7 Jan, 2019

Decoding Obfuscated JavaScript Using Google Chrome

Google Chrome's built-in developer tools give you everything you need to undo obfuscated JavaScript. If you run into some JavaScript which you think may be malicious, they can help you decipher it.
The use of JavaScript malware has grown steadily over the years, with about 50 million incidents estimated for 2018 and 32,740 web pages with malicious JavaScript detected by our public web scanners last month.
It takes advantage of browser bugs, especially in browsers that haven't been updated recently. It engages in tricks to make users accept something which they shouldn't. An infection which hits a popular site can affect a large number of clients in a short time.
What JavaScript Obfuscation Does
Malware distributors try to disguise their intentions. If a function plainly connects to a known criminal site, anti-malware software won't have a hard time catching it. For this reason, malicious JavaScript is usually obfuscated. In other words, the distributor performs various changes on the code to make it hard for both humans and machines to understand. Machines can still run it without problems, but it's hard for them to analyze it. Hard, but not impossible.

Obfuscation falls into several categories:

  • Semantic obfuscation uses meaningless names for functions and variables. The code runs the same whether a variable is called "Filename" or "x80," but the latter makes it harder to tell what it's doing.
  • Convoluted code structures, such as excessively complicated tests and illogical factoring, likewise impede understanding. They also make the code more prone to bugs.
  • Encoding tricks make the code virtually unreadable. They include concatenating strings from decimal character codes, using base64 encoding, and splitting of strings. Some code uses custom obfuscation and de-obfuscation functions.
Obfuscation isn't the same as minification. Minifying code uses some of the same techniques, but its object is to make the code as small as possible, so it will load faster. "Beautifying" tools make minified code more readable, though it's likely to have short, meaningless functions and variable names even after beautifying. Minified code is usually legitimate.

We have found that many site owners insist their site isn't infected, even after ThreatSign determines that it is. They think it's a false positive. However, when we ran a manual analysis, we found that their sites were in fact infected. The malicious code was in an unreadable form that made the problem hard to spot. Obfuscated malicious JavaScript isn't easy to detect, and it's even harder to understand.
De-Obfuscating Code with Google Chrome
Google Chrome's built-in developer tools give you everything you need to undo some kinds of obfuscation. If you run into some JavaScript which you think may be malicious, they can help you decipher it. Here's a quick explanation of what you have to do.

WARNING: Playing with potentially harmful code is dangerous! Be sure to follow every step in order. For maximum safety, run the procedure on a quarantined computer, disconnected from the Internet, running a temporary virtual machine. This explanation assumes you have some experience working with debuggers.

Step 1: Construct a safe test page. If you open an infected page, it may immediately run the malicious JavaScript. Extract a function definition which you're suspicious of, and paste it as a script into a test page. Include only function definitions, not any code that will run immediately on loading. The test page will include a button to run the function when you're ready. The example we're working with looks like this:
Step 2: Open DevTools. Launch Google Chrome, and open the test file. Next, open the DevTools console. On a Mac you do this with Command + Option + I. On Windows or Linux it's Control + Shift + I. This will open the Console panel.

Step 3: Click the Sources tab. You will see a directory of source files on the left, which in this case will consist just of the test file. In our example, it's called java.php, even though it's neither Java nor PHP. (Why not?) Find the test file and click on it. Click on {} to view the code properly.
Step 4: Set a breakpoint. Looking at the code, you can see it does something mysterious to define a variable called ptcf. It then calls eval(ptcf). That will run the variable that was just created as code, so that's where you want to set a breakpoint. Set it by clicking on the line with eval(ptcf). The code that you're testing will do something different, perhaps something harder to figure out. You may have to step through it and see what you have at each step.
Step 5: Start execution. Make sure you've set the breakpoint! Then click the "Run it" button in the test page. The JavaScript function will run, stopping in the console before calling eval. Now in the right pane, you can see the variable ptcf. Hover over it to see its value. Argh! It's still encoded! This function was obfuscated twice over!
Step 6: Go down into the function. Click on the "Step into" (not "Step over"!) button, the one with the downward-pointing arrow, to go inside the second layer of encoding.
Step 7: Set another breakpoint. You're now looking at the function that was constructed on the fly. It sets a variable called sunigl from decimal character codes. Then it sets document.location.href to the value of sunigl. It's already clear what's happening. The code will force a redirect to some URL. But we've gone this far, so let's see what this URL is. Set a breakpoint at line 4, the one which will assign the document location. Then click the "Resume script execution" button (the right-pointing triangle) to continue to there. You now see that the value is: "https[:]//ad[.]suniglasses[.]com/ad[.]html". (Brackets have been added to avoid accidentally going there. Note the use of a lookalike domain name.)
If you aren’t running in isolation from the Internet, stop right there! If that were a real malware page, continuing would take you there.
Getting Ongoing Protection
That was a fair amount of work, wasn't it? If you don't know exactly where to look, you could spend a lot of time in the console analyzing suspicious code. It's good to have that option as part of your collection of tools. For ongoing protection of your site, though, you need something that's at work all the time, keeping JavaScript malware at bay.

Signing up for Quttera's monitoring and cleanup service will let you catch malware such as this before it does any harm to users. We have a variety of plans, including our state-of-the-art Website Firewall, which constantly adapts to newly discovered threats to websites. Together with the ThreatSign monitoring and malware removal service, it ensures a high level of protection for your site. You can enjoy greater peace of mind with thorough website protection.