Detecting Malicious Javascript

The majority of malicious websites that attempt to exploit browser-based vulnerabilities to install spyware/malware use various obfuscation methods to hide their code.

A typical "Drive-by" download consists of a victim visiting, or being redirected to, an attacker's webpage which serves obfuscated/encrypted code for the browser to execute.

The following Snort IDS signature attempts to detect this obfuscated code by looking for a quote character followed by a run of at least 500 characters drawn from the set typically seen in encoded payloads (word characters, `/`, `@`, `=`, `+`, `%`, `!`, `\` and `-`):

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"LOCAL Malicious script"; flow:established,from_server; content:"("; pcre:"/(\x27|\x22)[\w/@=+%!\\-]{500}/iR"; sid:1000;)
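As an added example (not part of the original post), the rule's matching logic re-implemented in Python and run over constructed sample pages, so the hit and miss cases can be checked offline; the last sample shows the false positive the character class admits on a legitimate page that embeds a large base64 asset in a quoted string.

```python
import re

# Re-implementation of the rule: content:"(" followed by
# pcre:"/(\x27|\x22)[\w/@=+%!\\-]{500}/iR". The R modifier starts the PCRE
# search at the end of the "(" match instead of the payload start, which is
# modelled here with the pos argument of re.search().
SIG_RE = re.compile(r"""['"][\w/@=+%!\\-]{500}""", re.IGNORECASE)


def matches_signature(payload: str) -> bool:
    """Return True if the payload would raise the sid:1000 alert."""
    paren = payload.find("(")  # content:"(" must match before the PCRE runs
    if paren == -1:
        return False
    return SIG_RE.search(payload, paren + 1) is not None


# Constructed stand-in for an encoded blob (not real exploit code): 600
# base64-alphabet characters, all inside the signature's character class.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
BLOB = "".join(ALPHABET[i % len(ALPHABET)] for i in range(600))

SAMPLES = {
    # Typical drive-by shape: a long quoted string handed to eval().
    "obfuscated": "<script>eval(unescape('" + BLOB + "'))</script>",
    # Ordinary page: only short quoted strings after the first "(".
    "benign": "<script>document.write('hello world');</script>",
    # Whitespace is outside the class, so readable text never forms a run.
    "long_text": "<script>alert('" + "word " * 200 + "');</script>",
    # False-positive caveat: a benign inline asset (e.g. an image decoded
    # with atob) also yields a 500+ run of class characters after a quote.
    "inline_asset": "<script>var png = atob(\"" + BLOB + "\");</script>",
}


def classify_all() -> dict:
    """Map each sample name to whether the signature fires on it."""
    return {name: matches_signature(body) for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in classify_all().items():
        print(f"{name:12s} -> {'ALERT' if hit else 'ok'}")
```

Because of the `R` modifier the quoted run is only searched after the first `(`, so a blob that precedes every parenthesis in the response is not caught; that is a limit of the rule as written, not of the example.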

This signature has been successfully tested against the following exploit toolkits:

- Icepack
- Mpack (all variations: regular, obfuscated, and XOR encrypted)
- Firepack 0.18
- Neosploit (various builds of version 1 and 2)

Comments, suggestions, criticism, and optimizations regarding the signature are welcomed.


Anonymous said...

what does [\w/@=+%!\\-]{ do here?

-=[ dxp ]=- said...

Read the source Luke: PCRE.org