What is JavaScript Obfuscation and why is it a threat?

Solution 1:

Obfuscation is a means of "obscuring" the real meaning and intent of your JavaScript code. Some sites use it as an obstacle to people who want to copy/borrow their code. Other sites use it as a means to hide the actual intention of the code.

Some forms of obscuration:

  1. Automatically renaming variables to short meaningless names to make the code less readable and harder to understand.
  2. Removing all extra whitespace and line breaks so the code is one giant long line.
  3. Making parts of the code self-generating so that a first pass of the code runs to create the actual code that then runs to carry out the intended operation.
  4. Using character codes and string manipulation combined with eval rather than normal JavaScript code to construct the actual code that would run.

Obscuration is not by itself evil, but it can be used to try to hide an evil intent, and that is probably what AVG was objecting to. It detected so much obscuration that it couldn't tell if the JavaScript was attempting to do something it was trying to prevent. As such, it declared the code as unsafe by default since it can't verify that the code seems OK.

Solution 2:

Obfuscation refers to hiding the intended meaning of something.

In this case, a clearly readable JavaScript snippet, such as

window.onload = function() { alert("Hello " + username) };

can be substituted by

var _0xc5b2=["\x6F\x6E\x6C\x6F\x61\x64",
        "\x48\x65\x6C\x6C\x6F\x20"];window[_0xc5b2[0]]=
    function (){alert(_0xc5b2[1]+username);} ;

or even

eval(unescape("var%20_0xc5b2%3D%5B%22onload%22%2C%22Hello%20%22%5D%3Bwindow"+
  "%5B_0xc5b2%5B0%5D%5D%3Dfunction%20%28%29%7Balert%28_0xc5b2%5B1%5D+username"+
  "%29%3B%7D%20%3B"));

All three code snippets do the exact same thing, but only reading the first will allow you to understand its intentions easily.

Apparently, AVG attempts to understand the purpose of JavaScript code before allowing its execution. When the code is obfuscated, AVG will probably fail. Hence the warning.

That being said, some websites obfuscate their JavaScript not because of evil intentions, but to make it difficult to steal their work. Obfuscation is usually useless if used for this purpose, but the point is that obfuscation doesn't necessarily mean bad intentions.
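
Added example, not part of either answer and not how AVG or any real scanner is implemented: a static check that counts the obfuscation markers listed in Solution 1 in the three snippets from Solution 2 and recovers their string literals by text substitution, without executing anything. The helper names (`fold`, `peel`, `analyze`) and the flagging thresholds are assumptions made for illustration.

```javascript
// Added example: static triage only; the input is never executed.
// Samples are the three snippets quoted in Solution 2.
const samples = {
  plain: 'window.onload = function() { alert("Hello " + username) };',
  hexArray: String.raw`var _0xc5b2=["\x6F\x6E\x6C\x6F\x61\x64",
        "\x48\x65\x6C\x6C\x6F\x20"];window[_0xc5b2[0]]=
    function (){alert(_0xc5b2[1]+username);} ;`,
  evalUnescape: `eval(unescape("var%20_0xc5b2%3D%5B%22onload%22%2C%22Hello%20%22%5D%3Bwindow"+
  "%5B_0xc5b2%5B0%5D%5D%3Dfunction%20%28%29%7Balert%28_0xc5b2%5B1%5D+username"+
  "%29%3B%7D%20%3B"));`
};

const hexToChar = (_, h) => String.fromCharCode(parseInt(h, 16));
const count = (text, re) => (text.match(re) || []).length;
// Join adjacent literals split as "a"+"b" so one literal can be inspected.
const fold = (src) => src.replace(/"\s*\+\s*"/g, '');

// Undo the two encodings shown on the page by text substitution alone.
function peel(src) {
  let out = fold(src);
  const m = out.match(/^\s*eval\s*\(\s*unescape\s*\(\s*"([^"]*)"\s*\)\s*\)\s*;?\s*$/);
  if (m) out = m[1].replace(/%([0-9a-fA-F]{2})/g, hexToChar);
  return out.replace(/\\x([0-9a-fA-F]{2})/g, hexToChar);
}

function analyze(src) {
  const folded = fold(src);
  const decoded = peel(src);
  const report = {
    hexEscapes: count(folded, /\\x[0-9a-fA-F]{2}/g),
    percentEscapes: count(folded, /%[0-9a-fA-F]{2}/g),
    mangledNames: count(decoded, /_0x[0-9a-f]+/g),
    evalOfDecoder: /\beval\s*\(\s*(unescape|atob|decodeURIComponent)\s*\(/.test(folded),
    hiddenStrings: (decoded.match(/"[^"]*"/g) || []).map((s) => s.slice(1, -1))
  };
  // Thresholds are illustrative assumptions, not those of any real scanner.
  report.flagged = report.evalOfDecoder || report.mangledNames > 0 ||
    report.hexEscapes + report.percentEscapes > 4;
  return report;
}

for (const [name, src] of Object.entries(samples)) {
  console.log(name, JSON.stringify(analyze(src)));
}
```

Both obfuscated snippets yield the same recovered literals, `onload` and `Hello `, while the readable one is not flagged.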