A one liner definition of obfuscation from wikipedia:
In software development, obfuscation is the deliberate act of creating obfuscated code, i.e. source or machine code that is difficult for humans to understand.
Obfuscated JavaScript code is a widely used technique to hide initial functionality of a given script. There is nothing malicious in obfuscation itself. Its valid use can be to protect intellectual property of a developer or a company implemented given script or library; to compress code; to decrease size of downloaded web page; and etc.
Due to its popularity there are plenty of free online obfuscators that easily translate simple JavaScript code to something unreadable and mostly impossible for human understanding.
Let's run a simple example:
We have a simple JavaScript snippet. All that it does is showing the message window with string “Obfuscated string”
We can have something like this:
var a="Obfuscated string";
function msg(m){ alert(m);}
msg(a);
Passing this script through freely available online obfuscators http://javascriptobfuscator.com/ and http://javascriptcompressor.com/ gives us two cpmpletely different outputs:
var _0x86eb=["\x4F\x62\x66\x75\x73\x63\x61\x74\x65\x64\x20\x73\x74\x72\x69\x6E\x67"]; var a=_0x86eb[0];function msg(_0x988dx3){alert(_0x988dx3);} ;msg(a);
and
eval(function(p,a,c,k,e,r){e=String;if(!''.replace(/^/,String)){while(c--)r[c]=k[c]||c;k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('3 0="4 5";6 1(2){7(2)}1(0);',8,8,'a|msg|m|var|Obfuscated|string|function|alert'.split('|'),0,{}))
Not we can go futher and pass the output of the first obfuscator through the second one which will give us result even more far different from the original script:
eval(function(p,a,c,k,e,r){e=function(c){return c.toString(a)};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('1 4=["\\9\\c\\i\\k\\2\\7\\8\\3\\b\\l\\d\\2\\3\\e\\f\\g\\h"];1 a=4[0];j 5(a){6(a)};5(a);',22,22,'|var|x73|x74|_0x86eb|msg|alert|x63|x61|x4F||x65|x62|x20|x72|x69|x6E|x67|x66|function|x75|x64'.split('|'),0,{}))
This far, without any special skills required, we have converted original source code to something completely not related and "unreadable". Our intellectual property is safe and unless, of course, a group of hackers will spent time dedicated to deobfuscation (there are no 100% proof targets as history shows).
Unfortunately, JavaScript obfuscation is used not only for legal and legitimate purposes. Almost every exploit kit (for example http://en.wikipedia.org/wiki/Blackhole_exploit_kit) utilizes JavaScript obfuscation algorithms in order bypass antivirus protection and invisibly inject malware into victim PC or touch devices.
While analysing the malware distributed via the web, Quttera's researches come across such techniques in vast majority of the compromised websites cases. Interesting attacks are covered, in education purposes only, on Quttera Blog because we believe it can help online community and website owners.
Worth mentioning website malware cases have been collected during past few months with public online Website Malware Scanner. Explanation of execution flow of JavaScript threats detected:
http://pastebin.com/uMX957TZ
http://pastebin.com/LapfSMUV
http://pastebin.com/6ByZH4GT
http://pastebin.com/VPkKXeMJ
http://pastebin.com/wzx4dvwd
Looking at the analysis we can see that the target of all these threats is to inject hidden iframe, which finally redirects visitors browser to malware distribution server. Successful attack results in silently installed malware on PC or touch devices that were used to visit infected web site.
Fairly, there are few integral parts playing a major role in this puzzle. First of all JavaScript itself is simple and very rich language that provides possibility for dynamic generation and execution of script code using eval
and unescape
methods. This fact backed with all modern obfuscation techniques make it simply impossible to detect such payload using pattern-based engines utilized by antiviruses.
Antiviruses are still an essential part of the secure perimeter as they capable to prevent accessing links to known infected web servers that distribute malware. Obviously, the remaining issue here is that thousands of new web servers hacked and compromised day by day while it take some amount of time until such web servers get listed in antivirus blacklist.