Understanding and analyzing obfuscated malicious web scripts
HELLO!
I am Vikram Kharvi
Student@PESIT, Intern@Deloitte-Cyber Risk
Malware Analysis, Pen-Testing, Developer.
You can find me at
vikram984511@gmail.com
All about this session
Note
• Will not cover the intent of the exploit.
• Will not cover reverse engineering.
• We will be interested in what a malicious script does, not how it does it.
Getting started with analysis of malicious scripts.
Common obfuscation techniques used by malicious script authors.
Ways to deobfuscate scripts without wasting much time.
Tools that can be used to deobfuscate scripts.
Find this slide @ cysinfo.com
Getting started with analysis of malicious web scripts
Use Virtual Machines or a Sandbox before visiting a malicious site.
⊗ Always replace eval() with console.log() to understand what is being executed by the JavaScript.
⊗ Focus on try/catch blocks in JavaScript.
⊗ Check for Evercookie for persistent data. https://github.com/samyk/evercookie
⊗ Flag iframes.
⊗ Flag CSS where you find visibility:false; or hidden.
⊗ Check for external links.
⊗ Flag DOM manipulation in JS.
Obfuscation Techniques
• Minification
• Visual Noise
• Function name/keyword substitution
• Obscure language features (e.g. JS tuples)
• Encoding/Encryption
• Multiple levels of obfuscation
• JavaScript obfuscation web sites
Minification
• Remove whitespace from the script.
• Rename variables and functions with shorter names.
• JSCompress.com
• To reformat, use a beautification tool like js-beautify or a website.
Visual Noise
Increase the difficulty of reading code without changing its functionality.
• Spurious comments
• Dead code
• Long names
• String splitting
• Character substitution (e.g. replace)
Removing Visual Noise
How to deobfuscate
• Manually remove noise.
• Write a script.
• Extract meaningful code.
Character Encoding
Encodings
• Hex (just hex characters)
• Backslash Hex (\x<n>) https://www.obkb.com/dcljr/charstxt.html
• Ampersand Hex (&H<n>) https://www.toptal.com/designers/htmlarrows/letters
• Backslash Unicode (\u<n>) https://en.wikipedia.org/wiki/List_of_Unicode_characters
• Percent Unicode (%u<n>) https://en.wikipedia.org/wiki/List_of_Unicode_characters
• Octal (\<n>)
Deobfuscating Character Encoding
• Normalize encoded chars to readable characters.
• Didier Stevens tools (base64dump.py, numbers-to-string.py, etc.) https://remnux.org/
• Custom script
Deobfuscation Principles
• Make the script do the work.
• Don't sweat the details.
• Beautify the script.
• Look for anything recognizable.
• Peel back the layers.
Tools
• oledump.py: Analyse MS Office files.
• pdfid.py/pdf-parser.py: Analyze PDF files.
• base64dump.py: Extract base64 and hex encoded strings.
• js-file/js-ascii (modified SpiderMonkey): Run JavaScript outside the browser.
More Tools
• urldecode.py
• Strip_xml
• Combine_strings
• decode_chars.py: Decode mixed encodings.
• js-beautify
• Linux tools (grep, sed, awk, cut, etc.)
Demo
Prevention and best practices
● Have a robust anti-virus or full security solution installed on your computers.
● Make sure to update the operating system with the latest security patches.
● Keep all software on the computer up to date and download updates regularly as they are released to avoid known vulnerabilities.
● Make it a habit to run regular full system scans to check for problems and remove them.
● Avoid clicking on links from websites of unknown origin or links embedded in the body of emails, especially spam e-mails.
● Check where a link redirects by hovering over it; the destination is shown in the status bar.
● Install browser security plugins, such as ones that automatically block JavaScript execution or forced downloads.
● Web administrators should keep all web applications upgraded and monitor them to locate any scripts that may have been inserted by third parties.
CREDITS
Evan H Dygert
Didier Stevens
Monnappa K A
THANKS!
Any questions?
You can find me at:
vikram984511@gmail.com