Archived Blog

Malicious JavaScript using HTML Elements to Store Content

10.15.2008 - 12:00 PM

Here at Websense Security Labs, we have recently started to see a new trend in malicious JavaScript: Web pages using form elements to store obfuscated malicious code. This fairly new tactic is increasingly being used by authors of malicious code. As an aside, it has also been included in the My Poly Sploits v.1.0 exploit toolkit. The My Poly Sploits administration interface:


Back to the point: authors of malicious Web pages are using form elements as a way to store, obfuscate, and fragment their malicious content. The way this generally works is that a small amount of JavaScript code handles the deobfuscation, while the actual malicious content is not included inside the JavaScript tags (as it traditionally would be). The malware authors instead put the content inside an INPUT element.

JavaScript deobfuscation code (formatted):


INPUT element with obfuscated malicious content:


As you can see above, the authors of the malicious code store content in the VALUE attribute of the INPUT element. The JavaScript deobfuscation code (shown above) then retrieves the content and deobfuscates it. The code then attempts several of the exploits included in the My Poly Sploits toolkit.
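The pattern described above, from the detection side, as an added example that is not part of the original post: a small static check written for this page in Python. It flags an HTML page when some INPUT element carries a VALUE attribute that is both unusually long and high-entropy and a SCRIPT on the same page reads INPUT values through the DOM. The two sample pages, the thresholds (200 characters, 4.0 bits per character) and the regular expressions are all constructed for illustration; the "payload" is a deterministic alphanumeric filler, not real malicious data.

```python
import math
import re
import string
from collections import Counter

# Constructed stand-in for an obfuscated blob: a long, high-entropy alphanumeric
# string built deterministically so the example runs offline (not real malware).
_ALPHABET = string.ascii_letters + string.digits
FILLER = "".join(_ALPHABET[(i * 37) % len(_ALPHABET)] for i in range(400))

# Constructed page mirroring the technique in the post: a hidden INPUT carries
# the blob in its VALUE attribute and a short script fetches it via .value.
SUSPICIOUS_HTML = f"""<html><body>
<form name="f"><input type="hidden" id="d" name="d" value="{FILLER}"></form>
<script>
var s = document.getElementById("d").value;
// (the deobfuscation step itself is omitted)
</script>
</body></html>"""

# Constructed ordinary form for comparison: a short token (below the length
# threshold) and a long but low-entropy value (below the entropy threshold).
BENIGN_HTML = f"""<html><body>
<form action="/login"><input type="text" name="user" value="guest">
<input type="hidden" name="csrf" value="0123456789abcdef0123456789abcdef">
<input type="hidden" name="notes" value="{'x' * 300}"></form>
</body></html>"""

INPUT_TAG_RE = re.compile(r"<input\b[^>]*>", re.I)
VALUE_ATTR_RE = re.compile(r"""\bvalue\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.I)
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# DOM accesses a deobfuscation stub would use to reach an INPUT's VALUE.
VALUE_READ_RE = re.compile(
    r"\.value\b|getElementById\s*\(|getElementsByTagName\s*\(\s*['\"]input['\"]|document\.forms\b",
    re.I,
)


def shannon_entropy(text: str) -> float:
    """Bits per character of the string's byte-frequency distribution."""
    if not text:
        return 0.0
    n = len(text)
    counts = Counter(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def input_values(html: str):
    """Yield the raw VALUE attribute of every INPUT element in the page."""
    for tag in INPUT_TAG_RE.findall(html):
        m = VALUE_ATTR_RE.search(tag)
        if m:
            yield next(g for g in m.groups() if g is not None)


def suspicious_inputs(html: str, min_len: int = 200, min_entropy: float = 4.0):
    """Return (length, entropy) for INPUT values that are both long and dense."""
    hits = []
    for value in input_values(html):
        ent = shannon_entropy(value)
        if len(value) >= min_len and ent >= min_entropy:
            hits.append((len(value), round(ent, 2)))
    return hits


def scripts_read_input_values(html: str) -> bool:
    """True if any inline SCRIPT body touches INPUT values via the DOM."""
    return any(VALUE_READ_RE.search(body) for body in SCRIPT_RE.findall(html))


def assess(html: str, min_len: int = 200, min_entropy: float = 4.0) -> dict:
    """Combine both signals: a dense blob in an INPUT plus a script that reads it."""
    hits = suspicious_inputs(html, min_len, min_entropy)
    reads = scripts_read_input_values(html)
    return {
        "suspicious_inputs": hits,
        "script_reads_input_values": reads,
        "flag": bool(hits) and reads,
    }


if __name__ == "__main__":
    for label, page in (("suspicious", SUSPICIOUS_HTML), ("benign", BENIGN_HTML)):
        print(label, assess(page))
```

Requiring both signals keeps false positives down: long opaque values alone are common (serialized view state, signed tokens), and scripts reading form fields are everywhere, but the combination of a high-entropy blob in an INPUT and a script that pulls INPUT values is the shape this post describes. A real deployment would also decode HTML entities in attribute values and look at external script files, not only inline ones.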

For some time, we have been seeing malware authors expand their horizons in obfuscation and evasion. This new trend just adds one more layer of possible obfuscation. It will be interesting to see how malware authors try to evolve this technique as they have other obfuscation techniques. One possibility could be using multiple elements with different attributes to distribute malicious content in fragments across a page.

Security Researcher: Ali Mesdaq
