The authors of malicious scripts are becoming more sophisticated. According to reports from antivirus companies, they have learned and are beginning to actively apply new tricks. Earlier scripts could be neutralized easily, simply by changing eval() to alert(); now the scripts use callee to block such changes. Worse, virus writers now use information from document.referrer, document.location and location.href to decode scripts optimized for a specific site. In other words, these scripts will run only under certain conditions, which makes their detection rather difficult.
Such scripts, of course, are harder to analyze. But the good news is that this practice makes life very difficult for the intruders themselves. Now they need to create a whole set of scripts: a separate script for each referrer, for example.
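An added example, not code from the original post or from SANS: a minimal Node.js harness that runs a script unmodified, with eval shadowed by a logging hook and with analyst-supplied document.referrer and location.href, and shows that the same script decodes to readable code only for the matching referrer. The sample script, the payload string and the URLs are constructed and harmless; the names analyze, keyFrom and evalHook are assumptions of this example.

```javascript
// Added example. PAYLOAD, RIGHT_REFERRER and SAMPLE are constructed and harmless.
const PAYLOAD = 'document.title = "decoded";';
const RIGHT_REFERRER = 'http://portal.example/';

// Sum of character codes mod 256: the one-byte key the sample derives.
function keyFrom(s) {
  let k = 0;
  for (const ch of s) k = (k + ch.charCodeAt(0)) & 0xff;
  return k;
}

// Build the sample: PAYLOAD XOR-encoded with the key of RIGHT_REFERRER.
const blob = Array.from(PAYLOAD, (ch) => ch.charCodeAt(0) ^ keyFrom(RIGHT_REFERRER));
const SAMPLE = `
  var blob = [${blob.join(',')}], r = document.referrer, k = 0, out = '';
  for (var i = 0; i < r.length; i++) k = (k + r.charCodeAt(i)) & 0xff;
  for (var j = 0; j < blob.length; j++) out += String.fromCharCode(blob[j] ^ k);
  eval(out);
`;

// Run `source` unmodified with eval, document and location shadowed by
// analyst-controlled values. The hook records each eval argument and does
// not execute it. This is not an isolation boundary: anything else the
// script does still runs in this process.
function analyze(source, ctx) {
  const seen = [];
  const evalHook = (arg) => { seen.push(String(arg)); };
  const location = { href: ctx.href };
  const document = { referrer: ctx.referrer, location };
  try {
    new Function('eval', 'document', 'location', source)(evalHook, document, location);
  } catch (err) {
    seen.push('[script threw: ' + err.message + ']');
  }
  return seen;
}

// Same script, two contexts: only the matching referrer yields readable code.
for (const referrer of [RIGHT_REFERRER, '']) {
  const args = analyze(SAMPLE, { referrer, href: 'http://site.example/page' });
  console.log(JSON.stringify(referrer), '->', JSON.stringify(args));
}
```

Because the script text is never edited, a check the script makes on its own source sees the original; an empty referrer, as when the file is opened directly, produces only undecodable bytes in the log.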
SANS recommends installing a small 8-line patch for SpiderMonkey, which shows all eval() arguments before they are executed. Today it is probably the best way to search for malicious scripts.
$ /tmp/js/src$ diff jsobj.orig jsobj.c
1256a1257
> char * c;
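Review bot: the declaration added at 1257 gives the pointer a one-letter name, no initializer and no comment. Since it exists only for the debug trace, initializing it to NULL and naming it for its purpose (for example eval_arg) would make the patch easier to re-apply and harder to misuse elsewhere in the function.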
1366a1368,1372
>
> c = js_GetStringBytes (cx-> runtime, str);
> if (file && c) {
> printf ("File% s Line% i calls eval with the following parameter: \ n% s \ n \ n", file, line, c);
>}
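Review bot: the guard if (file && c) at 1368-1372 skips the trace whenever file is NULL, so an eval call that carries no file information still executes without its argument being shown, which is the case an analyst can least afford to miss. Consider testing only c and printing a placeholder for the missing file name. Writing the trace with fprintf to stderr would also keep it separate from the script's own output.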