As part of my daily ritual I start the work day with a cup of coffee, a multi-vitamin, and sit down to read a bunch of blogs and respond to email that's come in since my commute. Among the pile of blogs I subscribe to with bloglines, is the SANS Internet Storm Center Handler's Diary. . The article today called Climb a Small Mountain by Tom Liston was to be blunt, awful.
The gist of the article is that there's a piece of javascript malware that's using some basic obfuscation, and Tom goes describes the motions neccessary to decode the strings or more accurately to redirect output to his textarea. So what made the article so annoying? For starters Tom sets the tone of an arrogant twerp by decrying javascript as a language, bemoaning being bothered for such trivialities as decoding some dumb javascript. Additionally he both fails to give a full explanation of the encoding (granted it's simple string hex value -> ascii as done with a table) and gets a few things wrong.
I think that he's missed a few things. As pointed out in the PHP Security Blog javascript strings can't be accessed via subscript ( [ ] ) notation in Internet Explorer but can in other browsers interpreter. Also writing off this kind of obfuscation is stupid for yet another reason, it can be used to bypass signature based mechanisms such as IDS and AV. It may not be meant to keep you from taking it apart but it sure as hell could avoid an alert and keep an admin from taking action to clean up this crap. Furthermore, It is more interesting to note that the adversary is using this technique for something this simple it means that as far as web based malware is concerned that we may have more sophisticated threats on our hands. I'm probably being paranoid but it is interesting to consider.
Denouncing javascript as a toy langauage is dumb for many reasons. For starters large applications, such as Google Maps, are making significant use of the language. The whole web 2.0 thing which hype or not is based around the idea of the light weight refresh and use of javascript. Second, the browser is the interface of the masses, and every browser contains a javascript interpreter. Browsers aren't the only software with javascript, Adobe acrobat for one allows javascript in PDFs, as well as quicktime movies in the href tracks. A majority of the business conducted via computers will be through the web. Thus the large deployment of javascript interpreters plus the business ramifications make the toy language extremely important, such that to call it a toy is to trivialize it's role in the world. Third, the language has more programming language features than many of the popular scripting languages closures, and higher order functions.
All in all, I must say I'm quite disappointed.
0 comments:
Post a Comment