
Tapping into the IE 7 JavaScript Interpreter

09.05.2007 - 11:18 AM
Obfuscation in JavaScript is certainly nothing new to malicious code authors, who routinely use it to slip past intrusion detection systems (IDS) that rely primarily on signatures for detection.

Here is a screenshot of some obfuscated malicious JavaScript code embedded in an HTML page:

Let's talk about a neat way of decoding JavaScript obfuscations on the fly in Microsoft Internet Explorer 7 -- by tapping directly into the heart of the language itself: the interpreter.

We have blogged about JavaScript deobfuscation before, by overwriting document.write inside SpiderMonkey's JavaScript interpreter ([1], [2]). Today we show how to do the same thing in IE7 by hooking the native code that implements document.write.

The basic idea is simple: no matter how heavily the code is obfuscated, the interpreter must eventually deobfuscate it in order to execute the underlying malicious code. In the obfuscated sample above, we observed that during execution the deobfuscation routine eventually calls document.write. So let's hook the document.write implementation (at the assembly level) and see what we can capture there.

We fire up IDA Pro, open mshtml.dll, and accept the prompt to load symbols. On the Names tab we quickly spot CDocument__write(int,SAFEARRAY *psa) at .text:775E524A (MSHTML version 7.600, IE7).

The function receives the parameter SAFEARRAY *psa, which looks like this:

Buffer (PWSTR) is a pointer to the deobfuscated content that is about to be written into the HTML page. Knowing this, we can monitor Buffer in real time and recover the underlying malicious JavaScript, no matter how complex the obfuscation. One caveat: the hook only sees content that actually passes through document.write; a payload that the loader hands to eval or injects via innerHTML never reaches this function, so those paths need hooks of their own.
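To make the two mechanical parts of this concrete, here is an added example (not code from the original post or from Websense): a portable C model of the hook. It builds the 5-byte `jmp rel32` that would overwrite the start of CDocument::write (using the page's address 775E524A and an arbitrary placeholder handler address), and it implements the handler body that walks the SAFEARRAY argument and copies out the text. The OLE Automation structs are hand-copied with their 32-bit IE7 layout so the code compiles anywhere; the assumption that each element is a VARIANT of type VT_BSTR follows the documented signature of IHTMLDocument2::write (the page's own diagram labels the text pointer only as Buffer PWSTR). The names `dump_document_write`, `demo_dump`, `SAMPLE_DECODED` and the sample markup are all constructed for this illustration.

```c
/*
 * Portable model of a CDocument::write hook (added example, not the post's code).
 *
 *   1. build_jmp_patch()     - the 5-byte "jmp rel32" written over the first bytes of
 *                              CDocument::write so control reaches our handler.
 *   2. dump_document_write() - the handler body: walk the SAFEARRAY *psa argument and
 *                              copy out the text document.write is about to emit.
 *
 * Struct layouts are hand-copied (32-bit IE7 process); a real hook DLL would include
 * <oleauto.h>. Installing the patch (VirtualProtect + memcpy + a trampoline that
 * re-executes the displaced instructions) is Windows-only and is not shown here.
 */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef uint16_t WCHAR16;   /* BSTR text is UTF-16 code units */
typedef WCHAR16 *BSTR16;    /* points at the text; a 4-byte byte-length prefix precedes it */

typedef struct { uint32_t cElements; int32_t lLbound; } SAFEARRAYBOUND_;

typedef struct {
    uint16_t cDims;          /* number of dimensions (1 for document.write) */
    uint16_t fFeatures;      /* FADF_* flags */
    uint32_t cbElements;     /* size of one element */
    uint32_t cLocks;
    void    *pvData;         /* the element array */
    SAFEARRAYBOUND_ rgsabound[1];
} SAFEARRAY_;

#define FADF_VARIANT_ 0x0800
#define VT_BSTR_      8

typedef struct {
    uint16_t vt;
    uint16_t wReserved1, wReserved2, wReserved3;
    union { BSTR16 bstrVal; uint64_t raw; } u;   /* 8-byte payload, as in VARIANT */
} VARIANT_;

/* rel32 in "E9 xx xx xx xx" is measured from the end of the 5-byte instruction. */
void build_jmp_patch(uint32_t hook_site, uint32_t handler, uint8_t patch[5])
{
    uint32_t rel = handler - (hook_site + 5u);   /* wraps mod 2^32 for backward jumps */
    patch[0] = 0xE9;
    patch[1] = (uint8_t)(rel);
    patch[2] = (uint8_t)(rel >> 8);
    patch[3] = (uint8_t)(rel >> 16);
    patch[4] = (uint8_t)(rel >> 24);
}

/* Byte length stored in the 4 bytes before a BSTR (excludes the NUL terminator). */
static uint32_t bstr_byte_len(BSTR16 b)
{
    uint32_t n;
    memcpy(&n, (const uint8_t *)b - 4, sizeof n);
    return n;
}

/*
 * Handler body. Called with the SAFEARRAY that mshtml passed to CDocument::write
 * (the int/'this' argument is not needed). Appends the text of every VT_BSTR
 * element to `out` as a NUL-terminated string, narrowing UTF-16 to ASCII and
 * replacing anything above 0x7F with '?'. Returns the number of elements dumped.
 */
size_t dump_document_write(const SAFEARRAY_ *psa, char *out, size_t outsz)
{
    size_t pos = 0, dumped = 0;
    if (outsz == 0) return 0;
    out[0] = '\0';
    if (psa == NULL || psa->cDims != 1 || psa->pvData == NULL) return 0;
    if (!(psa->fFeatures & FADF_VARIANT_) || psa->cbElements < sizeof(VARIANT_)) return 0;

    for (uint32_t i = 0; i < psa->rgsabound[0].cElements; i++) {
        const VARIANT_ *v = (const VARIANT_ *)((const uint8_t *)psa->pvData + (size_t)i * psa->cbElements);
        if (v->vt != VT_BSTR_ || v->u.bstrVal == NULL) continue;
        uint32_t nchars = bstr_byte_len(v->u.bstrVal) / 2;
        for (uint32_t k = 0; k < nchars && pos + 1 < outsz; k++) {
            WCHAR16 c = v->u.bstrVal[k];
            out[pos++] = (c < 0x80) ? (char)c : '?';
        }
        out[pos] = '\0';
        dumped++;
    }
    return dumped;
}

/* ---- Fixture: build the SAFEARRAY the browser would build (constructed data) ---- */

/* Allocate a BSTR from ASCII: 4-byte length prefix, UTF-16 text, UTF-16 NUL. */
static BSTR16 make_bstr_ascii(const char *s)
{
    size_t n = strlen(s);
    uint8_t *mem = malloc(4 + (n + 1) * sizeof(WCHAR16));
    if (mem == NULL) return NULL;
    uint32_t bytes = (uint32_t)(n * sizeof(WCHAR16));
    memcpy(mem, &bytes, 4);
    BSTR16 b = (BSTR16)(mem + 4);
    for (size_t i = 0; i <= n; i++) b[i] = (WCHAR16)(unsigned char)s[i];
    return b;
}

static void free_bstr(BSTR16 b) { if (b) free((uint8_t *)b - 4); }

/* Constructed sample: the decoded markup an obfuscation loop hands to document.write. */
static const char *SAMPLE_DECODED = "<script>alert('deobfuscated')</script>";

/* Simulates one document.write() call arriving at the hook and dumps it. */
size_t demo_dump(char *out, size_t outsz)
{
    BSTR16 text = make_bstr_ascii(SAMPLE_DECODED);
    VARIANT_ elem; memset(&elem, 0, sizeof elem);
    elem.vt = VT_BSTR_;
    elem.u.bstrVal = text;

    SAFEARRAY_ psa; memset(&psa, 0, sizeof psa);
    psa.cDims = 1;
    psa.fFeatures = FADF_VARIANT_;
    psa.cbElements = sizeof(VARIANT_);
    psa.pvData = &elem;
    psa.rgsabound[0].cElements = 1;

    size_t n = dump_document_write(&psa, out, outsz);
    free_bstr(text);
    return n;
}
```

In a live hook the handler would be entered from the patched prologue, so it must respect the calling convention IDA shows for CDocument__write (the leading int is the object pointer), preserve registers, and return through a trampoline that re-executes the five displaced bytes; a detour library takes care of that plumbing, and the dumped text is what you log or feed to an analyst.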

Security Researcher: Moti Joseph, mjoseph | at | websense.com
