Malicious JavaScript – tricks and traps

Filed Under: Malware, Spam

Along with my fellow Sophos bloggers, I'm currently attending VB2010, this year's Virus Bulletin conference, in sunny (honestly!) Vancouver, BC.

My first trip to Vancouver was in 1999, the first time VB took place in the Pacific North West. (It was raining.)

Script-based malware was a big deal back then – Microsoft Office viruses were still an enormous problem, despite already being in decline. And malware was almost always written as a crime in its own right, rather than as a vehicle to commit further cybercrimes, as it is today.

Script malware is back. These days, of course, the most common malicious scripts are in JavaScript, the programming language of Web 2.0, not in Visual Basic for Applications (VBA), the programming language of Microsoft Office.

I've just listened to my friend and colleague Paul Baccas of SophosLabs UK talk about speeding up the handling of exploits embedded in PDF files (such exploits almost always rely on JavaScript), and to Rajesh Mony of Webroot talking about ways to boost throughput in scanning scripts embedded in web pages.

You might imagine that JavaScript malware should be easier to deal with than executable malware, since the former always travels in source code form, which humans are supposed to be able to read and understand with comparative ease. The latter, on the other hand, is compiled from human-readable source into pure machine code, intended to be efficient on the CPU, not readable to humans.

Don't believe it. Acceleration of malicious script handling is of great importance, because script malware can be very tough to detect efficiently. JavaScript source code can be made almost illegible through a range of scrambling and obfuscation tricks.

Learn more about this thorny problem, and how it can be addressed, on the Sophos SecurityHub, where SophosLabs researcher Fraser Howard has just published a fascinating paper entitled "Malware with your Mocha? Obfuscation and antiemulation tricks in malicious JavaScript".


One Response to Malicious JavaScript – tricks and traps

  1. Simply an awesome way of explanation


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog