29

AVG was recently telling me that a webpage was blocked because of JavaScript Obfuscation.

Why was the webpage blocked and what exactly does that mean?

Dennis
  • 48,917
  • 12
  • 130
  • 149
L84
  • 3,811
  • 22
  • 56
  • 85
  • See also: [How, exactly, does a Facebook worm work?](http://webapps.stackexchange.com/questions/15011/how-exactly-does-a-facebook-worm-work/15013#15013) – slhck Apr 28 '12 at 18:18

2 Answers2

38

Obfuscation is a means of "obscuring" the real meaning and intent of your javascript code. Some sites use it as an obstacle to people who want to copy/borrow their code. Other sites use it as a means to hide the actual intention of the code.

Some forms of obscuration:

  1. Automatically renaming variables to short meaningless names to make the code less readable and harder to understand.
  2. Removing all extra whitespace and line breaks so the code is one giant long line.
  3. Making parts of the code self-generating so that a first pass of the code runs to create the actual code that then runs to carry out the intended operation.
  4. Uses character codes and string manipulation combined with eval rather than normal javascript code to construct the actual code that would run.

Obscuration is not by itself evil, but it can be used to try to hide an evil intent and that is probably what AVG was objecting to. It detected so much obscuration that it couldn't tell if the javascript was attempting to do something it was trying to prevent. As such, it declared the code as unsafe by default since it can't verify that the code seems OK.

jfriend00
  • 651
  • 5
  • 10
  • That is what I thought but wanted to verify. Thanks for the clarification. – L84 Apr 28 '12 at 18:20
  • IF AVG is blocking access to a well known, reputable web site, you can probably override it. I wouldn't suggest that if you don't know the sites rep. – uSlackr Apr 28 '12 at 18:21
  • 4
    Some sites use js compression so it load faster (well amost everybody), the code will look obfuscated. – jcubic Apr 28 '12 at 20:50
  • 9
    `1` and `2` are also done by javascript compressors. Compressors obfuscate the code as a side-effect, but that is not their main purpose; their main-purpose is to make the javascript smaller, to reduce bandwidth. – BlueRaja - Danny Pflughoeft Apr 28 '12 at 20:59
  • 5. It is also used to compress JS files for faster downloads. Yahoo's done it since they've been on the web, and Google's tools for creating web applications also do it (like GMail and Calendar). – Chloe Apr 29 '12 at 00:56
  • @Chloe - a side effect of compression is some obfuscation (names are shortened to their shortest possible names, whitespace removed, etc...), but compression doesn't have a goal of making the code hard to read. – jfriend00 Apr 29 '12 at 01:03
  • It all boils down to this simple axiom: you can't use a computer to detect human intent reliably. But this is pretty ridiculous. There isn't a JS library out there that doesn't come with a minified/compressed version. It's a pretty pervasive practice. Just look at the JS loaded by this very page. – Alexios Apr 29 '12 at 11:45
  • @Alexios - who said that AVG was objecting to minification - I rather doubt that because as you say, it would be objecting to most production web sites. It's probably objecting to one of the other forms of obscuration that is less likely to have a practical purpose and more likely to have a deceptive purpose. – jfriend00 Apr 29 '12 at 15:38
  • @jcubic - I believe the point that jfriend00 makes is minifying or compressing a code will look obfuscated but AVG can read it normally and can tell there is no threat. It is when a code is hard to read that AVG throws warning flags. – L84 Apr 29 '12 at 16:29
13

Obfuscation refers to hiding the intended meaning of something.

In this case, a clearly readable JavaScript snippet, such as

window.onload = function() { alert("Hello " + username) };

can be substituted by

var _0xc5b2=["\x6F\x6E\x6C\x6F\x61\x64",
        "\x48\x65\x6C\x6C\x6F\x20"];window[_0xc5b2[0]]=
    function (){alert(_0xc5b2[1]+username);} ;

or even

eval(unescape("var%20_0xc5b2%3D%5B%22onload%22%2C%22Hello%20%22%5D%3Bwindow"+
  "%5B_0xc5b2%5B0%5D%5D%3Dfunction%20%28%29%7Balert%28_0xc5b2%5B1%5D+username"+
  "%29%3B%7D%20%3B"));

All three code snippets do the exact same thing, but only reading the first will allow you to understand its intentions easily.

Apparently, AVG attempts to understand the purpose of JavaScript code before allowing its execution. When the code is obfuscated, AVG will probably fail. Hence the warning.

That being said, some websites obfuscate their JavaScript not because of evil intentions, but to make it difficult to steal their work. Obfuscation is usually useless if used for this purpose, but the point is that obfuscation doesn't necessarily mean bad intentions.

Dennis
  • 48,917
  • 12
  • 130
  • 149
  • 3
    Though as I've often found, deobfusticating code has often shown me it hides evilly coded javascript not worth stealing. It's a sign the programmer spends more time worrying about theft than proper programming technique and can't even get the obfustication right so it's easily cracked. The only people who put time into making code really hard to deobfusticate are malware programmers, which is why AVG flags it as a really good reason to avoid the site. – Fiasco Labs Apr 28 '12 at 19:24
  • 2
    AVG is a machine, not a human. Obviously, a machine can understand the code, which is how that code does the same thing. Moreover, people don't usually look at Javascript when they surf. This is simply a case of "guilt by association". Some Javascript which is dangerous uses certain patterns of obfuscation. Therefore, other Javascript with similar patterns is suspicious. – Kaz Apr 28 '12 at 22:00
  • @Kaz: It was just an example, but there are more sophisticated methods of obfuscation that require a JavaScript engine to be understood. Malware scanners usually search for certain patterns instead of executing the scripts, for performance reasons. – Dennis Apr 28 '12 at 22:07
  • being theoretically worthless and practically worthless are different - theoretically, obfuscating code is useless, agreed. But, if the cost of deobfuscating is similar to the cost of creating novel code (or even, the cost becomes high enough to deter lazy thieves), then obfuscation to prevent wanton theft could be beneficial. – Ronald Apr 28 '12 at 22:23
  • Exactly, so what is at issue is not obfuscation *per se*, but the code's similarity to known malicious code. – Kaz Apr 28 '12 at 22:31
  • @Ronald: If you're code isn't worth deobfuscating, there probably was no reason to obfuscate it in the first place. – Dennis Apr 28 '12 at 22:37
  • @Kaz: Yes, but the *I can't test this code against known patterns, so I'll assume it's evil.* approach just begs for false positives. – Dennis Apr 28 '12 at 22:40
  • @FiascoLabs, those aren't the only people. I learned a new term called code golf, which tries to make a program as short as possible. See http://codegolf.stackexchange.com/ – Chloe Apr 29 '12 at 01:04