Saturday, February 13, 2010

Circumventing Antivirus Javascript Detection

Some browser-based exploits using javascript are detected by antivirus engines as they often use special strings that are easy to identify, e.g. ActiveX CLSIDs or "unescape('%u0c0c%u0c0c')".

Quite often, very advanced techniques like changing
"clsid:0955AC62-BF2E-4CBA-A2B9-A63F772D46CF"
into
"\x63\x6c\x73\x69\x64\x3a\x30\x39\x35\x35\x41\x43\x36\x32\x2d\x42\x46\x32\x45\x2d\x34\x43\x42\x41\x2d\x41\x32\x42\x39\x2d\x41\x36\x33\x46\x37\x37\x32\x44\x34\x36\x43\x46"
already help to get past AV detection.


More general techniques include randomly named variables, xor-encoded strings and so on. They all have in common that they are detectable if the javascript emulation engine is just good enough, as everything needed for detection is still contained in the examined code.

Some time ago, I implemented a new approach which was integrated into the metasploit framework in combination with the msvidctl_mpeg2 exploit. The detection on virustotal.com dropped to zero. Seven months later, it is still undetected. The used encryption was now integrated into the ie_aurora exploit and again the detection dropped to zero.
As zero detection on virustotal.com does not mean that no AV product will catch the exploit in a live environment (the scanners on virustotal will perform mostly static analysis), I tested the aurora exploit against two installed AV products (I'll better not name them) - with encryption, the exploit worked and was not detected anymore.

How it works
As said before, AV detection relies on the fact that the inspected javascript contains everything needed for the exploit. The new implementation also uses an xor-encryption, yet the key is not contained within the script.
The key used by the script is transferred as part of the URL, e.g.
http://host/exploit.html?<key>
Whereas the javascript executed within the browser can access this part of the url without any problems, many AV products just access the html file stored as temporary file on the disk and therefore cannot access the key - leading to unencryptable javascript code (with the techniques currently used).

Links
Javascript encoder module and integration into the msvidctl_mpeg2 module:
http://www.metasploit.com/redmine/projects/framework/repository/revisions/6784 

The patch for the ie_aurora exploit module can be found here:
http://github.com/svent/misc/tree/master/metasploit/

53 comments:

  1. a similar method is being used with increasing frequency in various 'drive-by download' kits.

    apart from a key in the URL, these often make use of other components outside the reach of an AV product. for example, document.title, or even things like the screen resolution on the host PC.

    ReplyDelete
  2. Interesting method. I didn't use it but i read about it few days ago on http://removalbits.com/. There was detailed article about all this things and now i should try it. Thank you for good information.

    ReplyDelete
  3. Surf the Web Safely: With McAfee's unique Site Advisor rates proprietary web sites and alerts you if you are on a site that is high risk. http://antivirussuport.com/norton/norton-support-number

    ReplyDelete
  4. A few clients trust that why a programmer would hurt them, after they don't appear to be some individual United Nations organization incorporates an appallingly prestigious position inside the Technical exchange. Antivrus

    ReplyDelete
  5. As a side note, you can help your PCs execution also by altering your framework's start-up document by utilizing the 'msconfig' utility to incapacitate any pointless auto begin applications when your PC begins up. norton coupon code

    ReplyDelete


  6. Wow, amazing blog structure! How long have you been running a blog for?
    you make running a blog look easy. The total look of your website is wonderful, as smartly as the content! simply couldn’t leave your
    web site before suggesting that I actually loved the standard information an individual provides to
    your guests? I am gonna be frequenting in order to
    check out new posts.

    Feel free to visit my web blog;

    https://www.authenticcounterfeit.com
    http://counterfeitmoneyonline.net
    http://billsnbills.com

    ReplyDelete
  7. If you need to download a movie from a server that has a great many other users simultaneously requesting large files, even the fastest connections available may make little or no difference. The server needs to divide its available transmission capacity and download management time among that load of connections, thus the speed drops way off. Check Download Speed Test.

    ReplyDelete
  8. we have 8 years experienced team who can fulfil your desire nursing essay help uk requirement.

    ReplyDelete
  9. In case you are stressed over the breaks on your home relax .We are here to get it fix. In case waterproof foundation edmonton you are stressed over snow on your rooftop, we can eliminate it. We are here to clean you drain.

    ReplyDelete
  10. Your search to buy a strategic marketing paper writing service has come to an end with our academic writing company [URL=https://www.assignmentsquare.co.uk/assignment-writing-service]Assignment Writing[/URL]. Feel free to contact us at your convenience.

    ReplyDelete
  11. Fantastic job here. I really enjoyed what you had to say. Keep heading because you surely bring a new voice to this subject. Not many people would say what you've said and still make it interesting. Well, at least I'm interested. Cant wait to see more of this from you. Also, please check out about our services: https://assignmenthelp.us/ thanks.

    Math Assignment Help
    College Assignment Help
    Do My Assignment
    Finance Assignment Help Online
    ENGL V01A assessment answers
    FELM4026 assessment answers
    LS311-5 assessment answers
    BUS303 assessment answers

    ReplyDelete
  12. I am always looking forward to read the neat and clean quote. For this purpose, I found your content slogan effective and impressive. If we make to amicable environment to do work prosperity, then you attach with quotation of Assignment Help. In fact, it would be really helpful for you. Not only for you, but other people can access great knowledge with you.

    ReplyDelete
  13. Thanks for such wonderful blog that looks pretty different, I would suggest you please make a proper plan for your blog and start professional blogging as a career, psychology assignment writing help One day you would be smart enough to earn some money, wishing you a best of luck my friend, Thanks a lot for your nice support and love.

    ReplyDelete
  14. Ignou projects are the most significant problem for all Ignou students particularly when they are working. The language barrier and the difficult subjects always make students anxious. The hectic schedule adds to the difficulty of tackling difficult projects and assignments. Ignou synopsis knows that project work is difficult when students do not understand the subject well. Thus, with the help of an expert, students will assist them in figuring out the puzzle of completing the IGNOU MARD Project.

    ReplyDelete
  15. merkur casino 2021 - Shootercasino
    Merkur 메리트카지노 Blackjack: This is where a slot machine 온카지노 is born: dafabet for playing against real dealers. You'll win up to $25,000! Merkur Blackjack: If your

    ReplyDelete
  16. Menemukan Selera Terbaik Dalam Olahraga
    Berikut adalah 5 cara membentuk otot perut di gym. Lari merupakan cara yang paling simple dan paling efektif untuk membentuk otot perut. Lari terus-menerus dan sering sehingga otot perut Anda menjadi kuat dan sehat.

    ReplyDelete
  17. Cóinbase Pro also gives advanced trading and chatting options to its users. Although it is also very safe and secure to use Cóinbase pro for doing trade, selling, or buying Crypto and transaction of your virtual money. Coinbase Pro Login

    ReplyDelete
  18. Crypto Exchange is one of the best platforms for you if you are looking for a place to invest in the overgrowing wave of online currencies. crypto.com exchange | coinbase wallet | trust wallet |

    ReplyDelete
  19. MetaMask equips you with a key vault, secure login, token wallet, and token exchange—everything you need to manage your digital assets. metamask login | metamask wallet | metamask extension |

    ReplyDelete
  20. The easiest and most secure crypto wallet. Earn interest on your crypto. Lend out your crypto assets to earn interest: compare different rates, easily deposit your crypto, and view balances on. coinbase pro login | coinbase login | gate.io |

    ReplyDelete
  21. FTX Offers a Fairer, Faster Trading Environment. Perpetual Contracts. FTX users are located around the world in over 70 countries and regions. ftx exchange | Spookyswap | coinspot login | aol mail login |

    ReplyDelete
  22. Thanks for sharing this information guide for all master card users. Bitstamp Login | Blockchain Login | Cricut.com/Setup | Blockchain Login

    ReplyDelete
  23. Oh my godness, It was the best experience I`ve ever had :) pronhub.com | xnxx | pronhub | xnxx.com

    ReplyDelete
  24. MetaMask is a Crypto Wallet and Your Gateway to Web3 Buy, store and send tokens globally Explore blockchain applications at lightening speed Choose what to share and what to keep.
    Binance.com Login | MetaMask Wallet

    ReplyDelete
  25. Uphold login is the only digital money platform you need to make easy and instant transactions across 30+ supported currencies, including eight top cryptocurrencies. gemini login |
    gemini login |
    metamask wallet |
    metamask wallet |
    metamask login |
    metamask login |
    uphold login |
    uphold login |
    uphold login |
    blockchain login |

    ReplyDelete
  26. If we are going to talk about murals, it is a harsh reality that there are people who do not appreciate artworks like this. I fell bad, but there is less that I can do; I want them to realize that murals are beautiful and worth appreciating. But I simply don't know where to start. Sometimes, I think of writing as my way to influence people to appraiser things that should be appreciated. I don't help with essay writing know if that is going to be effective, but I want to give it a try.

    ReplyDelete
  27. Your Blog is very nice. Wish to see much more like this. Thanks for sharing your information :) Disneyplus.com login/begin

    ReplyDelete
  28. Hiring a qualified and experienced Java programming assignment help relieve you of your load while also assisting you in producing an accurate and professional assessment paper that will earn you an A. However, it is totally up to you whether you choose any religion writing service to relieve you of all of your worries while also guaranteeing a high-quality assessment or simply wind up with a low-impacting paper.

    ReplyDelete
  29. MetáMask Login is the stage that is a worldwide local area of engineers and fashioners which has been committed for making our globe an extraordinary spot with blockchain innovation.
    metamask login | metamask login | metamask login | metamask login

    ReplyDelete
  30. Moment we're going to bandy the process to useCrypto.com Login account on Apple bias. You can fluently pierce theCrypto.com account on your iOS bias by getting its mobile operation from the App Store.

    crypto.com login |
    crypto.com login |
    crypto.com login |
    gemini login |
    gemini login |
    gemini login

    ReplyDelete
  31. We’ll learn everything related to MetáMask Login Chrome that you need to know. So, if you’re new to the MetáMask Chrome extension. metamask login | kucoin login | crypto com log in |

    ReplyDelete
  32. Thanks for the great post you posted. I like the way you describe the unique content. The points you raise are valid and reasonable. I am a tech support expert telling you about.
    binance us login
    Ledger wallet
    Etoro Login

    ReplyDelete
  33. Scholars can easily choose an online paper help service because thousands of authors are available. It is a wonderful service in one way, as sharing valuable stuff via the internet demonstrates our technological advancement.

    ReplyDelete
  34. QuickBooks Error 400 user may face while login their financial institution website to download bank feeds or reconcile bank transactions But technically the issue behind the error 400 is internet not working or server is unavailable But It can also crop up due to the error in QuickBooks/ Browser. Thus we have shared a full dedicated article on How to fix Error code 400 in QuickBooks. For further disscussion or query you can contact us 800-579-9430.

    ReplyDelete

  35. A blockchain is a growing list of records, called blocks, that are linked together using cryptography.
    Exodus wallet |
    Coinbase wallet |
    Bitcoin wallet |
    Safemoon wallet |
    Blochain wallet |

    ReplyDelete
  36. It's a very powerful article. I really like this post. Thank you so much for sharing this.
    phantom wallet | kraken login

    ReplyDelete


  37. Kraken login was founded back in 2011 and talking about the performance then it is going good just after the launch of this platform.
    kraken login ,

    Uphold login is a cloud-based digital platform that provides financial services to users worldwide.
    uphold login

    ReplyDelete
  38. MetaMask Login , without a doubt, is a popular Ethereum trading wallet that has been used by the mostERC-20 token traders without any issue.
    metamask login | metamask login

    ReplyDelete
  39. This is very educational content and written well for a change. It's nice to see that some people still understand how to write a quality post Visit: Uniswap Exchange

    ReplyDelete




  40. KuCoin is one of the most used crypto exchanges by Bitcoin and Ethereum traders. To access numerous crypto currencies on the KuCoin login exchange,
    you need to do the following.Get your KuCoin account ready by setting up your profile on its website or app.
    metmasklog
    kucoinexchange

    ReplyDelete

  41. This blog was very informative to everyone, thanks to share this post, and best of luck with your future article and posts Visit:
    Metamask Login /
    Kucoin Login /
    uphold Login /
    gemini login /
    Phantom wallet /
    kraken login /
    uniswap exchange /
    blockchain login /
    trezor wallet /

    ReplyDelete
  42. Get your Ethereum Wallet ready with the help of the quick MetaMask to sign up procedure. The fastest way to set up a new
    MetaMask login account is as follow.

    ReplyDelete
  43. As long as you have your seed phrase or the private key, you can access your MetaMask account on any device. But, in the absence of a private key, this task could not be completed even if you do remember your MetaMask login password. So, before you initiate this process, make sure you have access to the secret recovery phrase and then go ahead with applying the steps listed right here in this post

    ReplyDelete

  44. Some cryptocurrencies, like SpookySwap, can only be purchased with another cryptocurrency on decentralized exchanges. To buy SpookySwap, you’ll need to first purchase Ethereum (ETH) and then use ETH to buy SpookySwap. Spookyswap | Yoroi Wallet | Cex.io Login | Binance Wallet | Binance Wallet

    ReplyDelete

  45. Phantom is a mobile and web crypto wallet that has been specially developed to manage SOL tokens. People can easily set up and access this wallet to send, receive and withdraw SOL tokens. Phantom Wallet | With a Trezor wallet by your side, you can easily move crypto in and out of it. In case you believe that some crypto funds need to be moved out of your wallet, then what you can do is follow the easy set of instructions that I am going to list in this article. Trezor Wallet

    ReplyDelete