Malicious JavaScript – tricks and traps

Malicious JavaScript

Along with my fellow Sophos bloggers, I’m currently attending VB2010, this year’s Virus Bulletin conference, in sunny (honestly!) Vancouver, BC.

My first trip to Vancouver was in 1999, the first time VB took place in the Pacific North West. (It was raining.)

Script-based malware was a big deal back then – Microsoft Office viruses were still an enormous problem, despite already being in decline. And malware was almost always written as a crime in its own right, rather than as a vehicle to commit further cybercrimes, as it is today.

Script malware is back. These days, of course, the most common malicious scripts are in JavaScript, the programming language of Web 2.0, not in Visual Basic for Applications (VBA), the programming language of Microsoft Office.

I’ve just listened to my friend and colleague Paul Baccas of SophosLabs UK talk about speeding up the handling of exploits embedded in PDF files (such exploits almost always rely on JavaScript), and to Rajesh Mony of Webroot talking about ways to boost throughput in scanning scripts embedded in web pages.

You might imagine that JavaScript malware should be easier to deal with than executable malware, since the former always travels in source code form, which humans are supposed to be able to read and understand with comparative ease. The latter, on the other hand, is compiled from human-readable source into pure machine code, intended to be efficient on the CPU, not readable to humans.

Don’t believe it. Acceleration of malicious script handling is of great importance, because script malware can be very tough to detect efficiently. JavaScript source code can be made almost illegible through a range of scrambling and obfuscation tricks.

Learn more about this thorny problem, and how it can be addressed, on the Sophos SecurityHub, where SophosLabs researcher Fraser Howard has just published a fascinating paper entitled Malware with your Mocha? Obfuscation and antiemulation tricks in malicious JavaScript.