Our next speaker is a little nervous and has a lack of imagination, so if you could all strip down to your underwear, we can save that step. It's my pleasure to introduce Kolasar.

Thank you. Okay. This is white space. It's a different approach to JavaScript obfuscation. This came about through my work. I deal with a lot of obfuscated JavaScript dealing with incidents, people's machines getting infected, and I kept seeing the same things over and over and over again. And, is that better? And I started noticing patterns, people using the same techniques, same things, and I noticed things that seemed to show up in every single piece of obfuscated JavaScript. So, because I got tired of seeing these, my first thought was, what would make my job more difficult? So, I went about the process of figuring it out, and basically this is what I came up with. Well, I just answered what it is.

So, what I'm going to do is I'm going to talk about white space, basically what it is, which I kind of discovered. I'm going to go through a brief survey of current JavaScript obfuscation methods, just in case you're not familiar. I'll show what I consider the telltale indicators of JavaScript obfuscation. These are the things that when I manually search through it, and when automated processes go through to try to detect, IDS/IPSs, this is what they look for to say, all right, obfuscated JavaScript, check it down. And then I'll detail the components of the approach, and we'll go for a demo.

So, the first question, of course, is what is white space? Peter will be happy. Basically, again, I apologize for repeating. It hides, basically it hides the telltale indicators of obfuscation. And again, it's not detectable by the standard JavaScript obfuscation methods, detection methods, automated and manual. Now, is anybody, how many people here are familiar with obfuscated JavaScript? Okay, for those who aren't familiar with it, what they do is basically, they encode the JavaScript.
I'll give examples of it in the talk, and it's basically, they do it to hide what they're trying to do. Usually they try to hide things like exploit code and generally hidden iframes, iframes with the size set to 0011. So then they can pull the source from a malicious site and infect your machine.

This is probably the most common sample of obfuscated JavaScript you're going to see. The top one is just ASCII encoded values. And if you were to decode that, that's an iframe with a bunch of other stuff in there. The bottom one is Unicode, same thing. And they'll do this because when people look at it, their eyes glaze over. They don't know what it is and they figure, ah, it's probably okay. And they'll let it run on their machine.

Another very common method is they will use an XOR. So if somebody looks in and says, okay, I recognize the first values as an iframe, I know my ASCII codes. That's fine. They'll do this. It's not familiar. But then again, if you recognize the ASCII codes, you can probably figure this one out. Another method that's commonly used is they'll do XORing with characters as opposed to the ASCII codes. And probably the simplest one is when they just split the strings to confuse people so they can't understand it. They don't know what's happening.

Then we get into encryption. This actually has real math. Kind of an actual algorithm that's involved in processing and hiding the data. And another thing which is simple, but this is more to confuse the people looking at it manually, is they'll use non-obvious variable names, functions, against the people looking at it. They read it. They don't understand it.

So what this boils down to, if you look through the samples, the telltale indicators. We have eval, unescape, document.write, and probably the biggest giveaway is a large block of meaningless text, basically all the encoding, and everything that they do to try to hide what they're trying to do on your machine. You can see some samples here.
And this is from the slides earlier. So we have the eval, the unescape, document.write, and on the bottom, like I said, a large block of basically garbage meaningless text.

So what I do to get around this so it can't be detected, is I take advantage of the fact that JavaScript is object-oriented. I walk through the objects, I enumerate to retrieve the methods, so we don't have anything in the script that says document.write, eval, unescape, and I use white space to encode the iframe and the data that I want to have. That eliminates the large chunk of meaningless text.

So in this approach, we start with, of course, this object. We iterate through to find the methods. In this case, I'm looking for, first, the document, and the way I go through this is we know in this object there are a limited number of objects that are eight characters, and there's only one that has a d as the first character and this t as the last. So that gives me a reference to the document object. From that, the document object, I go for the write method of the document object using the same method. If there are any questions, please feel free to shut up. From there, then the next thing we have to do is do a getElementById. This allows me to access the data on the page itself and innerHTML in order to grab the HTML on the page.

So from this point after this, the next part is, of course, encoding and decoding what we want to do, the hidden iframe or the malicious code in white space. So I reduce the binary, use tabs for zeros, spaces for ones, and we read through the document. The bottom line is actually a call, as you see, through this document.getElementById. And in this proof of concept, I have a name tag. Obviously that can be eliminated easily by modifying your code. And then I retrieve the data, split it by line. Again, all the function calls are at least the innerHTML. It's not there. Nothing that should trigger either an automatic or manual search through the code.
And this is the code that actually decodes the white space and creates the string that in this example here will have an iframe that hits another page. It's going to be the quickest talk in DEF CON history. And this here is my call to document.write. This is the key. Your eval would look like that. Your unescape of eval. And this is, like I said, normally, obviously, it's not going to be commented, but normally you'd have a document.write and these are the things that people search for. This is what is in the code that I have. And I'm not going to see it, hopefully.

Obviously there are limitations. This is JavaScript. You have to push the decode, the decryption code onto the client machine. So they do have it to look at. There may be ways around this. I don't know any, but... And I'm going to show just a quick demo of what it does.

Before I jump to the demo, I just want to say thanks to a few people. The... I'll just leave the person on the bottom list. The guy in the middle helped me with the code that... The demo code that's going to obfuscate the JavaScript. And you'll see that in a second. And the guy on top has just helped me through all this stuff and my career at this company. So I would be morally wrong to not thank him.

So we'll go to the demo. Now that... In this case, this page here, this is from a hidden iframe that's pulled off the system. Obviously, it could be remote. If we take a look at the source, you'll see that this is the normal body, normal part of the HTML. And this is my code. Obviously, this page has been shortened for the demo; if it's in a large web page, this would blend in. If you look at the jagged edges here, that's the white space. That's where the iframe is encoded. And then, of course, we have this to do it. And this is... You put whatever you want in here. This is the code. This is your decoding code. Or actually, with minor modification, this could be any code, and it will modify it. It'll encode the white space on this code.
And that's, again, shortest talk in DEF CON history. But we have any questions or... I apologize for running through it.

Yeah. I don't know. I didn't see his. What's the... I know I heard something that he puts... He encodes some stuff with white space. I'm not sure if he does the iteration through the object methods to get... Okay.

Actually, it was tough. I talked to one... I talked to a number of vendors. We had one specifically that our company uses. I worked with them. And it took them a while. I don't know what they're detecting. It'll work, but I'm not quite sure. Because if you look at the sample again, what this does, this particular one, and the way I have it set, is it basically puts one character per line, so you have a large chunk of white space. If you have a large amount of code that you're hiding your iframe in, you can put one bit on each line. So it becomes a lot harder to detect. You're not looking at... each string of combination of tabs and spaces at the end of a line. You could just have one tab at the end of one line, a space at the end of another, and encode it that way. So I'm not sure how they would detect it. That would work. Unfortunately...

Oh, I'm sorry. I was asked if you could detect the difference in what the code does by stripping out the extraneous white space. And that would actually break it. Unfortunately, right now, nobody does that. Nobody seems to want to. That's the simplest solution to this, but nobody seems to want to alter the pages as they bring them in to run it.

No, actually it's not. It's pure... I'm not even doing a Caesar shift. It's pure ASCII encoding. I have tabs for zero, spaces for one. I'm not changing the characters. Yeah, it's not complicated. Oh, thank you. I thought you were questioning it. I'm being defensive. I apologize. I've never spoken to a crowd a tenth of this size. So if I'm shaking visibly, rush the stage when I faint. Sorry. Correct. They don't right now.
Well, possibly through a custom interpreter, you could, but IPS and IDS systems at this point don't seem to do that. They seem to, because of the speed concerns, they're getting hundreds or thousands of hits, especially if you're in a large-sized company, just to keep the machines running as fast as possible. So they can't spend a lot of time. I know we're talking milliseconds versus hundreds of milliseconds, but if you've got a company that's got 40,000 employees and you know at least half of them are surfing the Internet at any one given time, they can't go through all this at that level, or they don't currently because of performance reasons. So this, as I said, this does get past the ones that we've tested it with.

Yes, I've seen where they'll pull, like random bits of code, or they'll put, they'll have the large chunk of data, but they'll like assemble it by pulling random pieces. So basically a more complex version of, wrong slide. I don't have the slides up. The one where I had it split up into different, where I had them concatenate at the end. Basically a more complex version. I've even seen ones which I wasn't going to put up here. There's a well-known kit called Neosploit, which actually will use, reference the decryption code as part of the key. So you can't alter it, or do anything to it because then it breaks entirely. You'll never see what it does.

Oh yeah, I use SpiderMonkey and I love it. It's a similar thing, but yes, doing it manually, if somebody is manually trying to reverse it and using the correct tools, they'll be able to see it. But what this was meant to hide obviously was somebody going through. Because I know for those of us who do it, if you page through, you can open up a massive HTML page and you basically page down as fast as you can, and you're going to see that big chunk of text.
I mean, you catch it, you may not react until one or two clicks later, but I mean, those of you who've done it, you know what I'm talking about, and it just flies by and it's like, okay, that's it, you're back up, there it is. You know what you're looking for. So this evades that, and as you said, the automatic methods. If you do it manually, those who are trying, they know there's something there and they're not going to give up because they can't see it, they should be able to find it. But again, the automated tools don't use them.

Did everybody hear that? Okay, what you're saying is a very good point. As opposed, I think, and correct me if I'm wrong, I think what you're saying is as opposed to putting the white space at the end of the lines, you could actually, if the document itself contains tabs, you can convert those tabs to spaces inside the body of the document. Inside the body of the code, correct? Yes, that is another possibility. I'm playing with other things along those lines, maybe slightly tweaking characters, swapping like a greater than for a less than and swapping the conditionals and things like that. There are a ton of different ways.

I'm sorry, I couldn't hear that. Yep, yes, there's... Yes, and that's probably... the IDS and IPS systems won't catch that. That may look like somebody looking at it visually, but generally people put up their web page, their code, and they're done. They put the page up, they say, oh, it works, thank God. And then they run away and do something else. So, any other?

Well, sorry, good. Actually, some of them do. But that's a recent development. A lot of them are just now starting to come out with obfuscated JavaScript signatures. So, most of them didn't have them. They're starting to get them now. Hopefully, they'll be doing more. This is when you ask why I did this. This was partly out of boredom, because I kept seeing the same stuff over and over again.
But the other part was because the vendors right now are doing they're looking for the same stuff, basically the telltale indicators that I was talking about. And if they don't start thinking along different lines, somebody's going to come up with this stuff. I mean, I'm not a genius. This isn't rocket science. This is just, I came across this and hopefully we can get the vendors to start detecting this stuff and start thinking along these lines and have someone else say, well, what could be worse? What could make it harder for us to detect it and start figuring that out proactively before the guys that are trying to infect my mother's machine that makes her afraid to use the internet before they start figuring that out. Oh, I think we're done. Thank you.
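The encoding described in the talk (tabs for zero bits, spaces for one bits, carried in the trailing whitespace of each line) can be undone by a scanner that collects every trailing tab/space run across the page, which also covers the one-bit-per-line variant raised in the Q&A; this is an added example, not the speaker's demo code, and the sample page it builds is constructed. It also shows the mitigation mentioned in the Q&A: stripping trailing whitespace before a page is run destroys the channel.

```python
import re
from typing import Tuple

TRAILING_WS = re.compile(r"[ \t]+$")  # the carrier: tabs/spaces ending a line

def extract_bits(source: str) -> str:
    """Collect every trailing tab/space run, in page order, as one bit string.
    Tab -> '0', space -> '1', the scheme described in the talk. Gathering runs
    across lines also covers the one-bit-per-line variant from the Q&A."""
    bits = []
    for line in source.splitlines():
        m = TRAILING_WS.search(line)
        if m:
            bits.append("".join("0" if ch == "\t" else "1" for ch in m.group()))
    return "".join(bits)

def decode_bits(bits: str) -> str:
    """Read the bit string as 8-bit characters; a ragged tail is ignored."""
    usable = len(bits) - len(bits) % 8
    return "".join(chr(int(bits[i:i + 8], 2)) for i in range(0, usable, 8))

def looks_like_payload(text: str) -> bool:
    """Heuristic: printable ASCII that contains markup or the usual script tokens."""
    if not text or not all(32 <= ord(c) < 127 for c in text):
        return False
    return re.search(r"<\w|document\.|eval\(|unescape\(", text, re.I) is not None

def scan(source: str) -> Tuple[bool, str]:
    """Return (flagged, decoded_text) for a page."""
    decoded = decode_bits(extract_bits(source))
    return looks_like_payload(decoded), decoded

def strip_trailing_whitespace(source: str) -> str:
    """Mitigation raised in the Q&A: normalising lines destroys the channel."""
    return "\n".join(TRAILING_WS.sub("", line) for line in source.splitlines())

def constructed_sample(hidden: str, bits_per_line: int) -> str:
    """Constructed test page (not from the talk): hide `hidden` after filler lines."""
    bits = "".join(format(ord(c), "08b") for c in hidden)
    ws = "".join("\t" if b == "0" else " " for b in bits)
    chunks = [ws[i:i + bits_per_line] for i in range(0, len(ws), bits_per_line)]
    lines = ["<html><body>"]
    lines += ["<p>filler line %d</p>%s" % (i, c) for i, c in enumerate(chunks)]
    return "\n".join(lines + ["</body></html>"])

if __name__ == "__main__":
    for per_line in (8, 1):  # one character per line, then one bit per line
        page = constructed_sample('<iframe src="http://example.invalid/"></iframe>', per_line)
        print(per_line, scan(page), scan(strip_trailing_whitespace(page)))
```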