Breaking malware callee-protection functions in JavaScript

I have recently been working my way through the SANS (http://www.sans.org) course on Reverse Engineering Malware, which has been an extremely enjoyable experience. Anyway, while reading the sections on advanced JavaScript obfuscation, which explain how malware authors use the capabilities of the JavaScript arguments.callee function to make analysis and debugging a lot harder, it struck me that there may be an opportunity to actually turn this capability on its head and use it to protect against such malicious JavaScript.

If a JavaScript malware author uses arguments.callee either to check for script modification, by detecting a change in script length or by verifying a checksum, or in more advanced ways, such as using the function's own source text as the key for decoding the main JavaScript, then why can't we implement protective measures that add random blank lines and random-length "canary comments" before any JavaScript is processed by the end browser?

This could be implemented as a browser plug-in (e.g. as a NoScript capability?), in anti-virus/HIPS agents, or even on a proxy server that does content scanning at the perimeter.

Will widespread use of adding such "canary values" to pre-processed JavaScript diminish the threat from malicious code? No. But if it reduces the effectiveness of a technique that is currently used mainly to make decoding and analysing malicious JavaScript difficult, then it has to be a positive. Plus, in the short term, it would give some people better protection against malicious JavaScript that depends on arguments.callee protections, and make reverse engineering malicious JavaScript a bit simpler.
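The idea above, as an added example that is not code from the original post: a constructed sample script whose function hashes its own source text via arguments.callee.toString() and compares it with an expected value stored outside the function (the length-or-checksum self-check the post describes), next to a defensive pre-processor that inserts random-length canary comments and blank lines before the script is handed to the engine. The hash (FNV-1a), the script text, and the function names are all assumptions made for this example; the code runs under Node and must stay in sloppy mode, because arguments.callee throws in strict mode.

```javascript
// Added example, not code from the original post. It models two things:
// (1) a script that checks its own source via arguments.callee, and
// (2) a defensive pre-processor that inserts "canary comments" so that such
// a check no longer matches. No 'use strict' here: arguments.callee is
// unavailable in strict-mode code.

// FNV-1a 32-bit, a stand-in for whatever checksum a self-checking script uses.
function fnv1a(text) {
  let h = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    h ^= text.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h >>> 0;
}

// Constructed sample script. payload() hashes its own text with the same
// FNV-1a loop; EXPECTED lives outside the function so it is not part of the
// hashed text. __EXPECTED__ is a placeholder filled in by buildSelfCheckingScript().
const SCRIPT_TEMPLATE = [
  'function payload() {',
  '  var me = arguments.callee.toString();',
  '  var h = 0x811c9dc5;',
  '  for (var i = 0; i < me.length; i++) {',
  '    h ^= me.charCodeAt(i);',
  '    h = Math.imul(h, 0x01000193) >>> 0;',
  '  }',
  '  return { length: me.length, hash: h >>> 0 };',
  '}',
  'var EXPECTED = __EXPECTED__;',
  'var r = payload();',
  'return { length: r.length, hash: r.hash, intact: r.hash === EXPECTED };',
].join('\n');

// Run script text as a sloppy-mode function body and return its result.
// The Function constructor always creates non-strict functions, whatever
// mode the surrounding file is in.
function runScript(source) {
  return new Function(source)();
}

// Produce the "shipped" script: run once to learn payload()'s self-hash,
// then bake that value in as EXPECTED, as a self-checking author would.
function buildSelfCheckingScript() {
  const probe = runScript(SCRIPT_TEMPLATE.replace('__EXPECTED__', '0'));
  return SCRIPT_TEMPLATE.replace('__EXPECTED__', String(probe.hash));
}

// Defensive transform from the post: before the script reaches the engine,
// insert a random-length comment after each function body's opening brace
// and a random run of blank lines in front of each line. Math.random is
// adequate here; the canary only needs to be unpredictable to the script.
function injectCanaries(source) {
  const alphabet = 'abcdefghijklmnopqrstuvwxyz0123456789';
  const canary = () => {
    const len = 8 + Math.floor(Math.random() * 24);
    let s = '';
    for (let i = 0; i < len; i++) s += alphabet[Math.floor(Math.random() * alphabet.length)];
    return '/* canary:' + s + ' */';
  };
  const blankLines = () => '\n'.repeat(Math.floor(Math.random() * 3));
  return source
    .replace(/\bfunction\b([^{]*)\{/g, (m, head) => 'function' + head + '{ ' + canary())
    .split('\n')
    .map((line) => blankLines() + line)
    .join('\n');
}

// Run the self-checking script untouched and again after canary injection.
function demo() {
  const shipped = buildSelfCheckingScript();
  const clean = runScript(shipped);                  // intact: true
  const guarded = runScript(injectCanaries(shipped)); // intact: false
  return { clean, guarded, cleanHash: fnv1a(shipped) };
}
```

The untouched script reports intact: true, while the canary-injected copy sees a longer function body and a different hash and reports intact: false, which is the effect the post is after. A real pre-processor needs a proper tokenizer rather than a regex, so that canaries land only in positions where comments and whitespace are legal (not inside string, template or regex literals), otherwise the transform can break legitimate scripts.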
