Using JSDetox to Analyze and Deobfuscate Javascript

Published: 2012-06-25
Last Updated: 2012-06-25 22:49:12 UTC
by Guy Bruneau (Version: 1)
2 comment(s)

Last week Daniel published the diary Run, Forest! If you are using Snort IDS and running some of the Blackhole signatures from Emerging Threats, you most likely noticed they trigger on Blackhole regularly. Using JSDetox, you can finally view the content of these scripts. All you need is a copy of the script and install JSDetox on a Linux system (mine is running on Slackware).

Steps to Decode Java Obfuscated Script

1- Copy the code into the Code Analysis window and select Analyze.


 

2- The script will then be formatted in the Code Formatted window.

 


 

3- Select Execute, then select Show Code and Send to Analyze to show the script in its actual deobfuscated form.

 

The final result is quite similar to the Wepawet report in Daniel's diary.


[1] http://www.relentless-coding.com/projects/jsdetox
[2] https://isc.sans.edu/diary.html?storyid=13540
[3] http://wepawet.iseclab.org/view.php?hash=e89cfa2fa6a91f90cfeb125c10c1f0f&t=1340389400&type=js
[4] http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-current_events.rules
[5] http://krebsonsecurity.com/2010/10/java-a-gift-to-exploit-pack-makers/
 

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

2 comment(s)

Comments

Yay!

I think that's the code I submitted.

Also, thanks for introducing me to JSDetox, this will come in handy.
Guy on our team wrote this about two weeks ago, does all of this for you on a web page: http://deobfuscatejavascript.com/

Diary Archives