Sunday, March 29, 2009

Jsunpack: Automated JS Unpacker (or Deobfuscator)

We have seen recent growth in HTTP botnets and DIY toolkits used to drive more sophisticated and targeted attacks that deny, deceive and destroy network infrastructures and services. There is a famous Chinese saying:
"Deceive the sky to cross the ocean"

Today's rapidly growing embedded JavaScript attacks (e.g. injected iframe tags) have raised a red flag on the client browser landing space. The growing number of encoded and encrypted JS exploits relies on common functions such as eval(), document.writeln(), createElement(), setTimeout(), appendChild(), etc. Even assuming an IDS/IPS with an advanced rule set and dynamic plug-ins, these attacks still bypass and evade network defenses because the code requires manual inspection, and manual decoding takes considerable time and resources.


This process could involve debuggers such as the MS debugger or a Firefox debugger plug-in. On the other side, a malicious adversary may apply advanced techniques to defeat manual decoding, such as escape sequences, environment variables, timing and blacklisting.

An example of simple JavaScript hooking is given below (print() is a built-in of the SpiderMonkey shell; the eval() call is what an unpacker hooks to see the code being executed):
----
function func0() {
    var abc = new Array();
    // A hooked eval() records the string it receives instead of trusting it blindly.
    eval('print (abc);');
}
func0();
----

Prior to Jsunpack, other JavaScript decoding solutions were:
- jsDecode
- SpiderMonkey
- The Ultimate Deobfuscator
- Malzilla

The main features of Jsunpack are:
- Safe browser simulation
- Processes ActiveX, PDF and Flash content
- Advanced hooking techniques that evaluate multiple execution paths
- Can be integrated with an IDS or crawler