Hello, welcome to the Friday, June 12th, 2020 edition of the Sandinut Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

Xavier today is talking about some of the trap doors that attackers leave behind in JavaScript code in order to make

reverse analysis more difficult.

Of course, we have talked about malware analysis reversing JavaScript quite a few times.

So a couple things that Xavier points out here is first of all, the arguments.

Dot collie dot two string method that's often used. Essentially what this does is it allows

a function to return its source code as a string. And then the attacker could check if that function was

modified by, for example, calculating a hash. Analysts often like to, for example, insert statements

to pull out certain strings that are being reassembled as part of the obfuscation process,

and modifications like this will then of course be detected. Now of course there's other ways to do this. Most modern

browsers do have developer tools and with developer tools you can set breakpoints in your JavaScript, and then you can just

watch these variables as they change, and you don't need to actually change the source code.

Well, Xavier shows how this also can get detected. Essentially, what the attacker is looking for here,

is there a console available,

which is typically enabled if you do run the code inside one of these browser-built-in

debuggers, and that's sort of how the attacker is then trying to get around this particular feature in the

browser.

And Savi actually links to some older articles by Mozilla here that go over some of these

functions.

And yes, this isn't new necessarily, but something important to keep in mind if you are analyzing JavaScript.

And recent security company that makes entire matter found sort of a neat little bug in the Windows native Facebook Messenger application.

...