Automatic Browser Script Deobfuscation and Analysis

Jose Nazario, Ph.D., Senior Security Researcher, Arbor Networks, USA

Browser scripts have been used to much effect as a major client-side exploit delivery mechanism in 2006 and beyond, with obfuscated scripts becoming a dominant form. Scripts are encoded to prevent detection or analysis. As their frequency and complexity have risen, we have developed a set of tools to rapidly analyze both JavaScript and Visual Basic Script. We can decode the scripts and characterize their exploits using a client-side tool we dubbed "Norberto", which has been redeveloped into a client-side honeypot, "PhoneyC". This talk will discuss the code features we exploited to analyze the malicious scripts and provide information on how the tools operate.