JavaScript Code Obfuscation Techniques For Malware Delivery

JavaScript Code Obfuscation

JavaScript code obfuscation plays a key role in malware delivery: attackers who want to target a site's users hide their code so that it evades detection by anti-virus software. JavaScript-based attacks have been reported among the top Internet security threats in recent years and have become a major mechanism for web-based malware delivery. Attackers take advantage of the dynamic nature of JavaScript to create highly obfuscated code that thwarts the defenses in place.

The nature of JavaScript makes a wide variety of obfuscation techniques possible. For example, the characters of a string can be encoded in several ways, e.g. with % encoding (a as %61, b as %62, …), Unicode escapes (a as \u0061, b as \u0062, …), Base64, and so on. Identifying malicious JavaScript is also not easy, since benign web pages use the same obfuscation techniques to protect intellectual property.

To understand these techniques, first classify them into the following four categories:

Randomization Obfuscation

Randomization obfuscation is a technique where attackers randomly insert or change some elements of the JavaScript code without changing its semantics. Examples include removing whitespace and renaming variables to meaningless strings. Attackers often combine two or more randomization techniques to avoid detection.

Data Obfuscation

Data obfuscation is a form of data masking in which data is deliberately scrambled so that it becomes very difficult for a person to understand the semantics of the code. Attackers usually achieve this by converting a variable or constant into one or several variables or constants. They also use techniques such as string splitting and keyword substitution.

String splitting converts a string into a concatenation of several substrings. It is usually used together with document.write() or eval(), which execute the reassembled string in the browser.
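The analyst-side counterpart to string splitting is to fold the pieces back together before looking for sinks. The following is an added example, not code from the article: a regex-based pass that merges adjacent quoted literals joined by `+` into a single literal, then reports literal arguments that reach eval() or document.write() and literals that spell a sink name (the `window['eval']` lookup style). It handles the flat concatenation pattern described above, not arbitrary expressions; a production tool would work on an AST. The sample script, sink list and placeholder URLs are constructed for this example.

```javascript
// Added example, not code from the article: fold split string literals
// ('do' + 'cu' + 'ment') back into one literal and report what reaches
// eval()/document.write(). Regex-based, for the flat '+' pattern only.

// Two adjacent quoted literals joined by '+'. Groups: 1/3 quote chars, 2/4 bodies.
const CONCAT = /(['"])((?:\\.|(?!\1)[^\\\n])*)\1\s*\+\s*(['"])((?:\\.|(?!\3)[^\\\n])*)\3/g;
// Any single quoted literal (group 1 quote, group 2 body).
const LITERAL = /(['"])((?:\\.|(?!\1)[^\\\n])*)\1/g;
// A sink called with a single literal argument (group 1 sink, group 3 body).
const SINK_CALL = /\b(eval|document\.write|setTimeout|Function)\s*\(\s*(['"])((?:\\.|(?!\2)[^\\\n])*)\2\s*\)/g;
// Names that, when hidden inside a string, usually mean a computed-property call (assumed list).
const SINK_NAMES = new Set(['eval', 'document.write', 'unescape', 'fromCharCode', 'atob']);

// Resolve the escapes a literal body may contain so both halves are joined as values.
function unescapeBody(body) {
  return body.replace(/\\(u[0-9a-fA-F]{4}|x[0-9a-fA-F]{2}|.)/g, (_, e) => {
    if (e[0] === 'u' || e[0] === 'x') return String.fromCharCode(parseInt(e.slice(1), 16));
    return { n: '\n', t: '\t', r: '\r', '0': '\0' }[e] ?? e;
  });
}

// Repeatedly merge 'a' + 'b' into "ab" until nothing changes, so long chains collapse.
function foldStrings(src) {
  let out = src, prev;
  do {
    prev = out;
    out = out.replace(CONCAT, (_, q1, b1, q2, b2) => JSON.stringify(unescapeBody(b1) + unescapeBody(b2)));
  } while (out !== prev);
  return out;
}

// After folding: literal arguments to sinks, plus literals that spell a sink name.
function revealSinks(src) {
  const folded = foldStrings(src);
  const findings = [];
  for (const m of folded.matchAll(SINK_CALL)) findings.push({ sink: m[1], payload: unescapeBody(m[3]) });
  for (const m of folded.matchAll(LITERAL)) {
    const value = unescapeBody(m[2]);
    if (SINK_NAMES.has(value)) findings.push({ sink: 'hidden-name', payload: value });
  }
  return findings;
}

// Constructed sample in the string-splitting style; harmless, URLs are placeholders.
const SAMPLE = `
var w = 'do' + 'cu' + 'ment.wr' + 'ite';
eval('va' + 'r x = 1; ' + 'al' + 'ert(x)');
document.write('<ifr' + 'ame src="http://example.invalid/' + 'x.html"></iframe>');
`;
console.log(revealSinks(SAMPLE));
```

Folding to a fixed point matters because the pieces are often nested more than two deep; each pass merges every adjacent pair and the loop stops when a pass changes nothing. Recovered payloads can then be fed to ordinary signature matching, which the split form was designed to defeat.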

Encoding Obfuscation

Three methods are normally used to encode the original code. The first converts the code into escaped ASCII characters, Unicode or hexadecimal representations. The second uses a custom encoding function to produce the obfuscated code and attaches a decoding function that restores it during execution. The third applies encryption to the script and decrypts it at run time. JS.Encode is a method created by Microsoft to encode JavaScript code.
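The encodings named in the introduction (% encoding, \u escapes, Base64) and in the first encoding method above can be undone statically, and stacked layers are common. The following added example is not code from the article: a decoder that peels encoding layers off a string literal until the text stops changing, records which layers it found, and matches the cleartext against a short list of sink patterns. The pattern list, layer limit and sample literals are assumptions made for this example; it runs under Node.js (it uses Buffer for Base64).

```javascript
// Added example, not code from the article: an analyst-side decoder for
// %XX, \uXXXX / \xXX and Base64 string encodings, applied layer by layer.

// Patterns worth flagging once a literal has been decoded (assumed list).
const SUSPICIOUS_PATTERNS = [/eval\s*\(/, /document\.write\s*\(/, /unescape\s*\(/, /fromCharCode/, /<script/i, /<iframe/i];

// %XX as produced by escape()/encodeURIComponent(); decoded by unescape() at run time.
function decodePercent(s) {
  return s.replace(/%([0-9a-fA-F]{2})/g, (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// \uXXXX and \xXX escapes, as the JavaScript parser resolves them inside a literal.
function decodeJsEscapes(s) {
  return s.replace(/\\(?:u([0-9a-fA-F]{4})|x([0-9a-fA-F]{2}))/g,
    (_, u, x) => String.fromCharCode(parseInt(u ?? x, 16)));
}

// Base64 only when the whole string is well-formed and decodes to printable ASCII;
// otherwise ordinary words such as "eval" would be misread as Base64.
function decodeBase64(s) {
  if (s.length % 4 !== 0 || !/^[A-Za-z0-9+/]+={0,2}$/.test(s)) return null;
  const out = Buffer.from(s, 'base64').toString('latin1');
  return /^[\t\n\r\x20-\x7e]+$/.test(out) ? out : null;
}

// Apply the decoders repeatedly; attackers commonly stack encodings.
function normalize(s, maxLayers = 5) {
  const layers = [];
  let cur = s;
  for (let i = 0; i < maxLayers; i++) {
    let next = decodePercent(cur);
    if (next !== cur) { layers.push('percent'); cur = next; continue; }
    next = decodeJsEscapes(cur);
    if (next !== cur) { layers.push('js-escape'); cur = next; continue; }
    next = decodeBase64(cur);
    if (next !== null && next !== cur) { layers.push('base64'); cur = next; continue; }
    break;
  }
  return { decoded: cur, layers };
}

// Decode one literal and report which sink patterns the cleartext matches.
function scanLiteral(literal) {
  const { decoded, layers } = normalize(literal);
  const hits = SUSPICIOUS_PATTERNS.filter(p => p.test(decoded)).map(p => p.source);
  return { decoded, layers, hits };
}

// Constructed samples: each hides the same call behind a different encoding.
const SAMPLES = [
  '%65%76%61%6c%28',                            // percent-encoded "eval("
  '\\u0065\\u0076\\u0061\\u006c\\u0028',        // \u escapes for "eval("
  'ZXZhbCg=',                                   // Base64 of "eval("
  '%5Cu0065%5Cu0076%5Cu0061%5Cu006c%5Cu0028',   // percent encoding over \u escapes
];
for (const s of SAMPLES) console.log(JSON.stringify(scanLiteral(s)));
```

The layer list is as useful as the decoded text: benign pages rarely percent-encode a string that itself contains \u escapes, so a multi-layer result is a signal on its own. The Base64 printable-output check is a heuristic; binary payloads (the second and third encoding methods, custom encoders and encryption) need the script's own decoding routine and are out of scope for a static pass like this.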

Logic Structure Obfuscation

This type of obfuscation manipulates the execution paths of the JavaScript code by changing its logic structure without affecting the original semantics. Attackers usually achieve this by adding instructions that are independent of the functionality, or by adding or changing conditional branches such as if…else, switch…case, for and while.

Attackers mostly use a combination of the above techniques to evade antivirus detection; by combining them they generate highly obfuscated JavaScript code that is genuinely difficult to decode.
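Because the techniques are combined, detectors score several independent signals rather than one. The following added example is not code from the article: a small feature extractor of the kind used by heuristic and machine-learning JavaScript malware classifiers, measuring whitespace ratio (randomization), share of machine-generated identifier names (randomization), density of character escapes (encoding), sink names hidden in escaped strings (encoding plus data obfuscation), and line length. The two sample scripts, the indicator names and every threshold are constructed for this example; the obfuscated sample is in the style of common obfuscator output and merely evaluates alert(1).

```javascript
// Added example, not code from the article: heuristic feature extraction
// over a script, returning the features and which constructed rules fired.

const KEYWORDS = new Set(('var let const function return if else for while do switch case break ' +
  'continue new this typeof instanceof in of try catch finally throw void delete true false null ' +
  'undefined class extends super import export default await async yield with').split(' '));

const STRING_LITERAL = /(['"])(?:\\.|(?!\1)[^\\\n])*\1/g;
const SINK_NAMES = /\b(eval|unescape|fromCharCode|atob|document\.write|setTimeout|Function)\b/g;

// Names of the shape _0x1f2a, or long vowel-less names containing digits, are what
// renaming tools emit; hand-written code rarely looks like this (assumed heuristic).
function looksGenerated(id) {
  return /^_0x[0-9a-f]+$/i.test(id) || (id.length >= 6 && /\d/.test(id) && !/[aeiou]/i.test(id));
}

function extractFeatures(src) {
  const codeOnly = src.replace(STRING_LITERAL, '""');   // drop string bodies before naming analysis
  const ids = new Set((codeOnly.match(/\b[A-Za-z_$][\w$]*\b/g) || []).filter(id => !KEYWORDS.has(id)));
  const generated = [...ids].filter(looksGenerated).length;
  // Resolve \xHH and %HH escapes so sink names hidden as byte sequences are counted.
  const decoded = src.replace(/\\x([0-9a-f]{2})|%([0-9a-f]{2})/gi,
    (_, a, b) => String.fromCharCode(parseInt(a ?? b, 16)));
  return {
    whitespaceRatio: (src.match(/\s/g) || []).length / src.length,
    generatedIdentifierShare: ids.size ? generated / ids.size : 0,
    escapeDensity: (src.match(/\\x[0-9a-f]{2}|\\u[0-9a-f]{4}|%[0-9a-f]{2}/gi) || []).length / src.length,
    sinkNameCount: (decoded.match(SINK_NAMES) || []).length,
    maxLineLength: Math.max(...src.split('\n').map(l => l.length)),
  };
}

// Constructed thresholds; a real deployment would tune them on labelled corpora.
const RULES = [
  ['low-whitespace', f => f.whitespaceRatio < 0.05],
  ['generated-identifiers', f => f.generatedIdentifierShare > 0.3],
  ['escape-heavy', f => f.escapeDensity > 0.04],
  ['hidden-sink-names', f => f.sinkNameCount >= 2],
  ['long-lines', f => f.maxLineLength > 200],
];

function assess(src) {
  const features = extractFeatures(src);
  const indicators = RULES.filter(([, test]) => test(features)).map(([name]) => name);
  return { features, indicators };
}

// Constructed obfuscated sample (renamed identifiers, escaped sink names, rotated
// string table, percent-encoded payload); it only evaluates alert(1).
const OBFUSCATED = String.raw`var _0x4a2b=['\x65\x76\x61\x6c','\x66\x72\x6f\x6d\x43\x68\x61\x72\x43\x6f\x64\x65'];(function(_0x1f,_0x2e){var _0x3d=function(_0x5c){while(--_0x5c){_0x1f['push'](_0x1f['shift']());}};_0x3d(++_0x2e);}(_0x4a2b,0x1a3));var _0x9c=function(_0x7a){return _0x4a2b[_0x7a];};window[_0x9c(0)](unescape('%61%6c%65%72%74%28%31%29'));`;

// Constructed benign sample for comparison.
const BENIGN = `
function formatPrice(amount, currency) {
  const value = Number(amount).toFixed(2);
  return currency + ' ' + value;
}

document.getElementById('total').textContent = formatPrice(19.5, 'USD');
`;

console.log(assess(OBFUSCATED));
console.log(assess(BENIGN));
```

No single feature is decisive, since minified production code also has low whitespace and long lines; the point is that obfuscated malware tends to trip several rules at once while minified benign code trips one or two. The same feature vector is what a trained classifier would consume in place of the hand-written rule list.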