SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc by Lost at 9:40 pm EDT, Apr 9, 2008
When we got contacted by ISC reader Greg in Hungary, whose web server had been hacked and adorned with a couple of obfuscated JavaScript files, we expected a variant of the "nmidahena" injection and a closed case. JavaScript is an interpreted language, and while the obfuscation attempts we see are getting more creative, the scripts can usually still be coerced quite easily into divulging their secrets. ISC handler Lenny Zeltser teaches the SANS course on malware analysis, and ISC handler Bojan Zdrnja wrote the portion on JavaScript analysis for that course, so we are usually able to make short work of bad stuff. Not so this time. This one was something new.
RE: SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc by Vile at 12:29 am EDT, Apr 11, 2008
Jello wrote: When we got contacted by ISC reader Greg in Hungary, whose web server had been hacked and adorned with a couple of obfuscated JavaScript files, we expected a variant of the "nmidahena" injection and a closed case. JavaScript is an interpreted language, and while the obfuscation attempts we see are getting more creative, the scripts can usually still be coerced quite easily into divulging their secrets. ISC handler Lenny Zeltser teaches the SANS course on malware analysis, and ISC handler Bojan Zdrnja wrote the portion on JavaScript analysis for that course, so we are usually able to make short work of bad stuff. Not so this time. This one was something new.
I have to read a lot in life. You know, signs and shit, but I must tell you that this post is of utmost importance to a select few that speak this techie jargon like a snake-chunk spitting mongoose telling you about the price of eggs. You son of a bitch. How dare you care about this sort of shit while the Earth warms up like a pressure cooker! We'll all be in this together. WE gotta stay on the point.
SANS Internet Storm Center - Advanced obfuscated JavaScript analysis by Worthersee at 7:08 pm EDT, Apr 9, 2008
When we got contacted by ISC reader Greg in Hungary, whose web server had been hacked and adorned with a couple of obfuscated JavaScript files, we expected a variant of the "nmidahena" injection and a closed case. JavaScript is an interpreted language, and while the obfuscation attempts we see are getting more creative, the scripts can usually still be coerced quite easily into divulging their secrets. ISC handler Lenny Zeltser teaches the SANS course on malware analysis, and ISC handler Bojan Zdrnja wrote the portion on JavaScript analysis for that course, so we are usually able to make short work of bad stuff.
Cool example of self-defending JavaScript malware.