Malware, but only for a second in a day

Malware authors and software-protectionists alike go to great lengths to obfuscate and contort their code in an attempt to hide or obscure its true nature [2]. The assumption is that neither human nor machine can readily make sense of the code, which extends analysis time and gives the bad guys a free run.

For the most part, such obfuscations (in particular JavaScript) are relatively easy to unravel because they are static transformations [3]. The more complex encrypted forms require some form of script emulator (or your browser of choice) and a skillfully inserted alert() instead of eval(). However, a new form akin to the one-time pad is now being deployed.

Script obfuscated and encrypted with contextual data

Such [quasi] one-time encryptors function by generating and encrypting the content on demand while at the same time choosing a key which is a function of the download environment, such as the referer or the last-modified time. When the script is rendered it has all the information necessary to decode correctly. However, when that script is later submitted by the customer for analysis, the environment it was rendered in is long gone, making the script nearly impossible to decode.

Thus examining the script on Friday 13th (13/11/2009) at 11:08:23 yields (poorly) decrypted content which does not render.

Script decoded with wrong key

Yet behold: on (every) 47th second of the 7th day of each month the script decodes correctly, revealing its secrets – here, deciding whether to serve a (quite likely malicious) PDF or Flash element.

Correctly decoded given context

Static offline analysis of such scripts is easily thwarted; however, any scanning engine which has access to the HTTP data stream should be able to cope, since it has all the relevant contextual data required at the time of rendering.

Brute-forcing aside, the only real way to tackle this problem is to use “just in time” detection (otherwise known as on-access scanning); failing that, NoScript remains your best protection.
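To make the mechanism concrete, here is an added example (not code from this post or from any real sample): a toy script whose XOR key is derived from the second of the minute and the day of the month, mirroring the 7th-day/47th-second case above, plus an analyst's harness that replays the decode under a captured context or, when the HTTP context was lost, enumerates the small key space. The payload, the "SSDD" key schedule and the decoded `serve()` call are all constructed for illustration.

```javascript
// Added example, not from the original post: an analyst's replay harness for
// a context-keyed script. The toy key schedule uses the second of the minute
// and the day of the month (real samples also use Referer or Last-Modified).
// Constructed sample: the plaintext `serve("p.pdf");` XOR-encoded under the
// key "4707" (second 47, day 07). Any other context yields garbage.
const SAMPLE_PAYLOAD_HEX = "47524241511f12471a475451161e0b";
const pad2 = (n) => String(n).padStart(2, "0");

// Key schedule of the toy script: "SSDD" taken from the supplied clock.
function deriveKey(ctx) {
  return pad2(ctx.date.getSeconds()) + pad2(ctx.date.getDate());
}

// Repeating-key XOR over a hex string; symmetric, so it also encodes.
function xorHex(hex, key) {
  let out = "";
  for (let i = 0; i < hex.length; i += 2) {
    const b = parseInt(hex.slice(i, i + 2), 16);
    out += String.fromCharCode(b ^ key.charCodeAt((i / 2) % key.length));
  }
  return out;
}

// A correct key yields printable text that parses as JavaScript. `new Function`
// compiles the body without running it: the stand-in for alert() over eval().
function looksLikeScript(text) {
  if (!/^[\x20-\x7e\r\n\t]*$/.test(text)) return false;
  try { new Function(text); return true; } catch (e) { return false; }
}

// Decode under a captured (or hypothesised) context, not the analyst's clock.
function replayDecode(payloadHex, ctx) {
  const key = deriveKey(ctx);
  const text = xorHex(payloadHex, key);
  return { key, text, valid: looksLikeScript(text) };
}

// Without the captured HTTP context this scheme's key space is only 60 * 31
// combinations, so enumerate it rather than wait for the 7th of the month.
function findContexts(payloadHex) {
  const hits = [];
  for (let day = 1; day <= 31; day++) {
    for (let sec = 0; sec < 60; sec++) {
      const r = replayDecode(payloadHex, { date: new Date(2009, 0, day, 0, 0, sec) });
      if (r.valid) hits.push({ day, sec, text: r.text });
    }
  }
  return hits;
}
```

Enumeration returns every candidate that happens to parse, not just the true one, so the analyst still reviews the hits; replaying with the real Date, Referer and Last-Modified values captured from the HTTP stream avoids that ambiguity entirely.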