Saturday, February 13, 2010

Circumventing Antivirus Javascript Detection

Some browser-based exploits using javascript are detected by antivirus engines because they often contain special strings that are easy to identify, e.g. ActiveX CLSIDs or "unescape('%u0c0c%u0c0c')".

Quite often, very advanced techniques like changing
"clsid:0955AC62-BF2E-4CBA-A2B9-A63F772D46CF"
into
"\x63\x6c\x73\x69\x64\x3a\x30\x39\x35\x35\x41\x43\x36\x32\x2d\x42\x46\x32\x45\x2d\x34\x43\x42\x41\x2d\x41\x32\x42\x39\x2d\x41\x36\x33\x46\x37\x37\x32\x44\x34\x36\x43\x46"
are already enough to get past AV detection.


More general techniques include randomly named variables, xor-encoded strings and so on. They all have in common that they are detectable if the javascript emulation engine is just good enough, as everything needed for detection is still contained in the examined code.

Some time ago, I implemented a new approach which was integrated into the metasploit framework in combination with the msvidctl_mpeg2 exploit. The detection on virustotal.com dropped to zero. Seven months later, it is still undetected. The same encryption has now been integrated into the ie_aurora exploit, and again detection dropped to zero.
As zero detection on virustotal.com does not mean that no AV product will catch the exploit in a live environment (the scanners on virustotal perform mostly static analysis), I tested the aurora exploit against two installed AV products (I had better not name them): with encryption, the exploit worked and was no longer detected.

How it works
As said before, AV detection relies on the fact that the inspected javascript contains everything needed for the exploit. The new implementation also uses XOR encryption, but the key is not contained in the script.
The key used by the script is transferred as part of the URL, e.g.
http://host/exploit.html?<key>
While the javascript executed in the browser can read this part of the URL without any problem, many AV products only scan the html file stored as a temporary file on disk and therefore never see the key, leaving javascript that they cannot decrypt (with the techniques currently in use).
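The following triage script is an added example (not code from the post or from the metasploit module) that puts the two observations above side by side: a decode-then-eval chain whose key is a literal in the file can still be unpacked by a good emulator, whereas one whose key comes from location.search (or document.title, screen size, etc.) cannot be decoded from the saved file alone and has to be handled at runtime, e.g. by hooking eval in the browser with the real URL. The regexes are simple heuristics and all three HTML samples are constructed for the example.

```python
import re

# Constructed sample of the pattern the post describes: the XOR key is taken
# from the query string, so the HTML saved to disk never contains it.
SAMPLE_URL_KEY = """<script>
var k = location.search.substring(1);
var c = "1f3a0c2b";  // constructed ciphertext, not a real payload
var s = "";
for (var i = 0; i < c.length; i += 2)
  s += String.fromCharCode(parseInt(c.substr(i, 2), 16) ^ k.charCodeAt((i / 2) % k.length));
eval(s);
</script>"""

# Constructed sample with the key as a literal: everything an emulator needs is in the file.
SAMPLE_INLINE_KEY = SAMPLE_URL_KEY.replace('location.search.substring(1)', '"secret"')

# Constructed benign page: touches the URL but never decodes or executes anything.
SAMPLE_BENIGN = "<script>document.getElementById('q').textContent = location.search;</script>"

# Heuristic patterns (assumptions of this example, not a product signature).
OUT_OF_BAND = re.compile(r"location\.(?:search|hash|href)|document\.(?:URL|title|referrer)|screen\.(?:width|height)")
DECODER = re.compile(r"String\.fromCharCode|charCodeAt|unescape\(|\^")
SINK = re.compile(r"\beval\(|document\.write\(|new Function\(")
ASSIGN = re.compile(r"var\s+(\w+)\s*=\s*([^;]+);")

def triage(html):
    """Classify the inline scripts of one HTML page.
    verdict is 'clean', 'inline-key' (static emulation can decode it) or
    'external-key' (the file alone cannot be decoded; needs the real URL/runtime)."""
    body = "\n".join(re.findall(r"<script[^>]*>(.*?)</script>", html, re.S | re.I))
    reasons = []
    if DECODER.search(body):
        reasons.append("string-decoding arithmetic")
    if SINK.search(body):
        reasons.append("dynamic code execution sink")
    if len(reasons) < 2:  # no decode-then-execute chain: not this pattern
        return {"verdict": "clean", "reasons": reasons}
    # Which variables feed the decoder, and is their value read from outside the file?
    external = [name for name, expr in ASSIGN.findall(body)
                if OUT_OF_BAND.search(expr) and re.search(rf"\b{name}\.charCodeAt", body)]
    if external:
        reasons.append("decoder key read from outside the file: " + ", ".join(external))
        return {"verdict": "external-key", "reasons": reasons}
    return {"verdict": "inline-key", "reasons": reasons}

if __name__ == "__main__":
    for label, page in [("url-key", SAMPLE_URL_KEY), ("inline-key", SAMPLE_INLINE_KEY), ("benign", SAMPLE_BENIGN)]:
        print(label, triage(page))
```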

Links
Javascript encoder module and integration into the msvidctl_mpeg2 module:
http://www.metasploit.com/redmine/projects/framework/repository/revisions/6784

The patch for the ie_aurora exploit module can be found here:
http://github.com/svent/misc/tree/master/metasploit/

32 comments:

  1. A similar method is being used with increasing frequency in various 'drive-by download' kits.

    Apart from a key in the URL, these often make use of other components outside the reach of an AV product, for example document.title, or even things like the screen resolution on the host PC.

  2. Interesting method. I didn't use it, but I read about it a few days ago on http://removalbits.com/. There was a detailed article about all these things and now I should try it. Thank you for the good information.
