• Welcome to Tux Reports: Where Penguins Fly. We hope you find the topics varied, interesting, and worthy of your time. Please become a member and join in the discussions.

Proposal: Add hooking interface to JavaScript engine

T

Tosal

Flightless Bird
Hi!

As an anti-malware company we have seen a lot of Java-Script malware in the
past few months. Unfortunately most of this malware is obfuscated and makes
it hard to detect.

The idea now is to have a callback or a hook for an IE extension which
allows us to intercept some important Java Script functions like eval and
document.write during (before) or post execution. This would allow AV vendors
to plug-in an AV engine which now should have the plain JS code for scanning.
We know that this could have some impact on JS performance. However, if the
hook is set for only some specific functions it would be acceptable in our
opinion.

Refer to http://securitylabs.websense.com/content/Blogs/3198.aspx for an IE
example - they did this already (the dirty way, however).
Refer to http://adblockplus.org/blog/deobfuscating-javascript for an FF
example. However, the FF implementation is too slow.


--
--------------
Tosal

----------------
This post is a suggestion for Microsoft, and Microsoft responds to the
suggestions with the most votes. To vote for this suggestion, click the "I
Agree" button in the message pane. If you do not see the button, follow this
link to open the suggestion in the Microsoft Web-based Newsreader and then
click "I Agree" in the message pane.

http://www.microsoft.com/communitie...&dg=microsoft.public.internetexplorer.general
 
R

rob^_^

Flightless Bird
Hi Tosal,

Adding that functionality would only increase the attack vector footprint. A
savvy hacker could use vulnerabilities in your IE Addon to their advantage.

IE Enhanced security mode disables active scripting by default in the
internet zone.

Many legitimate web sites use design patterns that look similar to
techniques in use by known malware sites. Deception is and always will
probably be the #1 reason for getting 'infected'.

Regards.

"Tosal" <Tosal@discussions.microsoft.com> wrote in message
news:58A4C5CB-00BD-4D10-9B41-0F190D4EF295@microsoft.com...
> Hi!
>
> As an anti-malware company we have seen a lot of Java-Script malware in
> the
> past few months. Unfortunately most of this malware is obfuscated and
> makes
> it hard to detect.
>
> The idea now is to have a callback or a hook for an IE extension which
> allows us to intercept some important Java Script functions like eval and
> document.write during (before) or post execution. This would allow AV
> vendors
> to plug-in an AV engine which now should have the plain JS code for
> scanning.
> We know that this could have some impact on JS performance. However, if
> the
> hook is set for only some specific functions it would be acceptable in our
> opinion.
>
> Refer to http://securitylabs.websense.com/content/Blogs/3198.aspx for an
> IE
> example - they did this already (the dirty way, however).
> Refer to http://adblockplus.org/blog/deobfuscating-javascript for an FF
> example. However, the FF implementation is too slow.
>
>
> --
> --------------
> Tosal
>
> ----------------
> This post is a suggestion for Microsoft, and Microsoft responds to the
> suggestions with the most votes. To vote for this suggestion, click the "I
> Agree" button in the message pane. If you do not see the button, follow
> this
> link to open the suggestion in the Microsoft Web-based Newsreader and then
> click "I Agree" in the message pane.
>
> http://www.microsoft.com/communitie...&dg=microsoft.public.internetexplorer.general
 
You must log in or register to reply here.
Top