as CodeKris Buytaert
 
Abusing bleeding edge web standards for appsec glory
Abusing bleeding edge web standards for appsec gloryAbusing bleeding edge web standards for appsec glory
Abusing bleeding edge web standards for appsec gloryPriyanka Aash
 
AV Evasion with the Veil Framework
AV Evasion with the Veil FrameworkAV Evasion with the Veil Framework
AV Evasion with the Veil FrameworkVeilFramework
 
Django dev-env-my-way
Django dev-env-my-wayDjango dev-env-my-way
Django dev-env-my-wayRobert Lujo
 
Web security: Securing Untrusted Web Content in Browsers
Web security: Securing Untrusted Web Content in BrowsersWeb security: Securing Untrusted Web Content in Browsers
Web security: Securing Untrusted Web Content in BrowsersPhú Phùng
 
A Battle Against the Industry - Beating Antivirus for Meterpreter and More
A Battle Against the Industry - Beating Antivirus for Meterpreter and MoreA Battle Against the Industry - Beating Antivirus for Meterpreter and More
A Battle Against the Industry - Beating Antivirus for Meterpreter and MoreCTruncer
 
Comment améliorer le quotidien des Développeurs PHP ?
Comment améliorer le quotidien des Développeurs PHP ?Comment améliorer le quotidien des Développeurs PHP ?
Comment améliorer le quotidien des Développeurs PHP ?AFUP_Limoges
 
Coding for production
Coding for productionCoding for production
Coding for productionjehiah
 
Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007Stephan Chenette
 
InSpec For DevOpsDays Amsterdam 2017
InSpec For DevOpsDays Amsterdam 2017InSpec For DevOpsDays Amsterdam 2017
InSpec For DevOpsDays Amsterdam 2017Mandi Walls
 
Quality code in wordpress
Quality code in wordpressQuality code in wordpress
Quality code in wordpressRan Bar-Zik
 
How to write good quality code
How to write good quality codeHow to write good quality code
How to write good quality codeHayden Bleasel
 
On the Edge Systems Administration with Golang
On the Edge Systems Administration with GolangOn the Edge Systems Administration with Golang
On the Edge Systems Administration with GolangChris McEniry
 
Building Open-source React Components
Building Open-source React ComponentsBuilding Open-source React Components
Building Open-source React ComponentsZack Argyle
 
Building Open-Source React Components
Building Open-Source React ComponentsBuilding Open-Source React Components
Building Open-Source React ComponentsZack Argyle
 
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...bugcrowd
 
Native Script Overview
Native Script OverviewNative Script Overview
Native Script OverviewBaskar rao Dsn
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016bugcrowd
 
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Sysdig
 

Semelhante a Understanding and analyzing obfuscated malicious web scripts (20)

Pipeline as code for your infrastructure as Code
Pipeline as code for your infrastructure as CodePipeline as code for your infrastructure as Code
Pipeline as code for your infrastructure as Code
 
Abusing bleeding edge web standards for appsec glory
Abusing bleeding edge web standards for appsec gloryAbusing bleeding edge web standards for appsec glory
Abusing bleeding edge web standards for appsec glory
 
AV Evasion with the Veil Framework
AV Evasion with the Veil FrameworkAV Evasion with the Veil Framework
AV Evasion with the Veil Framework
 
Django dev-env-my-way
Django dev-env-my-wayDjango dev-env-my-way
Django dev-env-my-way
 
Web security: Securing Untrusted Web Content in Browsers
Web security: Securing Untrusted Web Content in BrowsersWeb security: Securing Untrusted Web Content in Browsers
Web security: Securing Untrusted Web Content in Browsers
 
A Battle Against the Industry - Beating Antivirus for Meterpreter and More
A Battle Against the Industry - Beating Antivirus for Meterpreter and MoreA Battle Against the Industry - Beating Antivirus for Meterpreter and More
A Battle Against the Industry - Beating Antivirus for Meterpreter and More
 
Comment améliorer le quotidien des Développeurs PHP ?
Comment améliorer le quotidien des Développeurs PHP ?Comment améliorer le quotidien des Développeurs PHP ?
Comment améliorer le quotidien des Développeurs PHP ?
 
Coding for production
Coding for productionCoding for production
Coding for production
 
Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007
 
InSpec For DevOpsDays Amsterdam 2017
InSpec For DevOpsDays Amsterdam 2017InSpec For DevOpsDays Amsterdam 2017
InSpec For DevOpsDays Amsterdam 2017
 
Quality code in wordpress
Quality code in wordpressQuality code in wordpress
Quality code in wordpress
 
How to write good quality code
How to write good quality codeHow to write good quality code
How to write good quality code
 
On the Edge Systems Administration with Golang
On the Edge Systems Administration with GolangOn the Edge Systems Administration with Golang
On the Edge Systems Administration with Golang
 
Building Open-source React Components
Building Open-source React ComponentsBuilding Open-source React Components
Building Open-source React Components
 
Building Open-Source React Components
Building Open-Source React ComponentsBuilding Open-Source React Components
Building Open-Source React Components
 
Continuous feature-development
Continuous feature-developmentContinuous feature-development
Continuous feature-development
 
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
 
Native Script Overview
Native Script OverviewNative Script Overview
Native Script Overview
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
 
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
 

Mais de Cysinfo Cyber Security Community

Understanding Malware Persistence Techniques by Monnappa K A
Understanding Malware Persistence Techniques by Monnappa K AUnderstanding Malware Persistence Techniques by Monnappa K A
Understanding Malware Persistence Techniques by Monnappa K ACysinfo Cyber Security Community
 
Getting started with cybersecurity through CTFs by Shruti Dixit & Geethna TK
Getting started with cybersecurity through CTFs by Shruti Dixit & Geethna TKGetting started with cybersecurity through CTFs by Shruti Dixit & Geethna TK
Getting started with cybersecurity through CTFs by Shruti Dixit & Geethna TKCysinfo Cyber Security Community
 
A look into the sanitizer family (ASAN & UBSAN) by Akul Pillai
A look into the sanitizer family (ASAN & UBSAN) by Akul PillaiA look into the sanitizer family (ASAN & UBSAN) by Akul Pillai
A look into the sanitizer family (ASAN & UBSAN) by Akul PillaiCysinfo Cyber Security Community
 
Reversing and Decrypting Malware Communications by Monnappa
Reversing and Decrypting Malware Communications by MonnappaReversing and Decrypting Malware Communications by Monnappa
Reversing and Decrypting Malware Communications by MonnappaCysinfo Cyber Security Community
 
Understanding evasive hollow process injection techniques monnappa k a
Understanding evasive hollow process injection techniques monnappa k aUnderstanding evasive hollow process injection techniques monnappa k a
Understanding evasive hollow process injection techniques monnappa k aCysinfo Cyber Security Community
 
Security challenges in d2d communication by ajithkumar vyasarao
Security challenges in d2d communication by ajithkumar vyasaraoSecurity challenges in d2d communication by ajithkumar vyasarao
Security challenges in d2d communication by ajithkumar vyasaraoCysinfo Cyber Security Community
 

Mais de Cysinfo Cyber Security Community (20)

Understanding Malware Persistence Techniques by Monnappa K A
Understanding Malware Persistence Techniques by Monnappa K AUnderstanding Malware Persistence Techniques by Monnappa K A
Understanding Malware Persistence Techniques by Monnappa K A
 
Getting started with cybersecurity through CTFs by Shruti Dixit & Geethna TK
Getting started with cybersecurity through CTFs by Shruti Dixit & Geethna TKGetting started with cybersecurity through CTFs by Shruti Dixit & Geethna TK
Getting started with cybersecurity through CTFs by Shruti Dixit & Geethna TK
 
Emerging Trends in Cybersecurity by Amar Prusty
Emerging Trends in Cybersecurity by Amar PrustyEmerging Trends in Cybersecurity by Amar Prusty
Emerging Trends in Cybersecurity by Amar Prusty
 
A look into the sanitizer family (ASAN & UBSAN) by Akul Pillai
A look into the sanitizer family (ASAN & UBSAN) by Akul PillaiA look into the sanitizer family (ASAN & UBSAN) by Akul Pillai
A look into the sanitizer family (ASAN & UBSAN) by Akul Pillai
 
Closer look at PHP Unserialization by Ashwin Shenoi
Closer look at PHP Unserialization by Ashwin ShenoiCloser look at PHP Unserialization by Ashwin Shenoi
Closer look at PHP Unserialization by Ashwin Shenoi
 
Unicorn: The Ultimate CPU Emulator by Akshay Ajayan
Unicorn: The Ultimate CPU Emulator by Akshay AjayanUnicorn: The Ultimate CPU Emulator by Akshay Ajayan
Unicorn: The Ultimate CPU Emulator by Akshay Ajayan
 
Reversing and Decrypting Malware Communications by Monnappa
Reversing and Decrypting Malware Communications by MonnappaReversing and Decrypting Malware Communications by Monnappa
Reversing and Decrypting Malware Communications by Monnappa
 
Analysis of android apk using adhrit by Abhishek J.M
Analysis of android apk using adhrit by Abhishek J.M Analysis of android apk using adhrit by Abhishek J.M
Analysis of android apk using adhrit by Abhishek J.M
 
Understanding evasive hollow process injection techniques monnappa k a
Understanding evasive hollow process injection techniques monnappa k aUnderstanding evasive hollow process injection techniques monnappa k a
Understanding evasive hollow process injection techniques monnappa k a
 
Security challenges in d2d communication by ajithkumar vyasarao
Security challenges in d2d communication by ajithkumar vyasaraoSecurity challenges in d2d communication by ajithkumar vyasarao
Security challenges in d2d communication by ajithkumar vyasarao
 
S2 e (selective symbolic execution) -shivkrishna a
S2 e (selective symbolic execution) -shivkrishna aS2 e (selective symbolic execution) -shivkrishna a
S2 e (selective symbolic execution) -shivkrishna a
 
Dynamic binary analysis using angr siddharth muralee
Dynamic binary analysis using angr siddharth muraleeDynamic binary analysis using angr siddharth muralee
Dynamic binary analysis using angr siddharth muralee
 
Bit flipping attack on aes cbc - ashutosh ahelleya
Bit flipping attack on aes cbc - ashutosh ahelleyaBit flipping attack on aes cbc - ashutosh ahelleya
Bit flipping attack on aes cbc - ashutosh ahelleya
 
Security Analytics using ELK stack
Security Analytics using ELK stack Security Analytics using ELK stack
Security Analytics using ELK stack
 
Linux Malware Analysis
Linux Malware Analysis Linux Malware Analysis
Linux Malware Analysis
 
Introduction to Binary Exploitation
Introduction to Binary Exploitation Introduction to Binary Exploitation
Introduction to Binary Exploitation
 
ATM Malware: Understanding the threat
ATM Malware: Understanding the threat ATM Malware: Understanding the threat
ATM Malware: Understanding the threat
 
XXE - XML External Entity Attack
XXE - XML External Entity Attack XXE - XML External Entity Attack
XXE - XML External Entity Attack
 
Image (PNG) Forensic Analysis
Image (PNG) Forensic Analysis Image (PNG) Forensic Analysis
Image (PNG) Forensic Analysis
 
POS Malware: Is your Debit/Credit Transcations Secure?
POS Malware: Is your Debit/Credit Transcations Secure?POS Malware: Is your Debit/Credit Transcations Secure?
POS Malware: Is your Debit/Credit Transcations Secure?
 

Último

A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 

Último (20)

A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 

Understanding and analyzing obfuscated malicious web scripts

  • 2. HELLO! I am Vikram Kharvi Student@PESIT Intern@Deloitte-Cyber Risk Malware Analysis,Pen-Testing,Developer. You can find me at vikram984511@gmail.com 2
  • 3. All about this session Note •Will not cover intent of exploit. •Will not cover reverse engineering. •We will be interested in what malicious script does and not how it does. Getting started with analysis of malicious script. Common obfuscation techniques used by Malicious script authors. Ways to deobfuscate scripts without wasting much time. Tools that can be used to deobfuscate scripts. Find this slide @ cysinfo.com 3
  • 4. Getting started with analysis of malicious web scripts
  • 5. MOBILE PROJECT Show and explain your web, app or software projects using these gadget templates. Place your screenshot here 5
  • 6. Use Virtual Machines or Sandbox before visiting malicious site. 6
  • 7. ⊗ Always replace eval() with console.log() to understand what is being executed by Javascript. ⊗ Focus on try catch method in javascript. ⊗ Check for Evercookie for persistent data. https://github.com/samyk/evercookie 7
  • 8. ⊗ Flag iframes. ⊗ Flag CSS where you find visibility:false; or hidden. ⊗ Check for external links. ⊗ Flag DOM in JS 8
  • 9. Obfuscation Techniques • Minification • Visual Noise • Function name/keyword substitution • Obscure language features (e.g. JS tuples) • Encoding/Encryption • Multiple levels of obfuscation • JavaScript obfuscation web sites 9
  • 10. Minification • Remove whitespace from script. • Rename variables and functions with smaller names • JSCompress.com • To reformat use beautification tool like js -beautify beautify beautify or website. or website. 10
  • 11. Visual Noise Increase difficulty of reading code without changing its functionality. •Spurious comments •Dead code •Long names •String splitting •Character substitution (e.g. replace) 11
  • 12. Removing Visual Noise How to deobfuscate •Manually remove noise. •Write a script. •Extract meaningful code. 12
  • 13. Character Encoding Encodings •Hex (just hex characters) •Backslash Hex (x<n>) https://www.obkb.com/dcljr/charstxt.html • Ampersand Hex(&H<n>) https://www.toptal.com/designers/htmlarrows/letters • Backslash Unicode (u<n>)https://en.wikipedia.org/wiki/List_of_Unicode_characters • Percent Unicode (%u<n>)https://en.wikipedia.org/wiki/List_of_Unicode_characters • Octal (<n>) 13
  • 14. Deobfuscating Character Encoding • Normalize encoded chars to readable characters. • Didier Stevens tools (base64dump.py, numbers-to-string.py, etc.) https://remnux.org/ • Custom script 14
  • 15. Deobfuscation Principles • Make the script do work. • Don’t sweat the details. • Beautify the script • Look for anything recognizable. • Peel back the layers. 15
  • 16. Tools •oledump.py: Analyse Analyse MS Office files. •pdfid.py/pdf -parser.py: Analyze PDF files. •base64dump.py: Extract base64 and hex encoded strings •js -file/js -ascii(modified SpiderMonkey) Run JavaScript outside browser. 16
  • 17. •urldecode.py •Strip_xml •Combine_strings •decode_chars.py: Decode mixed encodings. •js -beautify •Linux tools (grep, sed, awk awk, cut, etc.) More Tools 17
  • 19. 19Prevention and best practices ● Having a robust anti-virus or full security solution installed on their computers. ● Make sure to update the operating system with the latest security patches. ● Keeping all updates running on computer up-to-date and download updates on a regular basis as they are released to avoid vulnerabilities. ● Making it a habit to run regular full system scans to check for problems and remove them. ● Avoid clicking on links from websites of unknown origins or are embedded in the body of emails, especially in spam e-mails. ● Checking the redirection of links by hovering on top of the links, you can see where the links will redirect from the status bar. ● Installing security plugin opened by web browser, such as automatic blockage of JavaScript execution or force download activities. ● For Web administrators take a note on upgrading all web applications and monitoring them to locate any type of scripts that may have been inserted by third parties.
  • 20. CREDITS Evan H Dygert Didier Stevens Monnappa K A 20 Thanks
  • 21. THANKS! Any questions? You can find me at: vikram984511@gmail.com 21