Friday, December 3, 2010

Detecting Obfuscated Malicious JavaScript with Snort and Razorback

Unlike most Americans, who were busy recovering from a turkey-induced coma, I spent this past weekend at the Hackers 2 Hackers Conference in Sao Paulo, Brazil. In addition to being a nice respite from the cold weather in DC, the event featured excellent speakers on topics as diverse as PDF analysis and fresh memory exploitation techniques.

One of those talks was my own, "Detecting Obfuscated Malicious JavaScript with Snort and Razorback" (PDF of slides). Given the quality of the other presentations, I doubted my work would attract much attention; however, if the number of people who've contacted me since my talk is any indication, I must have done something right.

In a nutshell, the concept that came out of my talk revolves around language-based anomaly detection. A trained analyst or JavaScript programmer has no problem looking at most malicious code and seeing it as such right away; the goal, then, is to be able to teach the computer to do the same, in the form of a Razorback module. While there's plenty to be done to make a usable detection nugget - including considering some of the excellent suggestions I've received from those who saw me speak - thus far the concept has proven itself useful enough to at least warrant further development.
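
To make the "teach the computer what the analyst sees" idea concrete, here is an added example of a small feature-based scorer for JavaScript source. It is not code from the talk, from Razorback, or from Sourcefire; the feature set, weights, threshold and the two sample scripts are all my own assumptions, chosen to mirror what a reviewer notices first: dynamic-code sinks such as eval, decoder calls such as unescape, strings packed with hex or percent escapes, and long high-entropy blobs. A real nugget would tune these on a labelled corpus rather than use hand-picked weights.

```javascript
// Added example (not from the original post or Razorback): heuristic scoring of
// JavaScript source for obfuscation traits an analyst would flag on sight.

// Tolerant string-literal lexer: returns the raw contents of '...' and "..."
// literals, keeping backslash escapes intact so they can be counted later.
// It is feature extraction, not a full JavaScript parser.
function extractStringLiterals(src) {
  const literals = [];
  let i = 0;
  while (i < src.length) {
    const quote = src[i];
    if (quote === '"' || quote === "'") {
      let j = i + 1;
      let buf = "";
      while (j < src.length && src[j] !== quote) {
        if (src[j] === "\\" && j + 1 < src.length) {
          buf += src[j] + src[j + 1]; // keep the escape as written
          j += 2;
        } else {
          buf += src[j];
          j += 1;
        }
      }
      literals.push(buf);
      i = j + 1; // skip the closing quote
    } else {
      i += 1;
    }
  }
  return literals;
}

// Shannon entropy in bits per character; packed payloads score high.
function shannonEntropy(s) {
  if (s.length === 0) return 0;
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Features an analyst eyeballs. Regexes are deliberately narrow: setTimeout and
// setInterval only count when handed a string, which is the code-execution form.
function extractFeatures(src) {
  const sinkRe = /\b(eval|Function|document\.write(ln)?)\s*\(|\b(setTimeout|setInterval)\s*\(\s*["']/g;
  const decoderRe = /\b(unescape|decodeURIComponent|atob)\s*\(|String\.fromCharCode\s*\(/g;
  const escapeRe = /\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}|%[0-9a-fA-F]{2}/g;

  const literals = extractStringLiterals(src);
  const joined = literals.join("");
  const escapeSequences = (joined.match(escapeRe) || []).length;
  const longLiterals = literals.filter((s) => s.length >= 32);

  return {
    sinkCalls: (src.match(sinkRe) || []).length,
    decoderCalls: (src.match(decoderRe) || []).length,
    escapeSequences,
    escapeDensity: escapeSequences / Math.max(1, joined.length),
    longestLiteral: literals.reduce((m, s) => Math.max(m, s.length), 0),
    maxLongLiteralEntropy: longLiterals.reduce((m, s) => Math.max(m, shannonEntropy(s)), 0),
  };
}

// Hand-picked weights (assumption, not a trained model). Score >= 3 flags the script.
function scoreScript(src) {
  const f = extractFeatures(src);
  let score = 0;
  const reasons = [];
  if (f.sinkCalls > 0) { score += 1; reasons.push("dynamic-code sink present"); }
  if (f.decoderCalls > 0) { score += 1; reasons.push("decoder call present"); }
  if (f.sinkCalls > 0 && f.decoderCalls > 0) { score += 1; reasons.push("decoder and sink both present"); }
  if (f.escapeDensity > 0.2) { score += 2; reasons.push("escape-heavy string literals"); }
  if (f.longestLiteral > 200) { score += 1; reasons.push("very long string literal"); }
  if (f.maxLongLiteralEntropy > 4.5) { score += 1; reasons.push("high-entropy string blob"); }
  return { score, suspicious: score >= 3, reasons, features: f };
}

// Constructed samples. The "obfuscated" one only decodes to alert(1); the point is
// the shape of the code, not what it does.
const BENIGN_SAMPLE = `const greeting = "Hello, world";
function show(name) { document.getElementById("out").textContent = greeting + ", " + name; }
setTimeout(function () { show("Ryan"); }, 1000);`;

const OBFUSCATED_SAMPLE = String.raw`var _a=["\x61\x6c\x65\x72\x74"];var _b="%28%31%29";eval(unescape(_a[0]+_b));`;

console.log(JSON.stringify(scoreScript(BENIGN_SAMPLE), null, 2));
console.log(JSON.stringify(scoreScript(OBFUSCATED_SAMPLE), null, 2));
```

The benign sample scores 0 even though it calls setTimeout, because the callback is a function rather than a string; the obfuscated sample scores 5 from the eval/unescape pair plus a 28% escape density across its literals. The co-occurrence bonus is a deliberate shortcut: the scorer does not trace data flow from decoder to sink, it only notes that both appear, which is cheap enough to run on every script Snort hands to a nugget and still catches the most common packer idiom.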

That said, I'd love to get feedback from the broader community on this idea. Please take a look at my slides, and if you have any suggestions, questions, etc., post them below or email me directly at alex kirk sourcefire com. I hope to have functioning source code online at http://labs.snort.org/razorback/ by the end of 2010.

2 comments:

Ryan Barnett said...

Is this code in Razorback yet? Took a quick look at the archive and didn't see it. I am looking at using similar detection concepts in ModSecurity to detect both inbound XSS payloads and outbound malware code.

Nigel Houghton said...

Ryan, no this code has not yet been committed to the Razorback repository. We'll try to get it in there as soon as we can.