Improvements in malicious scripts
The authors of malicious scripts are becoming more sophisticated. According to reports from antivirus companies, they have learned and are beginning to actively apply new tricks . If earlier scripts could be neutralized easily, simply by changing the variable eval () to alert () , now the scripts use the variable callee () to block such changes. Worse, virus writers now use information from document.referrer , document.location and location.href to decode scripts optimized for a specific site. In other words, these scripts will run only under certain conditions, which makes their detection rather difficult.
Such scripts, of course, are harder to analyze. But the good news is that this practice makes life very difficult for the intruders themselves. Now they need to create a whole set of scripts: each script for a separate referrer, for example.
SANS recommends installing a small 8-line patch for SpiderMonkey , which shows all eval () arguments before they are executed. Today it is probably the best way to search for malicious scripts.
')
Such scripts, of course, are harder to analyze. But the good news is that this practice makes life very difficult for the intruders themselves. Now they need to create a whole set of scripts: each script for a separate referrer, for example.
SANS recommends installing a small 8-line patch for SpiderMonkey , which shows all eval () arguments before they are executed. Today it is probably the best way to search for malicious scripts.
')
$ / tmp / js / src $ diff jsobj.orig jsobj.c
1256a1257
> char * c;
1366a1368,1372
>
> c = js_GetStringBytes (cx-> runtime, str);
> if (file && c) {
> printf ("File% s Line% i calls eval with the following parameter: \ n% s \ n \ n", file, line, c);
>}
Source: https://habr.com/ru/post/29198/
All Articles