In his talk, Billy Hoffman pointed out several techniques currently used by malicious web page authors to circumvent automated JavaScript de-obfuscation tools. One of his main points was that these tools don't behave like real browsers, so a malicious page can recognize them with simple behavioral checks.
Billy gave several examples of how a malicious page could determine which browser the JavaScript was actually running in by using browser fingerprinting techniques rather than relying on the easily spoofed User-Agent string. The techniques discussed included browser error checking, use of JavaScript in HTTP headers, network tests, use of images as a back channel for communication, and several others.
Two of the more interesting techniques presented were the use of whitespace characters to encode content and the use of new IE8/JavaScript features. Whitespace encoding is intriguing because many automated JavaScript analysis tools strip whitespace out of the code before tokenizing and parsing it, so anything encoded in the whitespace is silently discarded by the tool while a real browser still sees it.
Another interesting point brought up in Billy's talk was the new support for data URIs in IE8. A data URI embeds the data itself in the URI, so a document can carry its resources inline instead of fetching them separately; the data is already in the document.
This data could be of any kind. For example, it might be image data, web page content data, or malicious data that’s custom encoded. This just adds another way for malicious users to hide malicious content. The overall point to take away from the talk is that malicious authors have many techniques at their disposal to try to ensure that their malicious code is seen only from inside of a real browser.
Another interesting talk on Day 2 was "How To Impress Girls with Browser Memory Protection Bypasses" by Mark Dowd and Alexander Sotirov. In this talk Mark and Alexander showed a technique to completely bypass the memory protection features of Microsoft Vista. The technique they discussed loads whatever content is desired into any chosen location in memory on a user's machine, using custom .NET objects.
The technique bypasses Vista's Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) defenses. Bypassing these built-in security measures is a big step forward for writing reliable exploits for Vista. We believe that these techniques, and variations on them, will lead to PoC code shortly, and then to actual exploits.
To wrap up this year's BlackHat USA conference, we can say that the biggest buzz was around the DNS vulnerability reported by Dan Kaminsky (presentation posted at http://www.doxpara.com/DMK_BO2K8.ppt). Since the vulnerability had already been guessed and discussed heavily several weeks before BlackHat, the buzz didn't quite live up to the hype, simply because so much had already been said before the conference.
This year there also seemed to be many talks relating to the use of various file-based exploits, such as custom .NET objects, hibernation files, Office documents, and others. There also seemed to be a number of talks based around analyzing malicious content (malware, malicious web pages, and network traffic) that is specifically designed to circumvent analysis. Some of those talks were Billy Hoffman's "Circumventing Automated JavaScript Analysis Tools," Joe Stewart's "Protocols and Encryption of the Storm Botnet," and Shawn Embleton's and Sherri Sparks' "A New Breed of Rootkit: The System Management Mode (SMM) Rootkit."
Overall, BlackHat USA was what you expected it to be: a great place for researchers to discuss their research and spread their new theories.
Researchers: Moti Joseph and Ali Mesdaq