[ad_1]
JavaScript obfuscation continues to be a popular methodology amongst cyberattackers for sneaking previous defenses to ship a broad vary of payloads. Nonetheless, even an excellent methodology for flagging the presence of JavaScript packer obfuscation shouldn’t be a foolproof methodology of detection as a result of a small variety of web sites use obfuscation for professional functions, too, analysis exhibits.
Or Katz, principal lead safety researcher at Akamai, this week printed a sneak peek into the outcomes of analysis he’ll be presenting on the upcoming SecTor 2021 convention, the place he’ll talk about what he calls a “lazy” however high-performance and cost-effective methodology for detecting widespread JavaScript packer templates.
Within the run-up to this speak, Katz analyzed over 30,000 benign and malicious JavaScript information. Of the ten,000 that have been malicious, Katz discovered 26% exhibited indicators and patterns of getting used certainly one of 5 packer functionalities profiled by his software. They spanned a variety of malicious file sorts, together with malware droppers, phishing pages, cryptominer malware, and Magecart scams.
The one-in-four prevalence charge of obfuscation places a strong quantity to the rising ease with which attackers apply software-packing strategies to their malicious code to make it more durable to learn, debug, and, consequently, be analyzed and detected by cybersecurity instruments.
“It is clearly a extensively used method, and it’s so simple to do right this moment. There are on-line providers the place you may put in your supply code and the service will create obfuscated code,” Katz says. “It is a problem for us defenders as a result of these aren’t text-based or hash-based information that we will simply discover and detect. We now have to do far more intensive work on them to raised perceive what actually occurred behind the scenes on these information.”
Katz will go extra in-depth at SecTor 2021 about how his tooling aids the method, although his submit this week highlights how related 4 extensively totally different payload samples look once they undergo the identical distinctive packer performance.
Whereas packers aren’t something new, Katz believes they deserve continued remark and monitoring as a result of they nonetheless work so nicely for adversaries — not solely to evade detection however to purchase the unhealthy guys time throughout assaults, as strategies for analyzing and detecting these information are historically time-consuming.
“Going over obfuscated code takes extra computational assets and extra human assets. In that sense, that may result in longer life spans for these scams and better success charges and extra income for them,” he says.
This was the drive behind the creation of his tooling and why he believes it is well worth the look — with the caveat, in fact, that like most detection strategies in safety, it is no silver bullet. One of many fascinating findings he plans to debate in his presentation is the truth that obfuscation shouldn’t be essentially an computerized crimson flag for an internet site.
“Wanting on the benign aspect of issues, I used to be capable of see that obfuscation is getting used for professional web sites. That shocked me a bit as a result of I didn’t anticipate that,” he says, explaining that 0.5% of professional web sites use the method to cover code performance on their websites.
Digging into these, he discovered that obfuscation is regularly used for quite a lot of legitimate causes, together with to hide client-side performance, disguise code developed by a third-party supplier, or disguise delicate data like e mail addresses.
[ad_2]