Technical Stream
JavaScript monitor

Abstract:

Implement, for modern browsers, logging of JavaScript function calls and their parameters, together with the option of modifying parameter values immediately before a function is called, by intercepting the relevant functions in the JavaScript interpreter.

Objective:

To protect code from static analysis, modern malware uses various code-encryption techniques. In the case of malware designed to execute in the victim's web browser (e.g., an exploit kit), the JavaScript code can be encrypted with a variety of algorithms, both widely known and custom. Once the victim opens the infected page, a decryptor runs, decrypts the malicious code and passes control to it. With custom algorithms, several stages of decryption are possible, in which case elements of the web page itself may serve as input (for instance, key material) to the decryption. In this context, dynamic analysis of suspicious web documents based on logging suspicious JavaScript functions together with their parameters looks particularly attractive. Examples of such functions are eval() and document.write(). The functions can be intercepted in several ways: by modifying the original script, by modifying the script during execution, by analyzing callback events generated by a debugger or by the browser, by splicing the JavaScript interpreter's functions, or by patching the appropriate libraries in the browser process at run time.
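The following is an added example, not code from the page or from the project it describes. It shows the "modify the script environment during execution" approach from the list above: the page-level eval and document.write are wrapped so that every call is logged with its arguments, and an analyst-supplied modifier can rewrite the arguments before the real function runs. It runs under Node; the `document` object, the two-stage sample script, the hostname dropper.invalid and the function names installHook and analyze are all constructed for the example.

```javascript
// Added example, not code from the page's project: hooking suspicious
// functions by modifying the script environment at run time. Runs under Node;
// `document` is a constructed stub standing in for the browser's document.

const callLog = [];

// Replace target[name] with a logging wrapper. `label` is the name shown in
// the log; `modify(args)` may return a new argument array. Returns a function
// that restores the original.
function installHook(target, name, { label = name, modify } = {}) {
  const original = target[name];
  if (typeof original !== "function") {
    throw new TypeError(`${label} is not a function on the target`);
  }
  const hooked = function (...args) {
    const entry = { name: label, original: args.map(String) };
    const finalArgs = modify ? modify(args.slice()) : args;
    if (!Array.isArray(finalArgs)) {
      throw new TypeError(`modifier for ${label} must return an argument array`);
    }
    entry.passed = finalArgs.map(String);
    callLog.push(entry);
    // Calling through .apply is never a direct eval, so a hooked eval always
    // evaluates in global scope, which is where the decrypted stages run.
    return original.apply(this, finalArgs);
  };
  // Hide the wrapper from `eval.toString()`. A script that instead calls
  // Function.prototype.toString.call(eval) still sees it: a known weakness
  // of in-script hooking.
  hooked.toString = () => Function.prototype.toString.call(original);
  target[name] = hooked;
  return () => {
    target[name] = original;
  };
}

// Constructed stand-in for the browser's document; only write() is modelled.
globalThis.document = {
  html: "",
  write(markup) {
    this.html += markup;
  },
};

// Constructed two-stage sample: stage 1 rebuilds stage 2 from character codes
// and evals it; stage 2 injects an iframe (host uses the reserved .invalid TLD).
const STAGE2 = `document.write('<iframe src="http://dropper.invalid/"></iframe>')`;
const SAMPLE = `eval(String.fromCharCode(${[...STAGE2]
  .map((c) => c.charCodeAt(0))
  .join(",")}))`;

// Run a script with eval and document.write hooked. `modifiers.eval` and
// `modifiers.write` are optional argument rewriters. Returns the call log and
// the markup the script wrote.
function analyze(script, modifiers = {}) {
  callLog.length = 0;
  globalThis.document.html = "";
  const restore = [
    installHook(globalThis, "eval", { modify: modifiers.eval }),
    installHook(globalThis.document, "write", {
      label: "document.write",
      modify: modifiers.write,
    }),
  ];
  try {
    // The page's own `eval(...)` now resolves to the wrapper, as it would in a
    // browser after window.eval has been replaced.
    globalThis.eval(script);
  } finally {
    restore.forEach((r) => r());
  }
  return { log: callLog.slice(), html: globalThis.document.html };
}

// Usage: log only, then neutralise the injected frame on the fly.
const plain = analyze(SAMPLE);
const defused = analyze(SAMPLE, {
  write: (args) => [args[0].replace(/src="[^"]*"/, 'src="about:blank"')],
});
console.log(plain.log.map((e) => `${e.name}(${e.passed[0]})`).join("\n"));
console.log("defused markup:", defused.html);
```

The second eval entry in the log already contains the decrypted stage 2 in clear text, which is the whole point of logging at this level. The caveat that matters for the comparison of methods asked for below: a hook installed from script is visible to the script (toString fingerprinting, property descriptors) and is bypassed entirely by an eval taken from a fresh realm, such as an iframe's contentWindow, which is why the debugger- and interpreter-level alternatives exist.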

The aim is to study the options for intercepting suspicious functions in modern browsers and to create software that not only logs these functions but also modifies their parameters on the fly, in an environment convenient for the analyst (the workflow of the software is shown in Figure 1).

Figure 1: JavaScript Monitor (workflow diagram)

Data:

The researchers are provided with several obfuscated web documents and a table of functions for logging/modifying parameters.

The data is available after registration.

Requirements:

Analyze the methods for intercepting suspicious functions, evaluate their advantages and drawbacks, and implement the most promising and convenient one for the Microsoft Edge and Chrome browsers. Testing is expected to use the latest versions of the browsers with the standard set of plugins.

Evaluation criteria:

The following criteria will be used to evaluate the solutions:

  1. Originality and scalability of the method.
  2. Scalability of the application architecture.
  3. Reliability of the detection for all the proposed suspicious functions, including those obfuscated using a variety of methods.
  4. Usability of the application for the analyst, in particular, the ability to change the parameters of functions.