JSDetox




About

JSDetox is a tool to support the manual analysis of malicious JavaScript code.

This page describes the most important features. Please see the samples and screencasts to get a better impression.

Features

Although it uses the browser as its user interface, all analysis and execution of the JavaScript code is done in the backend. As with any tool that handles malicious, unknown code, you should consider installing JSDetox in an isolated environment. It is quite easy to install on most Linux distributions, so it should be easy to set up JSDetox inside a virtual machine.

Static analysis / deobfuscation

JSDetox does more than reformat or beautify code: it analyzes the code and precomputes the parts that are static.

Original Code

var x = 10 * 3 + 100 - 70 / 10;

Analysis Result

var x = 123;

Please see the samples page for much more complex examples.

HTML DOM emulation

In addition to "normal" obfuscation techniques, the latest JavaScript malware makes use of objects and functions that are only available in browsers, e.g. the "document" object.

JSDetox emulates parts of a browser, especially the document object (you can even import an HTML document that will be used for the emulation).
See the "HTML DOM emulation" or the "Analyzing the Blackhole exploit kit" screencasts for an example.

This feature makes it possible to handle code like this:

document.write('<div id="AU4Ae">212</div>');
var OoF2wUnZ = parseInt(document.getElementById("AU4Ae").innerHTML);
if(OoF2wUnZ == 212) {
  ...

Data Analysis

JSDetox can be used to analyze shellcode embedded in JavaScript malware. Most shellcode is stored in Unicode escape sequences like this:

%u4141%u4141%u8366%ufce4%uebfc ...

The data analysis part of JSDetox can be used to parse strings like these and extract the shellcode. The obtained shellcode can be viewed as a classic hexdump or as disassembled code.

Many shellcodes contain data (in most cases a URL to download the real malware) that is "encrypted" with a small XOR loop. The analysis function scans for these and shows possible matches.

Watch the Blackhole exploit kit screencast for an example.
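The two steps described above (unpacking %u sequences into bytes, then scanning for XOR-encoded data) can be sketched as follows. This is an added example for Node.js, not JSDetox's own code: the function names are hypothetical, and it assumes a single-byte XOR key and a URL that starts with "http".

```javascript
// Added example: decode %uXXXX data and look for XOR-encoded URLs inside it.

// unescape() turns %uXXXX into one UTF-16 code unit, which sits in memory
// little-endian, so %u4241 yields the bytes 0x41 0x42. Plain %XX is one byte.
function decodePercentU(text) {
  const bytes = [];
  for (const m of text.matchAll(/%u([0-9a-f]{4})|%([0-9a-f]{2})/gi)) {
    if (m[1] !== undefined) {
      const unit = parseInt(m[1], 16);
      bytes.push(unit & 0xff, unit >> 8);
    } else {
      bytes.push(parseInt(m[2], 16));
    }
  }
  return Buffer.from(bytes);
}

// Try each single-byte key: search for "http" XORed with that key, then decode
// forward until the first byte that is not printable ASCII.
function findXorUrls(buf) {
  const hits = [];
  for (let key = 1; key < 256; key++) {
    const needle = Buffer.from(Array.from(Buffer.from("http"), (b) => b ^ key));
    for (let at = buf.indexOf(needle); at !== -1; at = buf.indexOf(needle, at + 1)) {
      let url = "";
      for (let i = at; i < buf.length; i++) {
        const c = buf[i] ^ key;
        if (c < 0x21 || c > 0x7e) break;
        url += String.fromCharCode(c);
      }
      hits.push({ key, offset: at, url });
    }
  }
  return hits;
}

// Constructed sample, not real shellcode: four filler bytes followed by a
// placeholder URL XORed with the made-up key 0x5a, re-encoded as %uXXXX.
function buildSample() {
  const url = Array.from(Buffer.from("http://example.invalid/payload\0\0"), (b) => b ^ 0x5a);
  const raw = Buffer.from([0x41, 0x41, 0x41, 0x41, ...url]);
  let text = "";
  for (let i = 0; i < raw.length; i += 2) {
    text += "%u" + raw.readUInt16LE(i).toString(16).padStart(4, "0");
  }
  return text;
}

console.log(findXorUrls(decodePercentU(buildSample())));
```

A short marker such as "http" can match by chance in larger buffers, so each hit is a candidate to review rather than a confirmed URL.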