Wednesday, June 16, 2010

Antivirus Struggling with Obfuscated JavaScript

Via Zscaler Research -

As part of our offline research, we regularly test various desktop antivirus (AV) solutions to determine how effective they are at catching web based threats. One segment where I feel that AV has struggled, is with the identification of malicious content when analyzing obfuscated JavaScript. While obfuscated JavaScript can be an indication of malicious content, such as injected IFRAME attacks, the technique is regularly used by legitimate sites. Most notably, we see heavy usage of JavaScript obfuscation among online advertising vendors. JavaScript obfuscation is used by legitimate sites for two reasons. First, code may be obfuscated in an effort to limit the size of the code by removing whitespace and changing variable names in order to make it more efficient. Secondly, sites leverage obfuscation in order to 'protect' code by making it harder to understand and therefore copy. This latter motivation is of minimal value however as client side content can always be de-obfuscated given a basic level of effort. After all, the browser needs to interpret the code at some point.

JavaScript obfuscation presents a challenge for AV vendors. Despite what marketing literature would suggest, detecting malicious content still heavily relies on the use static signatures. Obfuscation is problematic as signatures cannot detect what they cannot see. This leaves two options. The AV engine can either first de-obfuscate the JavaScript or signatures can be created for obfuscated content. The latter is problematic as even a slight change in the content or encoding algorithm can lead to vastly different output, while de-obfuscation is an imperfect science as those who have used tools such as Malzilla can attest to.


Video: Client-Side Exploitation - JavaScript Obfuscation/AV Evasion

No comments:

Post a Comment