Starting from JScript script obfuscation


Reprinted from: http://www.freebuf.com/column/144897.html

Script viruses have existed and been active for a long time, and they are a class of virus completely different from PE viruses: the low bar to writing them, the ever-changing obfuscation and encryption techniques, ease of propagation, ease of evading detection, and the fact that most users are unfamiliar with their many characteristics all make them deeply attractive to authors of all kinds of malware.

Anything from an inconspicuous LNK shortcut to a Word document can carry a script. This article takes JS scripts (specifically JScript; the two are treated as the same below) as its example and, using real samples, describes obfuscation techniques and the related knowledge for detecting obfuscation types. The article is limited by the number and variety of samples, so it has certain limitations, but the general picture should not differ much. This series begins with a brief introduction to JScript and its scripts, then analyzes and summarizes samples with different obfuscation operations, followed by an introduction to and implementation of dynamic script identification and virtual-execution behaviour detection.

Preface

JScript is a scripting language developed by Microsoft and an implementation of the ECMAScript syntax specification. It was first released with IE 3.0 in August 1996 and, like other scripting languages on Windows, is supported by Windows Script Host (WSH) and Active Server Pages; its typical extension is .js. A .js file on Windows runs like this (the actual suffix may also be .jse, .wsf or .wsh): when you double-click such a file, the usual operation is to pass the script as a parameter to a host process, which is normally WScript.exe or CScript.exe (the actual host is given by the value under the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.js\OpenWithList). The difference between WScript and CScript is that the former runs in a window while the latter runs on the command line. So must every JS script have that suffix? Of course not: you can run one with wscript //e:jscript <filename>. You may also ask whether JScript and JavaScript are the same thing. Of course not! But they belong to the same family of languages, since both are implementations of the ECMAScript syntax: the general syntax is the same, but there are many differences between the two implementations, and the specific differences can be looked up online.

Body

It is not known when Microsoft began to marginalize JScript (perhaps because JavaScript was too strong); as the old generation of Microsoft developers faded out, JScript also faded from view. But that is probably also why it has won the favour of malware authors.

What is obfuscation

Obfuscation: to mix one thing up with another so that it cannot be distinguished (this explanation comes from Baidu Encyclopedia). Since most scripting languages run through an interpreter, a script is usually in source-code form before it reaches the interpreter, so its intent can be read directly from the source. To resist analysis, the source is therefore obfuscated by various means (of course, it may also be a last resort of a legitimate script whose function the author does not want to be seen through easily). According to monitoring data on global non-PE samples from the Kingsoft Antivirus Security Lab, the current trend in JScript script obfuscation is as follows:

Below, real sample cases are analyzed and summarized according to the characteristics of each obfuscation operation, and finally detection methods are given for the different obfuscation techniques.

Script obfuscation

Scripts are obfuscated in many ways, commonly using encoding, encryption, transformation, splitting and other operations:

Encoding: the process of converting information from one form or format into another

Encryption: changing the original structure of information with a special algorithm

Transformation: the process of changing the original form

Splitting: usually a division operation

The operations above are the techniques commonly used for obfuscation, but in practice the carriers these operations act on are usually variables, strings, functions (or methods; collectively called functions below), arrays, objects, eval, and so on. These different carriers are analyzed and discussed in detail with samples below.

1. Obfuscation of variables

Variable obfuscation usually targets the names and the number of variables, with the goal of stripping variable names of meaning. Extreme cases of this operation include very few variables, very many variables, generally short names (<6 characters), generally long names (>41 characters), random names, and so on. In general, obfuscation aimed only at variables rarely occurs on its own; it appears together with other forms, for example:

The feature of this script is obvious: the variable names are composed of E and super, and the code it subsequently executes is as follows:

The idea is that the variables of the current environment are accessed through this, in order of the number of E's in the variable name from low to high, then stitched together into the full code block and executed dynamically with eval. This rule makes it easy to write a code-restoration tool (though its scope may be very narrow). Variable detection is mainly done along three dimensions: the number of variables, the distribution of name lengths, and the character features of the names. In the above example the code is obviously distorted, and the code-block splitting technique is also seen here.

2. Obfuscation of string manipulation

Strings go a long way towards helping a code reader quickly locate the critical sections of code and speed up analysis. Naturally, malicious scripts pay extra attention to protecting strings. Common obfuscation operations on strings are encryption, encoding, substitution and so on, and common string-manipulation functions are substr, substring, unescape, fromCharCode, replace, split, and regular expressions. The following code fragment uses the string-decryption function Exq to decrypt strings at run time.

There is also the following kind of string decryption built from common string operations:

The value of B after actually running it is:

There are also the more common encoding methods:

Among the collected samples, regular expressions are also used frequently; for reasons of length they are not listed here.

For string obfuscation, most samples use string-manipulation functions (or regular-expression objects). Tracking these functions (objects) and counting their occurrences can characterize this kind of obfuscation to some extent. Of course, without in-depth syntax analysis it is easy to count an operation inside a loop as a single occurrence when it is actually executed many times.

3. Obfuscation of functions, arrays and objects

In a normal script there is an upper limit on the number of functions, arrays and objects, but obfuscated scripts tend to exceed this limit and become abnormal: for example, 1000 function declarations and function expressions in one script, an array with indices above 10000, or an object made up of number:string pairs. For array obfuscation, see this example:

Here the array boql reaches a maximum index of 19027; hand-written code generally does not reach such a degree, so it was most likely generated by a tool. After actually running it, the UTF-encoded code fragment passed to eval is as follows:

Of course, function obfuscation is also common, such as a function placed directly as an element of an array:

or returned as a member of an object:

In general, function obfuscation is usually combined with objects and arrays. For objects, it is rather unexpected that this obfuscation is usually done with number:string pairs, and a function is seldom found inside, such as the following:

Like functions, object obfuscation mostly goes together with arrays. The core principle is code splitting: this kind of obfuscated code clearly embodies the idea of reducing the aggregation of information as much as possible. Of course, this also gives a detection feature: far too many indices for very little actual content.

4. Obfuscation of eval

The eval function executes a piece of code dynamically, and because of this property it is, one could say, very popular with malicious scripts. It is often used as "concatenated code fragments + eval" to execute a complete script, and it is also used to execute just a section of code. The typical packed obfuscation belongs to the first case, as follows:

The code actually executed is in the variable P. There is also code that executes a section like this:

This kind of eval obfuscation cannot be used as an independent feature to judge whether a script is obfuscated; it usually serves as an auxiliary feature.

5. Other types of obfuscation

Those are the 4 common obfuscation methods. Of course, many special scripts use other tricks to bypass detection. For example, using eval directly may be detected, so this['e' + 'val'] is used instead, which achieves the same effect; this relies on a property of this, which can access all variables of the current environment. Similarly, the following code may be detected as risky:

var sh = WScript.CreateObject("WScript.Shell");
sh.Run("cmd");

But after obfuscating it as follows:

var o = this['e' + 'val']('th' + 'is');
var sh = o['WS' + 'cript']['Create' + 'Ob' + 'ject']("WSC" + "ript" + "." + "ShELl");
sh['R' + 'un']('C' + 'm' + 'd');

Is it still easy to detect? Of course, there is no absolute detection of obfuscation, but to some extent this can no longer be easily determined from static features (before code execution); detection of such cases will be described in the second chapter of this series.
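To make the detection dimensions of sections 1 to 5 concrete, here is an added example (not code from the article or from its author) of a static feature extractor that counts those indicators over script text; the regular expressions and thresholds are assumptions, not values the article gives.

```javascript
// Added example (not from the article): static indicator counts for the five
// obfuscation carriers described above. Thresholds are assumed, not the article's.
const STRING_FUNCS = ['substr', 'substring', 'unescape', 'fromCharCode',
                      'replace', 'split', 'charCodeAt'];

function countMatches(re, src) {
  return (src.match(re) || []).length;
}

// Extract the counts a static detector can take from script text alone.
function extractFeatures(src) {
  const names = [...src.matchAll(/\bvar\s+([A-Za-z_$][\w$]*)/g)].map(m => m[1]);
  const indices = [...src.matchAll(/\[\s*(\d+)\s*\]/g)].map(m => Number(m[1]));
  return {
    varCount: names.length,
    shortNames: names.filter(n => n.length < 6).length,
    longNames: names.filter(n => n.length > 41).length,
    // Heuristic: letters followed by digits (luzpal9, pniwinosu8) look generated.
    randomNames: names.filter(n => /^[A-Za-z]{4,}\d+$/.test(n)).length,
    stringFuncCalls: countMatches(new RegExp('\\.(' + STRING_FUNCS.join('|') + ')\\s*\\(', 'g'), src),
    regexObjects: countMatches(/\bnew\s+RegExp\s*\(|\.(test|exec)\s*\(/g, src),
    functionCount: countMatches(/\bfunction\b/g, src),
    maxArrayIndex: indices.length ? Math.max(...indices) : 0,
    numberStringEntries: countMatches(/\b\d+\s*:\s*['"]/g, src),
    evalCalls: countMatches(/\beval\s*\(/g, src),
    // this['e'+'val'] style: a bracket access assembled from string literals.
    concatBrackets: countMatches(/\[\s*['"][^'"]*['"]\s*\+/g, src),
  };
}

// Turn the counts into a coarse obfuscation score (assumed thresholds).
function scoreFeatures(f) {
  let score = 0;
  if (f.varCount > 200 || f.longNames > 0 || f.randomNames > 3) score += 2;
  if (f.stringFuncCalls + f.regexObjects > 20) score += 2;
  if (f.functionCount > 1000 || f.maxArrayIndex > 10000 || f.numberStringEntries > 50) score += 2;
  if (f.concatBrackets > 0) score += 2; // indirect eval / host-name reconstruction
  if (f.evalCalls > 0) score += 1;      // auxiliary feature only, as the article notes
  return score;
}
```

Counting with regular expressions has the limitation the article mentions: an operation inside a loop is counted once, however many times it runs.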

Environment detection

The behaviour of a script is sometimes affected by its operating environment. For example, when downloading a file, if the linked file does not exist, the usual practice is to print a prompt and exit; or, when creating a file, to check whether creation succeeded, carry out the remaining operations on success, and print a prompt and exit on failure. So, overall, a script's behaviour is affected by the environment. Malware therefore also tries to make environmental judgements to determine whether the current environment is normal, for example whether it is running inside an antivirus engine. Several common anti-detection techniques are listed below.

1. Time detection

In general, the time an antivirus engine spends scanning a script is limited to a certain range, and the same is true of sandboxes. A malicious script can counter this by delaying execution so that the detector times out and gives up, for example:

This code appears at the very start of the script, ensuring that it continues running only after a delay of more than 6 s.

2. Execution-result detection

Most detection of heavily obfuscated scripts is now based on virtual execution technology (see the second chapter of this series). Because the engine itself is limited by the real environment, some objects and functions are often not simulated well enough, so executing the malicious script triggers an exception (or even a crash), which changes the control flow, for example:

The function Xuzydfej9 actually executes the following code:

var luzpal9 = WScript.CreateObject('WScript.Shell');

var pniwinosu8 = luzpal9.CreateShortcut('\qvertyd.lnk');

if (pniwinosu8.TargetPath == "") return 1;

It probes whether the LNK file was created successfully to determine whether it is in a real environment. Similarly, some samples probe time settings; in short, these are collectively referred to as execution-result detection.

3. Other

Conditional compilation in the form /*@cc_on ... @*/ is executed only by hosts that support JScript syntax, so if a virtual execution engine does not support this syntax rule it will skip the code as an ordinary /* */ comment, giving a false impression of the script's actual behaviour.

Finally

This article is the first in the series "Starting from JScript script obfuscation". Its main purpose is to give a brief introduction to the background of JScript, the common obfuscation methods and the related topic of environment detection. With these introductions we hope to give you a preliminary understanding of current trends in JScript malicious scripts and non-PE viruses; subsequent articles in this series will continue to delve into the use of virtual execution techniques to detect malicious scripts. Finally, thanks for reading.

