Thursday, May 26, 2016


I'll be moving to a new position over the next few months, from intrusion analyst to penetration tester. As I make the transition to Red Team, I'll be posting articles and some of what I'm learning (but NetSec is ALWAYS learning something new) as well as Blue Team/intrusion analyst content.

Using Splunk To Monitor Tor

Great article by Xavier Mertens on the Internet Storm Center Handler Diaries about how to automate Splunk to keep track of Tor traffic. Article is here.

Tuesday, May 24, 2016

Heavy Obfuscation != Malicious

Malicious actors use obfuscation to evade detection, but programmers use it also for various reasons, like restricting reuse or bypassing ad blockers. Obfuscation should increase your attention to an alert, but it's not always indicative of hostile activity.

Here's an example.

IDS triggered on a rule for a common exploit kit, specifically on an eval statement. The code was:
(function(){var z="";var b="2866756e6374696f6e28297b66756e6374696f6e20682865297b7472797b636f6f6b696541727261793d5b5d3b666f722876617220623d2f5e5c733f696e6361705f7365735f2f2c643d646f63756d656e742e636f6f6b69652e73706c697428225c78336222292c633d303b633c642e6c656e6774683b632b2b296b65793d645b635d2e73756273747228302c645b635d2e696e6465784f6628225c7833642229292c76616c75653d645b635d2e73756273747228645b635d2e696e6465784f6628225c78336422292b312c645b635d2e6c656e677468292c622e74657374286b657929262628636f6f6b696541727261795b636f6f6b696541727261792e6c656e6774685d3d76616c7565293b636f6f6b6965733d636f6f6b696541727261793b646967657374733d417272617928636f6f6b6965732e6c656e677468293b666f7228623d303b623c636f6f6b6965732e6c656e6774683b622b2b297b666f722876617220673d652b636f6f6b6965735b625d2c633d643d303b633c672e6c656e6774683b632b2b29642b3d672e63686172436f646541742863293b646967657374735b625d3d647d7265733d652b225c7832635c7836345c7836395c7836375c7836355

;for(var i=0;ieval(eval('String.fromCharCode('+z+')'));})();

Changing the eval to print, and running it through Rhino, we get this:

[jstebelton@bwyissrv05 ~]$ rhino 10
(function(){function h(e){try{cookieArray=[];for(var b=/^\s?incap_ses_/,d=document.cookie.split("\x3b"),c=0;cres;g=new Date;g.setTime(g.getTime()+2E4);document.cookie="\x5f\x5f\x5f\x75\x74\x6d\x76\x63\x3d"+e+("\x3b\x20\x65\x78\x70\x69\x72\x65\x73\x3d"+g.toGMTString())+"\x3b\x20\x70\x61\x74\x68\x3d\x2f"}function l(e){for(var b=[],d=0;d"\x3d"+k)}break;case "\x76\x61\x6c\x75\x65":try{b[b.length]=encodeURIComponent(c+"\x3d"+eval(c).toString())}catch(h){b[b.length]=encodeURIComponent(c+"\x3d"+h)}break;case "\x70\x6c\x75\x67\x69\x6e\x73":try{p=navigator.plugins;pres="";for(a in p)pres+=(p[a].description+"\x20").substring(0,20);b[b.length]=encodeURIComponent("\x70\x6c\x75\x67\x69\x6e\x73\x3d"+pres)}catch(l){b[b.length]=encodeURIComponent("\x70\x6c\x75\x67\x69\x6e\x73\x3d"+l)}break;case "\x70\x6c\x75\x67\x69\x6e":try{for(i in a=navigator.plugins,a)if(f=a[i].filename.split("\x2e"),2==f.length){b[b.length]=encodeURIComponent("\x70\x6c\x75\x67\x69\x6e\x3d"+f[1]);break}}catch(m){b[b.length]=
encodeURIComponent("\x70\x6c\x75\x67\x69\x6e\x3d"+m)}}}return b=b.join()}var m=[["\x6e\x61\x76\x69\x67\x61\x74\x6f\x72","\x65\x78\x69\x73\x74\x73\x5f\x62\x6f\x6f\x6c\x65\x61\x6e"],["\x6e\x61\x76\x69\x67\x61\x74\x6f\x72\x2e\x76\x65\x6e\x64\x6f\x72","\x76\x61\x6c\x75\x65"],["\x6f\x70\x65\x72\x61","\x65\x78\x69\x73\x74\x73\x5f\x62\x6f\x6f\x6c\x65\x61\x6e"],["\x41\x63\x74\x69\x76\x65\x58\x4f\x62\x6a\x65\x63\x74","\x65\x78\x69\x73\x74\x73\x5f\x62\x6f\x6f\x6c\x65\x61\x6e"],["\x6e\x61\x76\x69\x67\x61\x74\x6f\x72\x2e\x61\x70\x70\x4e\x61\x6d\x65","\x76\x61\x6c\x75\x65"],["\x70\x6c\x61\x74\x66\x6f\x72\x6d","\x70\x6c\x75\x67\x69\x6e"],["\x77\x65\x62\x6b\x69\x74\x55\x52\x4c","\x65\x78\x69\x73\x74\x73\x5f\x62\x6f\x6f\x6c\x65\x61\x6e"],["\x6e\x61\x76\x69\x67\x61\x74\x6f\x72\x2e\x70\x6c\x75\x67\x69\x6e\x73\x2e\x6c\x65\x6e\x67\x74\x68\x3d\x3d\x30","\x76\x61\x6c\x75\x65"],["\x5f\x70\x68\x61\x6e\x74\x6f\x6d","\x65\x78\x69\x73\x74\x73\x5f\x62\x6f\x6f\x6c\x65\x61\x6e"]];try{h(l(m)),document.createElement("\x69\x6d\x67").src="\x2f\x5f\x49\x6e\x63\x61\x70\x73\x75\x6c\x61\x5f\x52\x65\x73\x6f\x75\x72\x63\x65\x3f\x53\x57\x4b\x4d\x54\x46\x53\x52\x3d\x31\x26\x65\x3d"+Math.random()}catch(n){img=document.createElement("\x69\x6d\x67"),img.src="\x2f\x5f\x49\x6e\x63\x61\x70\x73\x75\x6c\x61\x5f\x52\x65\x73\x6f\x75\x72\x63\x65\x3f\x53\x57\x4b\x4d\x54\x46\x53\x52\x3d\x31\x26\x65\x3d"+

We have hex encoding as the output of the function, so we can use a hex decoder to get the final output:

encodeURIComponent("plugin="+m)}}}return b=b.join()}var m=[["navigator","exists_boolean"],["navigator.vendor","value"],["opera","exists_boolean"],["ActiveXObject","exists_boolean"],["navigator.appName","value"],["platform","plugin"],["webkitURL","exists_boolean"],["navigator.plugins.length==0","value"],["_phantom","exists_boolean"]];try{h(l(m)),document.createElement("img").src="/_Incapsula_Resource?SWKMTFSR=1&e="+Math.random()}catch(n){img=document.createElement("img"),img.src="/_Incapsula_Resource?SWKMTFSR=1&e="+

Incapsula is a DDoS protection security vendor.

Tuesday, May 10, 2016

Excellent Manual Javascript Deobfuscation Walk through

Security Researcher Aditya K Sood posted an excellent walk through of manual Javascript Obfuscation on his log, Malware At Stake (

Saturday, April 7, 2012

JavaScript Obfuscation - Manual Armor (1)

Recently, we came across a similar set of obfuscated JavaScripts that are being used continuously in conjunction with automate Browser Exploits Packs (BEPs) such as BlackHole etc. There are several variations of this type of obfuscated JavaScript. Our team prefer to do obfuscation manually because sometimes automated tools are not good enough to perform the deobfuscation. In this post, we are going to discuss about the methodology that  we prefer to follow at SecNiche labs. Let's take a look at the obfuscated JavaScript shown below

The methodology  goes like this:

Step1: Beautify Your JavaScript: 
The very first (basic) step is to beautify the obfuscated JavaScript. For analysis perspective, beautifying the
code such as appropriate indentation makes it very easy to decipher the initial structures in the JavaScript. 
Always do this step before proceeding further.

Step 2: Divide and Rule
This strategy works perfectly fine while analyzing obfuscated JavaScripts. The motive behind this step is to a
analyze the code in small snippet for better grasp.

Applying step 1 and step 2 to the given JavaScript code,  we get part 1 of the code as follows

and part 2 of the code as follows

In part 2, to interpret the given code as single string , one has to use characters ["" +]. Even for doing 
automated analysis, these parameters are required to be tuned so that appropriate interpretation of the string 
can be done. Check the string passed to variable "n".

Step 3: Extract the Logic 
On the modular code (divided code snippets), try to apply the logic step by step (top to bottom). When we
compute the value of "h" we get : h=-2*Math.log(Math.E);   //     h = -2      //

The next logic is to compute the value of "n" first. We have the n="[string]".split("a"), which means we have 
to split the string. By default, split function actually dissects the string n by a delimiter ",". We tweak the code
a bit as presented below:

On executing this code in JavaScript interpreter we get the output as follows,

At this point, we successfully unwraps some part of code by having the value of h and n. Now, we have to 
dissect the loop present in the part 2 as follows

for(i=0;-n.length<-i br="" i="">        {


To compute the code finally, we need to unwrap the logic used in the loop. Step 4 involves the automation of 
the code.

Step4: Automating the Process - Python
In step 4, we need to automate the process to get the next value of the string. On understanding the logic, we
write a following python script to compute the loop

The code actually multiply the every single value by 2 and build up the new string. So, we are almost at the 
end. So we need to build up the final code as presented below

So here we have the final script as follows
A good methodology always  helps to attain the target.

Blog Archive