Saturday, February 13, 2010

Circumventing Antivirus Javascript Detection

Some browser-based exploits using JavaScript are detected by antivirus engines because they often contain special strings that are easy to identify, e.g. ActiveX CLSIDs or "unescape('%u0c0c%u0c0c')".

Quite often, very advanced techniques like changing
"clsid:0955AC62-BF2E-4CBA-A2B9-A63F772D46CF"
into the hex-escaped form
"\x63\x6c\x73\x69\x64\x3a\x30\x39\x35\x35\x41\x43\x36\x32\x2d\x42\x46\x32\x45\x2d\x34\x43\x42\x41\x2d\x41\x32\x42\x39\x2d\x41\x36\x33\x46\x37\x37\x32\x44\x34\x36\x43\x46"
are already enough to get past AV detection.


More general techniques include randomly named variables, XOR-encoded strings and so on. They all have in common that they are detectable once the JavaScript emulation engine is good enough, as everything needed for detection is still contained in the examined code.

Some time ago, I implemented a new approach which was integrated into the Metasploit framework in combination with the msvidctl_mpeg2 exploit. The detection on virustotal.com dropped to zero. Seven months later, it is still undetected. The same encryption has now been integrated into the ie_aurora exploit, and again the detection dropped to zero.
As zero detection on virustotal.com does not mean that no AV product will catch the exploit in a live environment (the scanners on virustotal mostly perform static analysis), I tested the aurora exploit against two installed AV products (I'd better not name them): with encryption, the exploit worked and was no longer detected.

How it works
As said before, AV detection relies on the fact that the inspected JavaScript contains everything needed for the exploit. The new implementation also uses an XOR encryption, yet the key is not contained within the script.
The key used by the script is transferred as part of the URL, e.g.
http://host/exploit.html?<key>
Whereas the JavaScript executed within the browser can access this part of the URL without any problems, many AV products just access the HTML file stored as a temporary file on disk and therefore cannot access the key, leaving them with encrypted JavaScript they cannot decrypt (with the techniques currently in use).
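From the defender's side, the pattern described above can at least be recognised even when the key itself is out of reach. The following heuristic is an added example written for this page (it is not the author's encoder module nor any Metasploit code): it flags a script that pulls data from outside the file (the URL, or the document title and screen size that comment 1 below mentions), runs a character-level XOR over it and hands the result to eval() or document.write(). The regexes and the all-three-stages rule are my own assumptions, and both sample scripts are constructed.

```python
import re

# Sources of data that live outside the HTML file itself: a scanner that only
# sees the file on disk never observes their values (the post's point about the
# key travelling in the URL; comment 1 adds document.title and screen size).
EXTERNAL_SOURCES = {
    "url": r"\b(?:location\.(?:search|hash|href)|document\.URL|document\.location)\b",
    "title": r"\bdocument\.title\b",
    "screen": r"\bscreen\.(?:width|height|availWidth|availHeight)\b",
}

# Character-level string manipulation typical of an in-script decode loop.
DECODE_OPS = {
    "charcode": r"\bcharCodeAt\s*\(",
    "fromcharcode": r"\bString\.fromCharCode\s*\(",
    "xor": r"\^",  # the XOR operator; far too noisy alone, so only scored with the rest
}

# Dynamic execution sinks where decoded text would end up.
EXEC_SINKS = r"\b(eval|document\.write|document\.writeln|setTimeout|Function)\s*\("


def scan_script(js: str) -> dict:
    """Score a script for the 'decode key outside the file' pattern.

    Heuristic of my own (assumption, not the post's module): flag only when all
    three stages appear together, an external data source, a charCodeAt/XOR
    transform, and a dynamic execution sink.
    """
    sources = [name for name, rx in EXTERNAL_SOURCES.items() if re.search(rx, js)]
    ops = [name for name, rx in DECODE_OPS.items() if re.search(rx, js)]
    sinks = sorted(set(re.findall(EXEC_SINKS, js)))
    suspicious = bool(sources) and {"charcode", "xor"} <= set(ops) and bool(sinks)
    return {"sources": sources, "decode_ops": ops, "sinks": sinks, "suspicious": suspicious}


# Constructed sample mirroring the post's description: the key comes from the
# query string and drives a per-character XOR before the result is eval()ed.
SUSPECT_JS = """
var k = location.search.substring(1), s = "";
for (var i = 0; i < p.length; i++)
  s += String.fromCharCode(p.charCodeAt(i) ^ k.charCodeAt(i % k.length));
eval(s);
"""

# Constructed benign sample: reads the URL too, but decodes and executes nothing.
BENIGN_JS = """
var q = location.search;
if (q.indexOf('lang=de') != -1) document.getElementById('t').innerText = 'Hallo';
"""
```

A hit on a saved HTML file means the file alone cannot be decoded for analysis; the request URL from proxy or IDS logs is needed alongside it, which is exactly the context a purely file-based scanner lacks.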

Links
Javascript encoder module and integration into the msvidctl_mpeg2 module:
http://www.metasploit.com/redmine/projects/framework/repository/revisions/6784

The patch for the ie_aurora exploit module can be found here:
http://github.com/svent/misc/tree/master/metasploit/

16 comments:

  1. a similar method is being used with increasing frequency in various 'drive-by download' kits.

    apart from a key in the URL, these often make use of other components outside the reach of an AV product. for example, document.title, or even things like the screen resolution on the host PC.

  2. Interesting method. I didn't use it but I read about it a few days ago on http://removalbits.com/. There was a detailed article about all these things and now I should try it. Thank you for the good information.

  3. Surf the Web Safely: McAfee's unique Site Advisor rates proprietary web sites and alerts you if you are on a site that is high risk. http://antivirussuport.com/norton/norton-support-number

  4. A few clients trust that why a programmer would hurt them, after they don't appear to be some individual United Nations organization incorporates an appallingly prestigious position inside the Technical exchange. Antivrus

  5. As a side note, you can help your PCs execution also by altering your framework's start-up document by utilizing the 'msconfig' utility to incapacitate any pointless auto begin applications when your PC begins up. norton coupon code


  6. Wow, amazing blog structure! How long have you been running a blog for? You make running a blog look easy. The total look of your website is wonderful, as smartly as the content! I simply couldn't leave your web site before suggesting that I actually loved the standard information an individual provides to your guests. I am gonna be frequenting in order to check out new posts.


  7. If you need to download a movie from a server that has a great many other users simultaneously requesting large files, even the fastest connections available may make little or no difference. The server needs to divide its available transmission capacity and download management time among that load of connections, thus the speed drops way off. Check Download Speed Test.

  8. We have an 8 years experienced team who can fulfil your nursing essay help UK requirement.

  9. In case you are stressed over the breaks on your home, relax. We are here to get it fixed. In case waterproof foundation edmonton you are stressed over snow on your rooftop, we can eliminate it. We are here to clean your drain.

  10. Your search to buy a strategic marketing paper writing service has come to an end with our academic writing company Assignment Writing (https://www.assignmentsquare.co.uk/assignment-writing-service). Feel free to contact us at your convenience.

  11. Fantastic job here. I really enjoyed what you had to say. Keep heading because you surely bring a new voice to this subject. Not many people would say what you've said and still make it interesting. Well, at least I'm interested. Can't wait to see more of this from you. Also, please check out our services: https://assignmenthelp.us/ thanks.

    Math Assignment Help
    College Assignment Help
    Do My Assignment
    Finance Assignment Help Online
    ENGL V01A assessment answers
    FELM4026 assessment answers
    LS311-5 assessment answers
    BUS303 assessment answers

  12. I am always looking forward to reading a neat and clean quote. For this purpose, I found your content slogan effective and impressive. If we make an amicable environment to do work in prosperity, then you attach with the quotation of Assignment Help. In fact, it would be really helpful for you. Not only for you, but other people can access great knowledge with you.

  13. Thanks for such a wonderful blog that looks pretty different. I would suggest you please make a proper plan for your blog and start professional blogging as a career, psychology assignment writing help. One day you would be smart enough to earn some money, wishing you the best of luck my friend. Thanks a lot for your nice support and love.

  14. Ignou projects are the most significant problem for all Ignou students particularly when they are working. The language barrier and the difficult subjects always make students anxious. The hectic schedule adds to the difficulty of tackling difficult projects and assignments. Ignou synopsis knows that project work is difficult when students do not understand the subject well. Thus, with the help of an expert, students will assist them in figuring out the puzzle of completing the IGNOU MARD Project.

  15. merkur casino 2021 - Shootercasino
    Merkur 메리트카지노 Blackjack: This is where a slot machine 온카지노 is born: dafabet for playing against real dealers. You'll win up to $25,000! Merkur Blackjack: If your
