Over 25% of JavaScript code is now obfuscated by a software packaging method known as ‘packers,’ which allow attackers to evade signature-based detection.
Packers are utilities that make it difficult for antivirus to detect malicious code by ‘obfuscating’ it, rendering the code unreadable and hard to debug.
JavaScript packers aren’t new threats. In 2008, they became a popular alternative to JavaScript libraries due to their ability to reduce the number of bytes downloaded per page.
“Computer hackers have taken advantage of the acceptance of these packers as suboptimal network optimization tactics and are using them as a way to evade and bypass security controls on the gateway and at the host,” SecureWorks noted.
According to a security and content delivery network provider Akamai, some of the most popular websites in the world are displaying obfuscated JavaScript due to business reasons. But it notes that packers are still a major issue for businesses, helping to spread phishing pages and malware.
At a conference in November, researchers will present a new technique that will allow firms to identify JavaScript before it gets obfuscated, “regardless of the original code.”
Instead of relying on a signature or hash, the technique detects JavaScript by the artifacts that the packer itself introduces, Akamai revealed ahead of the conference.
To demonstrate how it can profile packers, Akamai analyzed four malicious JavaScript fragments. The four turned out to be different types of code: two snippets were for phishing, one was a dropper, and another one was a Magecart scammer.
“These four examples are the output of the same unique packer functionality being used to obfuscate any given JavaScript code,” Akamai explains. “By profiling packers and their functionality, we evaluated 30,000 benign and malicious JavaScript files and were able to see that at least 25% of the malicious files used one of five profiled packer functionalities.”
According to the research conducted by Akamai, 0.5% of the top 20,000 websites on Alexa.com use packer obfuscation techniques. The company argues that obfuscation alone isn’t a strong enough signal for detecting packers, and machine learning models will need to learn to distinguish malicious code from benign code.
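To illustrate the profiling idea described above (detecting the packer's own artifacts rather than hashing the payload, and keeping generic obfuscation signals separate because they are weak on their own), here is an added example that is not Akamai's code and not from the research. The profiles, regexes and the hand-packed sample are the editor's own constructions; the `dean_edwards` profile targets the well-known `eval(function(p,a,c,k,e,d){...})` packer format, and the other two profile names are illustrative.

```javascript
// Each profile is a set of structural traits a packer leaves behind in its
// output. The hidden payload can change freely without changing those traits,
// which is why a hash of the file is useless but the profile still matches.
const PACKER_PROFILES = {
  // Dean Edwards style "p,a,c,k,e,r": eval(function(p,a,c,k,e,d){...}(...))
  dean_edwards: [
    /eval\s*\(\s*function\s*\(\s*p\s*,\s*a\s*,\s*c\s*,\s*k\s*,\s*e\s*,\s*[dr]\s*\)/,
    /\.split\s*\(\s*['"]\|['"]\s*\)/,
  ],
  // Payload decoded and evaluated in one step (hypothetical profile name)
  eval_decode: [/eval\s*\(\s*(unescape|atob|decodeURIComponent)\s*\(/],
  // Payload hidden as one very long String.fromCharCode(...) call
  charcode_blob: [/String\.fromCharCode\s*\((\s*\d+\s*,){20,}/],
};

// Return the names of every profile whose traits all appear in the source.
function profilePackers(source) {
  const hits = [];
  for (const [name, traits] of Object.entries(PACKER_PROFILES)) {
    if (traits.every((re) => re.test(source))) hits.push(name);
  }
  return hits;
}

// Generic obfuscation signal, reported separately: long dense lines are
// also produced by benign minifiers, so this alone should not raise an alert.
function obfuscationScore(source) {
  const lines = source.split('\n');
  const longestLine = Math.max(...lines.map((l) => l.length));
  const symbols = (source.match(/[^a-zA-Z0-9\s]/g) || []).length;
  return { longestLine, symbolRatio: Number((symbols / Math.max(source.length, 1)).toFixed(2)) };
}

// Constructed sample: the tiny program "var x=1;" packed by hand in the
// p,a,c,k,e,r format for this example. Not a real-world capture.
const PACKED_SAMPLE = "eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\\\b'+e(c)+'\\\\b','g'),k[c])}}return p}('0 1=2;',3,3,'var|x|1'.split('|'),0,{}))";

// Constructed benign sample for comparison.
const BENIGN_SAMPLE = "function add(a, b) {\n  return a + b;\n}\nconsole.log(add(2, 3));\n";

console.log(profilePackers(PACKED_SAMPLE), obfuscationScore(PACKED_SAMPLE));
console.log(profilePackers(BENIGN_SAMPLE), obfuscationScore(BENIGN_SAMPLE));
```

Running it reports the packed sample as a `dean_edwards` match and the benign sample as matching no profile, while the obfuscation score only says the packed line is long and symbol-dense.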