A Crypting Service for Javascript (28 Days of Hacking: Day 1)

I sat in on a security and privacy lecture recently on the design of a drive-by-download protection system by statically and dynamically analyzing JavaScript code. The system was able to protect against 100% of the drive-by-download attempts, as well as protect against polluted data (adding extra code, just like malware authors use no-ops to bypass antiviruses). So I decided to borrow a concept from malware: crypting. My approach uses a JavaScript obfuscation library running in PHP which takes a malicious JavaScript file, obfuscates it and encrypts it using AES with some information I gather from the client computer and browser. I package the encrypted JavaScript code with a loader. This ensures the malicious code only will run on the destination computer. If it is run on any other computer, the code will not do anything. To test, I wrote a simple drive-by-download script for chrome and a Cross-Site Scripting (XSS) vulnerable site.

The injection:

A short gif of the result: