
SANS ISC: Using JSDetox to Analyze and Deobfuscate Javascript - SANS Internet Storm Center SANS ISC InfoSec Forums


Using JSDetox to Analyze and Deobfuscate Javascript

Last week Daniel published the diary Run, Forest! [2]. If you are running Snort IDS with some of the Blackhole signatures from Emerging Threats [4], you have most likely noticed that they trigger on Blackhole regularly. Using JSDetox [1], you can finally view the content of these scripts. All you need is a copy of the script and a JSDetox installation on a Linux system (mine is running on Slackware).

Steps to Decode an Obfuscated JavaScript Script

1- Copy the code into the Code Analysis window and select Analyze.

2- The script will then be formatted in the Code Formatted window.

3- Select Execute, then select Show Code and Send to Analyze to show the script in its actual deobfuscated form.

The final result is quite similar to the Wepawet report [3] in Daniel's diary.


[1] http://www.relentless-coding.com/projects/jsdetox
[2] https://isc.sans.edu/diary.html?storyid=13540
[3] http://wepawet.iseclab.org/view.php?hash=e89cfa2fa6a91f90cfeb125c10c1f0f&t=1340389400&type=js
[4] http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-current_events.rules
[5] http://krebsonsecurity.com/2010/10/java-a-gift-to-exploit-pack-makers/

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

Yay!

I think that's the code I submitted.

Also, thanks for introducing me to JSDetox; this will come in handy.
Yinette

Guy on our team wrote this about two weeks ago; it does all of this for you on a web page: http://deobfuscatejavascript.com/
Anonymous
