Scripting Language Attacks Getting More Difficult to Detect

Languages that provide evaluation functions (‘eval’) are nothing new, and programs that manipulate program code as if it were data are nothing new either. They are usually shunned except in some specific types of operations because they make code difficult to understand and maintain – exactly what a malware writer wants. A post at SANS entitled Advanced obfuscated JavaScript analysis describes in detail a keylogger pushing JavaScript that does an exceptionally good job at masking its function. We can expect more of this in other languages as well.

The JavaScript is planted on compromised Web sites and when downloaded by a vulnerable client will trigger the download of a keylogger. Simple obfuscation helps prevent detection by signature-based anti-malware scanners but this malware throws in a few more tricks to slow down analysis. The most interesting include:

  • Using eval and a self-referencing method (arguments.callee) in such a way that the results change if the code is changed during analysis
  • Calculating a cipher key based on the code itself so any changes to the code, like changing an eval to a print, changes the cipher key.
  • Checking for indications of tampering and analysis before building a URL to download the keylogger

Here is another case where dynamically generated code results in a vulnerability. The simplest examples of this are SQL injection attacks where queries are generated on the fly. The cipher key trick is reminiscent of using a hash algorithm to detect changes – nothing like using one of our techniques against us. Checking for indications of tampering and analysis is the kind of technique you’d expect in more sophisticated polymorphic viruses to detect behavior based analysis.
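To make the self-keying trick from the list above concrete, here is a constructed toy loader (added for this post, not the SANS sample) whose XOR key is a hash of its own source text, together with the analyst's counter-move: hook `eval` instead of editing the code. The page's sample uses `arguments.callee` for the self-reference; the named function referring to itself here is the strict-mode-safe equivalent. All names, the FNV-1a/XOR scheme and the payload string are assumptions of this example.

```javascript
// Constructed example: a loader keyed on its own source, plus an analysis hook.
function fnv1a(str) {                       // 32-bit FNV-1a over UTF-16 code units
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h = Math.imul(h ^ str.charCodeAt(i), 0x01000193) >>> 0;
  }
  return h;
}

function xorBytes(bytes, key32) {           // XOR with the 4 key bytes, cycling
  return bytes.map((b, i) => b ^ ((key32 >>> ((i % 4) * 8)) & 0xff));
}

// The loader: its key is a hash of its own source text, so changing anything
// inside it (e.g. eval -> print) changes the key and the decoded bytes.
function stage(payload) {
  const key = fnv1a(stage.toString());
  const code = String.fromCharCode(...xorBytes(payload, key));
  return eval(code);
}

const PLAINTEXT = "'payload executed: ' + (6 * 7)";        // constructed stand-in
const PAYLOAD = xorBytes([...PLAINTEXT].map(c => c.charCodeAt(0)),
                         fnv1a(stage.toString()));

function runUntouched() { return stage(PAYLOAD); }         // "payload executed: 42"

// Naive analysis: swap eval for something that reveals the code. The edited
// copy (a named function expression, so 'stage' inside refers to itself)
// hashes to a different key and decodes to garbage.
function runEdited() {
  const edited = eval('(' + stage.toString().replace('eval(', 'String(') + ')');
  return edited(PAYLOAD);                                   // not PLAINTEXT
}

// Working analysis: leave the loader byte-for-byte intact and hook eval
// itself; the key still matches and the decoded code is captured on the way.
function captureViaHook() {
  const captured = [];
  const realEval = globalThis.eval;
  globalThis.eval = (s) => { captured.push(s); return realEval(s); };
  try { stage(PAYLOAD); } finally { globalThis.eval = realEval; }
  return captured;
}
```

The same hook idea (intercept the sink rather than edit the sample) is what sandbox analysis does; it survives the self-hash check because the sample's own bytes never change.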

Even interpreted languages are capable of some pretty sophisticated obfuscation techniques. Watch for Ruby exploits, especially since Ruby on Rails has grown in popularity for database-driven applications. Ruby’s error trapping mechanism has already been used to implement some complex new functionality with relatively few lines of code (pdf). Anything as useful as that won’t long go unexploited.
