[Emerging-Sigs] A modest proposal: obfuscated javascript...
Jart Armin
jart351 at googlemail.com
Fri Mar 14 08:16:51 EST 2008
Hi David,
On the whole I agree with you wholeheartedly. Points:
1. iFrame - in recent discussion inside StopBadWare - it was noted
Google's API now combs for iFrames 0,0,0, as now mostly discouraged
for conventional use; if they spot one on general search patterns, the
site is now automatically placed in a more 'in depth' search pattern
analysis list.
2. As a big Ajax / Rico / G Gadget and other stuff fan;
(a) Even some stuff I have ended up mauling about it can look pretty
obfuscated, resultant inline Web 2.0, Joomla / CMS module code does
this.
(b) Try looking at most web sites using Google's own Urchin SEO code
with inline Jscripts. Early days I thought it must have been hacked,
talk about obfuscated!!!
But......
For me there are 3 areas of obfuscated Js there is no excuse for -
except exploits and this would also pick up 'bad' ad-network code (all
spyware or adware anyway) as well, which I am all in favor of.
3. Only bad use:
(a) Obfuscated URLs - as only used in XSS exploits - if you think
about it, what possible legit use can there be for an ob.. URL?
(b) Any Jscript using the now familiar browser get around e.g.
<scr+ipt....... and attempts to kid IE the code is Visual Basic e.g.
MSvbasic=<scr+ipt...
(c) Also any reference like e.g.
(unescape("%3Cscript%3Eif%28TG%21%3D1%29%7Bfunction%20xo%28Rw%29%7Breturn%20Rw%7Dtry%7Bvar%20sF%3D -
never seen an escape or unescape call with Hex used for anything
except exploits.
So there could be rules to block these?
Jart
On Fri, Mar 14, 2008 at 12:00 PM, David Glosser <david.glosser at gmail.com> wrote:
> Had a crazy idea - what if a war was declared on obfuscated javascript?
>
> If the majority of malware uses obfuscated javascript in some way,
> what if google and other search engines stop indexing pages containing
> obfuscated javascript?
>
> What if browsers ignore obfuscated javascript (or maybe just process
> it for local intranet zones)? What effect would that have on malware?
>
> (Same thing could be said for IFRAMES.... google stops indexing
> pages with IFRAMES, browsers ignore it).
>
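
Added example, not part of the original thread and not an Emerging Threats signature: a small static scanner in Python for the three patterns listed in the reply above (zero-size iframes, script tags split by string concatenation, unescape() on hex-escaped literals). The regexes, the `min_escapes` threshold and the sample pages are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Point 1: iframe with a zero width or height attribute.
ZERO_IFRAME = re.compile(
    r"<iframe\b[^>]*\b(?:width|height)\s*=\s*[\"']?0(?:px)?[\"'\s>]", re.I)
# Point 3(b): string concatenation used to split a literal, e.g. "<scr"+"ipt".
CONCAT_JOIN = re.compile(r"[\"']\s*\+\s*[\"']")
# Point 3(c): unescape() called directly on a string literal.
UNESCAPE_CALL = re.compile(r"\bunescape\s*\(\s*[\"']([^\"']*)[\"']", re.I)
HEX_ESCAPE = re.compile(r"%[0-9a-fA-F]{2}")


def scan(html, min_escapes=4):
    """Return a sorted list of heuristic names that fire on the page text."""
    hits = set()
    if ZERO_IFRAME.search(html):
        hits.add("zero-size-iframe")
    # A "<script" that only appears once concatenations are collapsed
    # was split on purpose to hide it from simple string matching.
    collapsed = CONCAT_JOIN.sub("", html)
    if collapsed.lower().count("<script") > html.lower().count("<script"):
        hits.add("split-script-tag")
    for literal in UNESCAPE_CALL.findall(html):
        # Threshold (assumed) avoids flagging a single escaped character.
        if len(HEX_ESCAPE.findall(literal)) >= min_escapes:
            hits.add("hex-unescape")
            # Decoding is static: nothing from the page is executed.
            if re.search(r"<\s*(?:script|iframe)", unquote(literal), re.I):
                hits.add("hex-unescape-hides-tag")
    return sorted(hits)


# Constructed samples (not taken from real sites).
SAMPLES = {
    "plain": '<script src="/js/menu.js"></script>'
             '<iframe width="300" height="200"></iframe>',
    "iframe": '<iframe src="http://example.invalid/" width=0 height=0></iframe>',
    "split": '<script>document.write("<scr"+"ipt src=x.js></scr"+"ipt>")</script>',
    "hex": '<script>document.write(unescape('
           '"%3Cscript%3Evar%20a%3D1%3B%3C%2Fscript%3E"))</script>',
    "benign-unescape": '<script>var t = unescape("caf%E9");</script>',
}

if __name__ == "__main__":
    for name, page in SAMPLES.items():
        print(name, scan(page))
```
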