Circumventing Antivirus Javascript Detection

• 2010-02-13
• javascript  
• antivirus  
• metasploit  

Some browser-based exploits using javascript are detected by antivirus engines as they often use special strings that are easy to identify, e.g. ActiveX CLSIDs or “unescape(‘%u0c0c%u0c0c’)”.

Quite often, very advanced techniques like changing

"clsid:0955AC62-BF2E-4CBA-A2B9-A63F772D46CF"

into

"\\x63\\x6c\\x73\\x69\\x64\\x3a\\x30\\x39\\x35\\x35\\x41\\x43\\x36\\x32\\x2d\\x42\\x46\\x32\\x45\\x2d\\x34\\x43\\x42\\x41\\x2d\\x41\\x32\\x42\\x39\\x2d\\x41\\x36\\x33\\x46\\x37\\x37\\x32\\x44\\x34\\x36\\x43\\x46"

already help to get past AV detection.

More general techniques include randomly named variables, xor-encoded strings and so on. They all have in common that they are detectable if the javascript emulation engine is just good enough, as everything needed for detection is still contained in the examined code.

Some time ago, I implemented a new approach which was integrated into the metasploit framework in combination with the msvidctl_mpeg2 exploit. The detection on virustotal.com dropped to zero. Seven months later, it is still undetected. The used encryption was now integrated into the ie_aurora exploit and again the detection dropped to zero.
As zero detection on virustotal.com does not mean that no AV product will catch the exploit in a live environment (the scanners on virustotal will perform mostly static analysis), I tested the aurora exploit against two installed AV products (I’ll better not name them) - with encryption, the exploit worked and was not detected anymore.

How it works
As said before, AV detection relies on the fact that the inspected javascript contains everything needed for the exploit. The new implementation also uses an xor-encryption, yet the key is not contained within the script.
The key used by the script is transferred as part of the URL, e.g.

  http://host/exploit.html?<key>

Whereas the javascript executed within the browser can access this part of the url without any problems, many AV products just access the html file stored as temporary file on the disk and therefore cannot access the key - leading to unencryptable javascript code (with the techniques currently used).

Links
Javascript encoder module and integration into the msvidctl_mpeg2 module:
http://www.metasploit.com/redmine/projects/framework/repository/revisions/6784

The patch for the ie_aurora exploit module can be found here:
http://github.com/svent/misc/tree/master/metasploit/