[Emerging-Sigs] A modest proposal: obfuscated javascript...
David Glosser
david.glosser at gmail.com
Fri Mar 14 21:39:10 EST 2008
Thanks. From that thread:
"We've been seeing more and more obfuscated web script and according
to a recently released IBM report, the majority of exploits are taking
this path. "
Now I remember reading this last month, and I think this discussion
was in the back of my mind when I floated the idea of somehow eliminating
pages containing IFRAMES and obj javascript from search engine
results and from being processed in the browser....
Say the following occurs:
1. CNN's other major web sites stop using packers and obj javascript and IFRAMES
2. Google and the other search engines stop indexing pages containing
iframes and obj javascript
3. Browsers ignore iframes and obj. javascript code
Then have the BadGuys been dealt a severe blow? If the answer is
yes, then this issue is worth pursuing. (Exactly how is another
issue).
If not, then it's back to playing whack-a-mole with IPs and Domains.
On Fri, Mar 14, 2008 at 8:55 PM, dxp <dxp2532 at gmail.com> wrote:
>
> There was an interesting discussion about de-obfuscating code on the
> Focus-IDS mailing list (focus-ids at securityfocus.com).
> The thread is "Obfuscated web pages"
> (http://seclists.org/focus-ids/2008/Feb/0016.html).
>
> On Fri, 2008-03-14 at 17:49 -0400, Scott Melnick wrote:
>
> On Fri, Mar 14, 2008 at 12:20 PM, David Glosser <david.glosser at gmail.com>
> wrote:
>
> I wasn't even thinking of rules, I was thinking of "challenging" the
> googles of the world not to index these sites (and by extension sites
> which have been defaced), and "challenge" the firefox builders (and
> IE) not to have their browser process obfuscated javascript.
>
> But what about the legitimate sites that are using packers to shorten their
> code? CNN, etc. It would be too much heat for them to start X'ing them out.
>
> But IDS rules, and maybe a firefox/IE plugin would be interesting....
>
> A HIDS type of plugin to unpack JS and check it before executing would be
> cool. I know that some people are talking about building this into
> proxy-type IDS systems.
>
> Scott Melnick
>
> --
>
> -=[ dxp ]=-
> 0xA3F3C6E3
>
>