Thursday, January 8, 2015

De-Obfuscating Malicious Code encoded with JJEncode

Tools such as IDSs and browsers are getting better at picking up malicious JavaScript and other client-side code and blocking it or preventing it from running. Attackers have become accustomed to this and resort to obfuscating their malicious code, making it unreadable. This presents a problem because the tools cannot easily see into the obfuscated code (especially if it is randomized, or if it uses a new obfuscation method the tool doesn't know about).

One such method attackers use is jjencode. For example, you can encode code for free online here.

You could start with plain-text code like this:

alert('hello world');

and end up with disgusting-looking code like this (which performs the same task!):

$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"\""+$.$_$_+(![]+"")[$._$_]+$.$$$_+"\\"+$.__$+$.$$_+$._$_+$.__+"('\\"+$.__$+$.$_$+$.___+$.$$$_+(![]+"")[$._$_]+(![]+"")[$._$_]+$._$+"\\"+$.$__+$.___+"\\"+$.__$+$.$$_+$.$$$+$._$+"\\"+$.__$+$.$$_+$._$_+(![]+"")[$._$_]+$.$$_$+"');"+"\"")())();



If you are one of the good guys, this makes your job difficult because you can no longer read and understand the code with the naked eye; you have to de-obfuscate it first.

One way to do so for jjencode is to get the jjdecoder Python library from GitHub.

Then save the obfuscated, disgusting-looking JavaScript to a file such as 'input.js' and run the following command:

C:\Python27>python.exe jjdecoder_test.py input.js

and boom, it outputs the cleaner, easier-to-read code.
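As an added example (my own code, not part of the original post and not the jjdecoder library), the script below does the same job statically: it rebuilds the string that jjencode hands to Function() from the fixed bootstrap table and the payload tokens, so nothing in the sample is ever executed and it can be run on untrusted input. It assumes the standard jjencode layout (the `$=~[];` bootstrap, property names made of `$` and `_`, and the `Function(Function("return\"...\"")())()` wrapper); the names jjdecode, js_unescape, PROPS and SAMPLE are mine, and SAMPLE is the post's hello-world blob.

```python
import re

# Values fixed by the jjencode bootstrap ("$=~[];$={___:++$,...}"): digits 0-9, hex letters a-f,
# o/t/u taken from "[object Object]"/"true"/"undefined"; "$$" and "$_" become "return"/"constructor".
PROPS = {"___": "0", "__$": "1", "_$_": "2", "_$$": "3", "$__": "4", "$_$": "5",
         "$$_": "6", "$$$": "7", "$___": "8", "$__$": "9", "$_$_": "a", "$_$$": "b",
         "$$__": "c", "$$_$": "d", "$$$_": "e", "$$$$": "f", "_$": "o", "__": "t",
         "_": "u", "$$": "return", "$_": "constructor"}
COERCED = {"![]": "false", '!""': "true", "{}": "[object Object]"}  # ($[$]+"") gives "undefined"
# JS string escapes: \uHHHH, \xHH, legacy octal with the engine's digit-count rule, or one char.
ESC = re.compile(r'\\(u[0-9a-fA-F]{4}|x[0-9a-fA-F]{2}|[0-3][0-7]{0,2}|[4-7][0-7]?|.)', re.S)
CTRL = {"n": "\n", "r": "\r", "t": "\t", "b": "\b", "f": "\f", "v": "\v"}

def js_unescape(literal):
    # Resolve escapes the way a JS engine does when it parses a string literal.
    def one(m):
        e = m.group(1)
        if e[0] in "ux" and len(e) > 1:
            return chr(int(e[1:], 16))
        return chr(int(e, 8)) if e[0] in "01234567" else CTRL.get(e, e)
    return ESC.sub(one, literal)

def jjdecode(encoded):
    # Statically rebuild the string jjencode hands to Function(); nothing is executed.
    gv = re.match(r"\s*(.+?)=~\[\];", encoded).group(1)  # global name chosen at encode time
    start = f'{gv}.$({gv}.$({gv}.$$+"\\""+'  # Function(Function("return\"" + ...
    stop = '+"\\"")())();'                   # ... + "\"")())();
    a, b = encoded.find(start), encoded.rfind(stop)
    if a < 0 or b < 0:
        raise ValueError("jjencode payload wrapper not found")
    pattern = (r'"((?:[^"\\]|\\.)*)"'                               # JS string literal
               r'|\((!\[\]|!""|\{\}|GV\[GV\])\+""\)\[GV\.([_$]+)\]'  # (primitive+"")[GV.x]
               r'|GV\.([_$]+)|\+')                                    # GV.x, or the joining +
    token = re.compile(pattern.replace("GV", re.escape(gv)))
    inner, pos, payload = [], 0, encoded[a + len(start):b]
    while pos < len(payload):
        m = token.match(payload, pos)
        if not m:
            raise ValueError(f"unrecognised token at offset {pos}: {payload[pos:pos + 20]!r}")
        lit, prim, idx, prop = m.groups()
        if lit is not None:
            inner.append(js_unescape(lit))
        elif prim is not None:
            inner.append(COERCED.get(prim, "undefined")[int(PROPS[idx])])
        elif prop is not None:
            inner.append(PROPS[prop])
        pos = m.end()
    return js_unescape("".join(inner))  # second pass: the body of the 'return"..."' literal

# The post's own hello-world sample, used as the input when this file is run or tested.
SAMPLE = r'''$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"\""+$.$_$_+(![]+"")[$._$_]+$.$$$_+"\\"+$.__$+$.$$_+$._$_+$.__+"('\\"+$.__$+$.$_$+$.___+$.$$$_+(![]+"")[$._$_]+(![]+"")[$._$_]+$._$+"\\"+$.$__+$.___+"\\"+$.__$+$.$$_+$.$$$+$._$+"\\"+$.__$+$.$$_+$._$_+(![]+"")[$._$_]+$.$$_$+"');"+"\"")())();'''
```

Calling jjdecode(SAMPLE) returns alert('hello world'); the two unescape passes matter because the blob first builds a JS string literal (level one) whose contents are themselves octal and \u escapes (level two), and the octal rule is the engine's own, so "\40" followed by a literal digit stays a space plus the digit.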

Good luck!

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.
