Obfuscating Scripts
First Published: X-Force Monthly Magazine

In recent years there has been a marked shift in the number of attacks that have centered upon compromise of the desktop through web browser vulnerabilities.  The attacks typically rely upon the user navigating to a website or, more often, a specially constructed web page which has been designed to exploit a vulnerability within the web browser or any plug-ins it may have installed.

Web browser vulnerabilities have been increasing each year and, due to the browser's relative sophistication and tight integration with other applications, are likely to become more important as a source of system compromise for the next couple of years.  We’ve already observed numerous 0-day vulnerabilities in Microsoft’s Internet Explorer and Mozilla’s Firefox since the beginning of the year, and there have been numerous plug-in vulnerabilities such as Apple’s Quicktime and Real’s RealPlayer which are easily exploitable via the browser using code embedded within the page's HTML.

In most cases these vulnerabilities have been discovered using fuzzers which use an automatic trial and error method of changing variables within the HTML page until they identify a bug that causes the browser or plug-in to misbehave.  The advantages of using fuzzers are that they require marginal development skills and, once a vulnerability has been identified, the discoverer already has the ‘proof-of-concept’ exploit code.

Since exploitation of the vulnerabilities is relatively easy, the most difficult problem facing the attacker is persuading users to browse to their infected web site or page.  The traditional vectors such as spam emails and seeded URLs in popular web forums or bulletin boards are still as popular as ever and are still fooling many potential victims.  However, the attackers are getting more ingenious in where they place their exploit code and which exploit they choose to use.

One trend has been for the attackers to embed multiple exploits within a single scripted web page which automatically identifies the web browser being used and cycles through the different exploits until it finds one that works, and then installs a bot or piece of spyware.  Some of these pages contain over 20 different exploits.

To increase the number of potential victims, there has also been a tendency towards using HTML page content that is automatically embedded within lots of websites such as web banners and page hit counters.  Several popular hit counters have already been identified as containing embedded attacks.

To protect against these vulnerabilities, the majority of defensive mechanisms have focused on regular expression matching to identify exploit code embedded within the HTML page.  In fact most traditional anti-virus signature-based engines have been fairly successful in stopping well-known exploit material once it propagates around the Internet – assuming that users keep it up to date.

Unfortunately, the latest advances in web browser attacks have included the adoption of scripting languages to purposefully obfuscate the attack and thereby bypass these traditional defenses.  In these attacks the attacker takes the exploit code and encodes it in such a way that it is only after the web browser has executed an embedded script that the real exploit is dynamically built and subsequently executed to compromise the host.  By doing it this way the attacker can use a near infinite number of permutations for encoding, and thereby obfuscating, their attack – easily bypassing signature engines.

To defeat these obfuscated attacks, more sophisticated defensive technologies must exist on the host itself.  Core defensive technologies include those that provide a true virtualization of the scripting language (so that the code can be executed in a ‘safe’ environment and its behaviors monitored), heuristics engines capable of identifying shellcode or probable binary content embedded within an HTML page (so that the exploit payload can be identified) and, as a last resort, memory monitoring applications or stack canaries capable of identifying and stopping any buffer overflow exploits currently in progress.
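The two paragraphs above describe the decode-then-execute pattern and the kind of heuristics engine that looks for it on the host. The following is an added example written for this article, not IBM ISS or X-Force code: it pulls the script blocks out of a page and flags an eval() fed by a decoder call, a high density of %-escapes, a run of repeated 0x90 (NOP) bytes as probable binary content, and long high-entropy string literals. The sample pages, the finding names and every threshold are constructed for the illustration; the "suspect" page's encoded string decodes to a harmless document.title assignment.

```python
"""Heuristic scanner for obfuscated <script> blocks (illustrative thresholds)."""
import math
import re

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
# JavaScript-style escapes: %uXXXX (UTF-16 unit) or %XX (one byte)
ESCAPE_RE = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")
STRING_LITERAL_RE = re.compile(r'"([^"\\]*)"|\'([^\'\\]*)\'')
# eval() whose argument is produced by a decoder: the decode-then-execute pattern
DECODE_EXEC_RE = re.compile(
    r"\beval\s*\(\s*(?:unescape|decodeURIComponent|String\.fromCharCode)\s*\("
)
# Three or more consecutive 0x9090 words: a classic sign of binary padding
NOP_RUN_RE = re.compile(r"(?:%u9090){3,}")

# Constructed thresholds, chosen for the demo rather than tuned on real traffic
ESCAPE_THRESHOLD = 16
LITERAL_MIN_LEN = 40
ENTROPY_THRESHOLD = 4.5


def shannon_entropy(text):
    """Bits per character of a string (0.0 for an empty string)."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def decode_escapes(text):
    """Mirror JavaScript's unescape(): %uXXXX -> U+XXXX, %XX -> chr(0xXX)."""
    return ESCAPE_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), text)


def extract_scripts(html):
    """Return the body of every <script> element in the page."""
    return [m.group(1) for m in SCRIPT_RE.finditer(html)]


def scan_script(script):
    """Return (finding, detail) tuples for one script body."""
    findings = []
    if DECODE_EXEC_RE.search(script):
        findings.append(("decode-then-execute", "eval() fed by a decoder call"))
    escapes = ESCAPE_RE.findall(script)
    if len(escapes) >= ESCAPE_THRESHOLD:
        findings.append(("escape-density", "%d %%-escapes" % len(escapes)))
    if NOP_RUN_RE.search(script):
        findings.append(("nop-run", "repeated %u9090 (0x90 NOP bytes)"))
    for m in STRING_LITERAL_RE.finditer(script):
        literal = m.group(1) if m.group(1) is not None else m.group(2)
        if len(literal) >= LITERAL_MIN_LEN:
            bits = shannon_entropy(literal)
            if bits > ENTROPY_THRESHOLD:
                findings.append(("high-entropy-literal", "%.2f bits/char" % bits))
                break
    return findings


def scan_page(html):
    """Aggregate findings over every script block in the page."""
    findings = []
    for script in extract_scripts(html):
        findings.extend(scan_script(script))
    return findings


def is_suspicious(html):
    return bool(scan_page(html))


# Constructed sample pages (not taken from any real site or the article)
BENIGN_PAGE = """<html><body><script>
function greet(name) { document.title = "Hello, " + name; }
greet("reader");
</script></body></html>"""

# Encoded string decodes to: document.title='x'  (harmless on purpose)
SUSPECT_PAGE = """<html><body><script>
var s = unescape("%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u9090%u9090%u9090%u9090");
var t = "";
eval(unescape("%64%6f%63%75%6d%65%6e%74%2e%74%69%74%6c%65%3d%27%78%27"));
</script></body></html>"""

# 64 distinct characters, each once: entropy of exactly 6.0 bits/char
HIGH_ENTROPY_PAGE = ('<script>var k = "ABCDEFGHIJKLMNOPQRSTUVWXYZ'
                     'abcdefghijklmnopqrstuvwxyz0123456789+/";</script>')

if __name__ == "__main__":
    for label, page in (("benign", BENIGN_PAGE), ("suspect", SUSPECT_PAGE),
                        ("high-entropy", HIGH_ENTROPY_PAGE)):
        print(label, scan_page(page))
```

Each check on its own is easy to evade (the text's point about near-infinite encodings applies to the detector as much as to signatures), which is why the article pairs such heuristics with a scripting sandbox and memory monitoring rather than relying on any one of them; a real engine would also run the heuristics again over `decode_escapes()` output, since the first decoding layer often hides a second.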

Given the frequency at which web browser or plug-in vulnerabilities are being discovered and the relative ease with which it is possible to exploit or obfuscate them, it is unlikely that exploitation will decrease anytime soon.  If you’re ever likely to browse dodgy or even mildly suspicious web sites, now would be a good time to double check your host-based defenses.

    Copyright 2001-2007 © Gunter Ollmann