Javascript Deobfucation Tools (Part 2)

In the previous article, I manually deobfuscated three malicious scripts. This time around, I’ll use publicly available tools to see which ones can tackle real-world obfuscated Javascript code.

Here’s the criteria I used to select the tools:
1. Free
2. Windows-based
3. Easy to setup and use (i.e. aimed at the novice user)

These are the tools I selected to test with:
* Creme Brulee
* Firebug – Firefox plug-in
* Google Chrome Developer Tools
* Javascript Deobfuscator – Firefox plug-in
* JSDebug
* Malzilla
* Microsoft IE8 Developer Tools
* Microsoft Script Debugger
* Rhino
* SpiderMonkey + V8
* The Mina

Other tools are available but I didn’t test them because I felt they didn’t meet the above criteria: Aptana Studio, Caffeine Monkey, DecryptJS, JSUnpack, Microsoft Script Editor, NJS Javascript Interpreter, Venkman, and Wully

I’ll be using the same malicious Javascripts from the last time. Here’s a recap:

Rather straightforward obfuscation that inserts iframes into the page.

Uses DOM to attach a script to the webpage.

Heavily obfuscated with two layers to peel off to get the browser exploits.

Creme Brulee
This tool is able to handle simple obfuscated scripts but doesn’t do so well with others. Sometimes IE would hang as it tried to process a script.

Firebug (FF plugin)
Firebug deobfuscated all three scripts but the challenge was where to find the deobfuscated code. You may need to understand the malicious script a little bit to determine where the results will end up at.

The other challenge is to pause the page load so you can get to the deobfuscated script before a malicious redirect occurs and overwrites the variables.

Google Chrome Developer Tools
Chrome has a debugger and an array of other tools built right in. Chrome was quickly able to tackle all three scripts and produce the deobfuscated scripts. This tool is arguably the most robust and flexible of them all. You may need to read through the scripts to find out which variables to look out for.

Apple’s Safari has a very similar developer tool (in terms of function and look) which is why I opted not to test it separately.

Javascript Deobfuscator (FF plugin)
This plugin captures the scripts in its own window as Firefox executes them. This tool was the easiest to use because all you need to do is run this plug-in and hit the page with Javascripts on them. It was able to handle all three scripts without any user interaction (though it didn’t fully decrypt the second sample — only the URL was displayed).

I did encounter some sluggishness and lock ups after processing multiple scripts but restarting Firefox fixed the problem.

JSDebug
This is actually an external Javascript file you need to reference in the script you are analyzing. A separate popup shows what the eval caught. It’s a clever concept but it wasn’t able to deobfuscate all three scripts. I gave it a “partial” on the third script since it only deobfuscated the first of two evals.

Malzilla
Malzilla is a great program which gives you a lot of flexibility, options, and toolkits to help you deobfuscate Javascript. Malzilla experts can leverage this tool to crack very difficult scripts but I was only interested in getting quick access to the deobfuscated script and not have to fiddle with the options.

On the last script, only one of the two layers were decrypted. You could do some cutting and pasting at that point but I wanted simple and easy.

Microsoft IE8 Developer Tools
This tool is fairly easy to use but there needs to be some understanding of the script you are working with in order to find the best place to insert breakpoints. The DOM script was only partially deobfuscated.

Microsoft Script Debugger
While not as flexible and powerful as IE8 Developer Tools, I did get the same results. And had the same challenge of finding where to place the breakpoints.

Rhino
This is a Java-based debugger that allows you to insert breakpoints to catch the deobfuscated values in the variables. As a result, you need to know a little something about the script you are trying to analyze.

SpiderMonkey + V8
SpiderMonkey for Windows works great on simple scripts, however, two of the scripts were too much. I also used Google’s V8 Javascript Engine as the backend which my colleague from KahuSecurity compiled for Windows. I ended up getting the same results.

In case you are interested, I included an external JS file which contains a one-liner seen below. This helps me to deobfuscate what I can (I still need to work on a method to take on DOM-based scripts). You can also just copy/paste this line to the top of the script you are trying to deobfuscate with SpiderMonkey or V8.

function eval(zyxyz){print(zyxyz);}document={write:print};window={write:print};

The Mina
Mina appeared to have deobfuscated two of the three scripts but since the output is limited to exactly 1,000 bytes, the results were truncated.

This tool has a lot of potential. If the startup time was reduced and the output size increased, this would be on par with IE8 Developer Tools and Script Debugger in terms of results but easier to use because you don’t have to worry about breakpoints. The C++ source code is available so if anyone wants to make a new version, I’d love to do more testing.

Here are the final results:

The results are hardly conclusive since the sample was just too small but it should give you some idea of which tools you might want to consider playing with or testing further. There probably won’t be a perfect tool that can deobfuscate everything ever created but there may be a couple of tools that work well enough in certain cases to help you with your analysis.

One other thing to consider is that some very tough obfuscated scripts can be cracked by many of these tools when in the hands of a skilled analyst. You might need to spend a lot of time with the tool to get the results you want.

Post Script
A few thoughts about this experiment…

It seems that multi-layer evals and DOM-based scripts are not easy to deobfuscate. Chrome and Firebug were the only tools that properly deobfuscated all three samples. The other Firefox plug-in, Javascript Deobfuscator, and the Microsoft debuggers were all tied at a close second.

A few of these tools require some knowledge of the script. You can’t blindly sprinkle breakpoints everywhere and hope for the best. In some cases, you will need to look for the deobfuscated code in the tool’s interface so your knowledge of the script will help you find the variables.

Most of these tools work only with a specific browser. If the script detects the browser or uses a non-standard function then your results will vary.

Debuggers, Firefox plug-ins, etc will execute potentially malicious scripts on your PC so be careful! You might want to think about disabling your network connection to prevent unwanted redirection and use a VM without Java, Flash, and Acrobat installed.

Finally, be on the look out for anti-debugging code such as the following example. This script will not give you a response if you step through the code. Of course they won’t be written this plainly and there’s dozens of different possibilities and methods.

var a = new Date().getTime();
var b = "%68%65%6C%6C%6F";
var c = new Date().getTime();
if(a==c) {
alert(unescape(b));
}

This entry was posted in Malscript, Tools and tagged , . Bookmark the permalink.