Saturday, February 23, 2008

Idea for End-point Javascript Obfuscation Blocking

I was fortunate enough to attend a presentation by Daniel Peck, of CaffeineMonkey fame, on the characteristics of the JavaScript obfuscation attack. What struck me most about the presentation were the graphs Mr. Peck included comparing the object characteristics of malicious and benign scripts. Most scripts have a high number of interfacing calls (document.write, writeln, print, alert, etc.) with rather short string content in their arguments to direct the content loading; malicious scripts have relatively few interfacing objects and HUGE string objects (upwards of 80-90% of the script). Over the graphs of scanned sites he showed, this pattern looks consistent across malicious vs. non-malicious sites. If this statistical analysis could be integrated into a browser plug-in, it would make for a rudimentary, yet effective, barrier to obfuscated iframes and droppers. The plug-in would block script execution based on a user-defined ratio or percentage of interfacing calls to string content.
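To make the heuristic concrete, here is an added example of my own (not CaffeineMonkey code and not the plug-in described above) that scores a script by the share of its characters sitting inside string literals and the number of interfacing calls it makes. The regular expressions, the thresholds and the two sample scripts are assumptions I constructed for illustration; a real implementation would tokenize with a proper JavaScript parser.

```python
import re

# JavaScript string literals: single- or double-quoted, with backslash escapes.
STRING_RE = re.compile(r"'(?:\\.|[^'\\])*'" + r'|"(?:\\.|[^"\\])*"', re.DOTALL)
# Interfacing calls named in the post; assumes the document. prefix for write/writeln.
CALL_RE = re.compile(r"\b(?:document\.write(?:ln)?|print|alert)\s*\(")


def script_stats(src):
    """Return (interfacing_call_count, string_char_ratio) for a script body.

    string_char_ratio is the fraction of the script's characters that lie
    inside string literals (quotes excluded), the 80-90% figure from the talk.
    """
    strings = STRING_RE.findall(src)
    string_chars = sum(len(s) - 2 for s in strings)  # drop the two quote chars
    # Blank out literals first so that "alert(" inside a string is not counted.
    code_only = STRING_RE.sub('""', src)
    calls = len(CALL_RE.findall(code_only))
    ratio = string_chars / len(src) if src else 0.0
    return calls, ratio


def is_suspicious(src, max_string_ratio=0.8, max_calls=2):
    """User-tunable policy: few interfacing calls AND string-dominated source."""
    calls, ratio = script_stats(src)
    return ratio >= max_string_ratio and calls <= max_calls


# Constructed sample: ordinary page glue, many calls, short strings.
BENIGN = (
    "var name = 'World';\n"
    "document.write('<p>Hello, ' + name + '</p>');\n"
    "alert('Loaded');\n"
    "document.writeln('<hr>');\n"
)

# Constructed sample: one huge literal (filler hex, not a real payload) and a single call.
OBFUSCATED = 'var p = "' + "4142" * 60 + '";\ndocument.write(p);\n'

if __name__ == "__main__":
    for label, src in (("benign", BENIGN), ("obfuscated", OBFUSCATED)):
        calls, ratio = script_stats(src)
        print(f"{label}: calls={calls} string_ratio={ratio:.2f} "
              f"suspicious={is_suspicious(src)}")
```

A script that embeds a large data blob (say, inline JSON) with no interfacing calls will also trip this rule, which is the false-positive cost of the rudimentary ratio test the post proposes.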

With a skeleton plug-in and the statistical analysis code already open source in CaffeineMonkey, integrating the two should be possible.
