JavaScript encryption added to malware arsenal

Summary: Malicious hackers are starting to obfuscate and, in some cases, encrypt the JavaScript they plant on hijacked web pages to escape anti-virus detection, adding another element of sophistication to browser-based malware attacks.

TOPICS: Open Source, Malware
VANCOUVER, BC -- Malicious hackers are starting to obfuscate and, in some cases, encrypt the JavaScript they plant on hijacked web pages to escape anti-virus detection, adding another element of sophistication to browser-based malware attacks.

But, according to a security researcher who spends his time reversing malware samples, there are tools available to figure out exactly what obfuscated JavaScript does and to pinpoint the motive of the attacker.

At the CanSecWest conference here, Arbor Networks senior security engineer Jose Nazario gave attendees a glimpse at the lengths to which malware writers go to defeat anti-virus scanners, warning that the use of cleverly encrypted JavaScript has been added to the attackers' arsenal.

For example, when the Dolphin Stadium site was hijacked just before this year's Super Bowl, a malicious JavaScript file was inserted into the header of the front page of the site. A surfer browsing the site with a vulnerable version of Microsoft's Internet Explorer then executed the script, which installed a Trojan downloader from a different server.

During his talk, Nazario described how command-line JavaScript interpreters like NJS can be used alongside Mozilla's SpiderMonkey and Rhino to run suspicious scripts outside the browser and pick away at the obfuscation layers. He offered a simple tutorial for doing this and suggested the need for improved tools to automate some of the reverse-engineering effort.

Nazario also warned that Flash was becoming another distribution mechanism for malware, noting that .swf files were also redirecting browsers to phishing scams and dirty sites rigged with malicious executables. Here again, Nazario said a free tool like Flasm could be used to disassemble Flash ActionScript bytecode.

"The bad guys are using JavaScript [and Flash] as their delivery vehicle. You should learn it and love it to figure out their actions," Nazario told the conference attendees.


Talkback

1 comment
  • Are we talking obfuscation or real encryption??

    Excuse me, but obfuscation is NOT encryption. It's simply a shortened, altered form of code, and is much easier to turn into readable code than truly encrypted code.

    Even if they're using real encryption, though, the decrypter and the key must be stored somewhere in the program (you can't run encrypted code directly - you have to have a way of decrypting it before running it), and can be found with some careful reverse engineering.
    CobraA1