[Emerging-Sigs] A modest proposal: obfuscated javascript...

Fri Mar 14 11:20:48 EST 2008

I wasn't even thinking of rules, I was thinking of "challenging" the
googles of the world not to index these sites (and by extension sites
which have been defaced),   and "challenge" the firefox builders (and
IE) not to have their browser process obfuscated javascript.

But IDS rules, and maybe a firefox/IE plugin would be interesting....

On Fri, Mar 14, 2008 at 9:16 AM, Jart Armin <jart351 at googlemail.com> wrote:
> Hi David,
>
>  On the whole agree with you wholeheartedly, points:
>
>  1. iFrame - in recent discussion inside StopBadWare - it was noted
>  Google's API now combs for iFrames 0,0,0 , as now mostly discouraged
>  for conventional use, if they spot one on general search patterns, the
>  site it now automatically placed in a more 'in depth' search pattern
>  analysis list.
>
>
>  2. As a big Ajax / Rico / G Gadget and other stuff fan;
>
>  (a)  Even some stuff I have ended up mauling about it can look pretty
>  obfuscated, resultant inline Web 2.0, Joomla / CMS module code does
>  this.
>
>  (b) Try looking at most web sites using Google's own Urchin SEO code
>  with inline Jscripts. Early days I thought it must have been hacked
>  , talk about obfuscated!!!
>
>
>  But......
>
>  For me there are 3 areas of obfuscated Js there is no excuse for -
>  except exploits and this would also pick up 'bad' ad-network code (all
>  spyware or adware anyway) as well , which I am all in favor of.
>
>  3. Only bad use:
>
>  (a) Obfuscated URLs - as only used in XSS exploits - if you think
>  about is what possible legit use can there be for an ob.. URL?
>
>  (b) Any Jscript using the now familiar browser get around e.g.
>  <scr+ipt....... and attempts to kid IE the code is Visual Basic e.g.
>  MSvbasic=<scr+ipt...
>
>  (c) Also any reference like e.g. (unescape("%3Cscript%3Eif%28TG
>  %21%3D1%29%7Bfunction%20xo%28Rw%29%7Breturn%20Rw%7Dtry%7Bvar%20sF%3D -
>  never seen an escape or unescape calls with Hex used for anything
>  except exploits.
>
>
>  So there could be rules to block these?
>
>
>  Jart
>
>
>
>
>
>
>
>
>  On Fri, Mar 14, 2008 at 12:00 PM, David Glosser <david.glosser at gmail.com> wrote:
>  > Had a crazy idea - what if a war was declared on obfuscated javascript?
>  >
>  >  If the majority of malware uses obfuscated javascript in some way,
>  >  what if google and other search engines stop indexing pages containing
>  >  obfuscated javascript?
>  >
>  >  What if browsers ignore obfuscated javascript  (or maybe just process
>  >  it for local intranet zones)?  What effect would that have on malware?
>  >
>  >  (Same thing could be said for IFRAMES....   google stops indexing
>  >  pages with IFRAMES, browsers ignore it).
>  >
>