- Using eval and a self-referencing method (arguments.callee) in such a way that the results change if the code is changed during analysis
- Calculating a cipher key based on the code itself so any changes to the code, like changing an eval to a print, changes the cipher key.
- Checking for indications of tampering and analysis before building a URL to download the keylogger
Here is another case where dynamically generated code is what makes the trick possible, the same root cause that makes SQL injection possible when queries are assembled on the fly. The cipher key trick is reminiscent of using a hash to detect changes: nothing like having one of our own integrity-checking techniques turned against us. Checking for indications of tampering and analysis is the kind of technique you'd expect in more sophisticated polymorphic viruses to defeat behavior-based analysis.
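To make the self-keying trick from the list above concrete, here is an added example (not code from the sample being discussed) of a decoder whose cipher key is a hash of its own source text. Function names, the toy repeating-XOR cipher and the stand-in stage-2 code are assumptions made for this illustration; the real sample reaches its own text through arguments.callee, which is only available outside strict mode, so a named function and Function.prototype.toString stand in for it here.

```javascript
// Added example (not the sample's own code): a decoder whose key is its own
// source text, so an analyst's edit (eval -> print) changes the key and the
// payload decrypts to garbage. Names, the toy XOR cipher and STAGE2_SRC are
// assumptions made for this illustration.

// FNV-1a (32-bit) over the source text. Any one-character edit changes the key.
function keyFromSource(src) {
  let h = 0x811c9dc5;
  for (let i = 0; i < src.length; i++) {
    h ^= src.charCodeAt(i);
    h = Math.imul(h, 0x01000193);
  }
  return h >>> 0;
}

// Toy repeating-XOR "cipher" keyed by the 32-bit value above. Symmetric, so the
// same routine packs and unpacks. Illustration only, not a real cipher.
function xorBytes(bytes, key) {
  const ks = [key & 0xff, (key >>> 8) & 0xff, (key >>> 16) & 0xff, (key >>> 24) & 0xff];
  return bytes.map((b, i) => b ^ ks[i % 4]);
}

function decodeWith(payload, key) {
  return String.fromCharCode(...xorBytes(payload, key));
}

// The decoder. The key is derived from the decoder's OWN source text via
// Function.prototype.toString (the sample does the same with arguments.callee,
// which throws in strict mode). Because the text "eval(" is part of that
// source, swapping it for a print changes the key.
function unpack(payload) {
  const key = keyFromSource(unpack.toString());
  const code = decodeWith(payload, key);
  return eval(code); // direct eval: the decoded text runs as stage-2 code
}

// Build side: the author encrypts the real stage 2 under the key of the
// untouched decoder. A real sample would ship PAYLOAD as a literal array;
// it is computed here so the example is self-contained.
function pack(plainSrc) {
  const bytes = Array.from(plainSrc, c => c.charCodeAt(0));
  return xorBytes(bytes, keyFromSource(unpack.toString()));
}

// Constructed stand-in for the real stage-2 code (which builds a download URL).
const STAGE2_SRC = "['stage', 6 * 7].join('-')";
const PAYLOAD = pack(STAGE2_SRC);

// Analyst's move: patch eval to a print and run it. The patched decoder hashes
// its patched text, derives a different key, and "prints" garbage.
function tamperedKey() {
  const edited = unpack.toString().replace('eval(', 'console.log(');
  return keyFromSource(edited);
}

function demo() {
  const original = unpack(PAYLOAD);                // runs stage 2 -> 'stage-42'
  const seen = decodeWith(PAYLOAD, tamperedKey());  // what the patched decoder would print
  const keysDiffer = tamperedKey() !== keyFromSource(unpack.toString());
  return { original, seen, keysDiffer };
}
console.log(demo());
```

The hash is doing the same job as a file integrity check, only inverted: instead of the defender hashing a file to notice tampering, the malware hashes itself so that tampering silently breaks decryption. The practical consequence for analysis is that the payload has to be recovered without editing the decoder's text, for example by hooking eval from outside the sample or by recomputing the key from the pristine source and decrypting the byte array separately, as decodeWith does above.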
Even interpreted languages are capable of some pretty sophisticated obfuscation techniques. Watch for Ruby exploits, especially since Ruby on Rails has grown in popularity for database-driven applications. Ruby's error trapping mechanism has already been used to implement some complex new functionality with relatively few lines of code (pdf). Anything as useful as that won't long go unexploited.