Evasion Techniques: Encoded JavaScript Attacks PDF Files

Last week I kicked off a series of blogs with a discussion of how an effective IPS solution can fight obfuscation techniques by malware. This week, we’ll look at how JavaScript poses a danger when combined with PDF files.

One of the easiest and most powerful ways to customize PDF files is by using JavaScript. JavaScript in PDF files implements objects, methods, and properties that enable one to manipulate PDFs, produce database-driven PDFs, modify the appearance of PDFs, and much more. However, one effective method for evading detection systems is to use malicious JavaScript code.

Malicious JavaScript in PDFs is usually encoded in different ways to bypass detection by intrusion prevention system (IPS) engines. The highlighted portion in the packet capture below shows the garbled values that represent the injected malicious JavaScript.


What kind of detection system can spot these attacks?

There are various forms of obfuscation: encoding can be coupled with concatenation, calculation techniques (transforming bytes or values), and shellcode hidden in otherwise irrelevant buffers. These techniques make it hard to detect malicious traffic in a data packet. Generally, if no obfuscation is involved, the IPS engine can perform static analysis on the traffic and find malicious patterns. If the payload is encoded, however, a static-analysis engine cannot detect the presence of malicious JavaScript because pattern matching becomes ineffective. Thus the IPS engine must perform deep parsing to decode the packets and then run static analysis that looks for patterns. It is also crucial for the detection engine to execute the complete JavaScript code to obtain the decoded original payload and clearly determine any malicious activity. Any security solution without these capabilities will be subject to evasion by obfuscation.
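As an added illustration (not code from this post or from NSP), the following Python script walks the decoding chain the paragraph describes on a constructed PDF fragment: it inflates FlateDecode streams, pulls out the /JS action, statically peels the concatenation, unescape() and eval() layers, and shows that the script's API call is only matchable after decoding. The PDF fragment, the script inside it and both pattern lists are constructed for this example.

```python
import re, zlib
# Constructed sample (not real malware): a minimal PDF whose OpenAction runs JavaScript
# from a FlateDecode stream; the script layers "a"+"b", unescape() and eval() as the post describes.
INNER_JS = b'eval(unescape("%61%70%70%2e" + "%61%6c%65%72%74%28%31%29"));'
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
              b"2 0 obj << /S /JavaScript /JS 3 0 R >> endobj\n"
              b"3 0 obj << /Filter /FlateDecode >> stream\n" + zlib.compress(INNER_JS)
              + b"\nendstream endobj\n")
OBFUSCATION = ["eval(", "unescape(", "String.fromCharCode"]  # visible in the raw script
API_CALLS = ["app.alert(", "app.launchURL("]                   # visible only once decoded

def inflate_streams(pdf: bytes) -> bytes:
    """Replace each zlib-compressed stream body with its decompressed bytes."""
    def _inflate(m):
        try:  # decompressobj tolerates a checksum byte swallowed by the \r? below
            return b"stream\n" + zlib.decompressobj().decompress(m.group(1)) + b"\nendstream"
        except zlib.error:
            return m.group(0)  # not Flate-encoded: leave it untouched
    return re.sub(rb"stream\r?\n(.*?)\r?\nendstream", _inflate, pdf, flags=re.S)
def extract_js(pdf: bytes) -> list:
    """Collect /JS payloads written as <hex strings> or as references to stream objects."""
    pdf, found = inflate_streams(pdf), []
    for hexstr, ref in re.findall(rb"/JS\s*(?:<([0-9A-Fa-f\s]*)>|(\d+)\s+0\s+R)", pdf):
        if hexstr:  # PDF hex string: one byte per pair of hex digits
            found.append(bytes.fromhex(hexstr.decode()).decode("latin-1"))
        else:       # indirect object: take the (already inflated) stream body
            obj = re.search(rb"\n" + ref + rb" 0 obj.*?stream\n(.*?)\nendstream", pdf, re.S)
            if obj:
                found.append(obj.group(1).decode("latin-1"))
    return found
def deobfuscate(js: str, rounds: int = 5) -> str:
    """Statically peel "a"+"b" concatenation, unescape() of %XX/%uXXXX and eval()."""
    def unesc(m):  # the literal unescape() would have produced from its argument
        return '"' + re.sub(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})",
                            lambda e: chr(int(e.group(1) or e.group(2), 16)), m.group(1)) + '"'
    for _ in range(rounds):  # bounded; a real engine executes the script instead
        prev = js
        js = re.sub(r'"([^"]*)"\s*\+\s*"([^"]*)"', r'"\1\2"', js)
        js = re.sub(r'unescape\("([^"]*)"\)', unesc, js)
        js = re.sub(r'eval\("([^"]*)"\)', r"\1", js)
        if js == prev:
            break
    return js
def scan(pdf: bytes) -> dict:
    """Obfuscation markers in the raw script, API calls that appear only after decoding."""
    report = {"raw_indicators": [], "decoded_calls": []}
    for js in extract_js(pdf):
        report["raw_indicators"] += [p for p in OBFUSCATION if p in js]
        report["decoded_calls"] += [p for p in API_CALLS if p in deobfuscate(js)]
    return report
```

Running `scan(SAMPLE_PDF)` reports the eval/unescape markers from the raw script and the `app.alert(` call that a plain signature match on the encoded bytes would never see.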

McAfee’s Network Security Platform (NSP) can decode the encoded traffic and raise an alert if the encountered pattern seems malicious.

How McAfee’s NSP detects encoded malicious JavaScript

When traffic passes through McAfee’s IPS engine, the encoded JavaScript is automatically decoded and executed by the NSP, which checks for any known malicious traffic. If NSP encounters malicious content, it alerts the administrators and stands ready to perform any action they choose. Our encoded JavaScript sample is decoded by NSP as shown below:


Decoding encoded traffic and analyzing it for malicious JavaScript is an essential feature of IPS products. McAfee’s NSP 7.x does this. More enhancements to improve detection of encoded malicious JavaScript will be added to NSP 7.5; watch for updates on this blog.

Special thanks to Chong Xu, Director of IPS Research, for his assistance with this post.



Twitter looks to add two-factor authentication to stop password hacks

Twitter is looking to add another layer of protection to its user authentication. After at least 250,000 account passwords were compromised in an attack against its service last week, Twitter apparently plans to implement two-factor authentication as an option to help users better protect their accounts—or at least it's hiring people to help do that.

In a job listing posted by Twitter this week, the company seeks software engineers to develop "user-facing security features, such as multifactor authentication and fraudulent login detection." When contacted by Ars, a representative for Twitter said the company has no specific details to share about its plans at this time.

Twitter currently uses OAuth as the authentication protocol for applications (mobile apps and other Web services), which prevents attackers from recording and replaying session information to hijack open user sessions. For direct user authentication, Twitter uses Secure Sockets Layer (SSL) encryption to pass user credentials from Web browsers and other Twitter clients.


International Standards, Reference Models and Publications Quick Guide


Van Haren Publishing recently published their 2012-2013 Global Standards and Publications book free online for all to use.

I look at this book as a quick guide or primer to the global landscape of standards. The purpose isn't to give you deep knowledge of each one, but rather an overview of the standards you can leverage in your day-to-day architecture efforts. As seen in frameworks like TOGAF, where the first step is to "Select Reference Models", this is one list you can pull from to see whether there is anything to reuse, so you don't have to go into the "think tank" and reinvent a practice, standard or tool that has already been vetted in the community.

This book does a great job pulling in emerging standards and even some of the lesser-known ones from around the globe. Below is a list of the standards covered in the book:

  • Agile
  • Amsterdam Information Management Model (AIM)
  • ArchiMate®
  • ASL®
  • Balanced Scorecard
  • BiSL®
  • CATS CM®
  • CMMI®
  • COBIT®
  • EFQM
  • eSCM-CL
  • eSCM-SP
  • Frameworx
  • ICB®
  • ISO 9001
  • ISO 14000
  • ISO/IEC 15504
  • ISO/IEC 27000 series
  • ISO 31000
  • ISO 38500
  • ISO/IEC 20000
  • ITIL®
  • Lean management
  • M_o_R®
  • MoP™
  • MSP®
  • P3O®
  • PMBOK® Guide
  • PRINCE2®
  • SABSA®
  • Scrum
  • Six Sigma
  • SqEME®
  • TMap® NEXT
  • TOGAF®


Download the publication here:




Syrian Regime’s Opposition Gains Phishers’ Sympathy

Contributor: Avdhoot Patil

Recently, cybercriminals have been focusing on the conflict in Syria, incorporating current events into their campaigns. In December 2012, phishers mimicked the website of a well-known organization in the Gulf with the motive of stealing users' email login credentials. The phishing site asked users to support the Syrian opposition by casting their vote against the Syrian regime. The phishing pages were in Arabic and the phishing site was hosted on servers based in Dallas, Texas, United States.

The phishing site asked users whether they wanted to criminalize the Syrian regime for the murder of innocent people. As seen in the image below, options were provided to agree or disagree. If the agree option was selected, the phishing site prompted users to select their email service provider from a list of four popular providers and then log in to cast their vote.

Figure 1. Consent to criminalize Syrian regime

Figure 2. Email service provider choice

After the login credentials for the chosen email service provider had been entered, the phishing site redirected to an acknowledgement page. The acknowledgement stated that the voting process was successful and that the results would be displayed on January 1, 2013.

Figure 3. Vote acknowledgement page

Phishers relied on the sentiments of a vast number of people in Syria and the rest of the Arab world who are fighting against the Syrian regime. Phishers believe that targeting a large number of users leads to more duped users. If users fell victim to the phishing site, phishers would have successfully stolen their information for identity theft.

Internet users are advised to follow best practices to avoid phishing attacks:

  • Do not click on suspicious links in email messages
  • Do not provide any personal information when answering an email
  • Do not enter personal information in a pop-up page or screen
  • Ensure the website is encrypted with an SSL certificate by looking for the padlock, ‘https’, or the green address bar when entering personal or financial information
  • Update your security software (such as Norton Internet Security 2012) frequently; it protects you from online phishing