Security Best Practice: Protect Yourself from Javascript Character Manipulation Obfuscation (Fragus)

Vulnerability
Protection

Check Point Reference:	SBP-2011-08
Date Published:
Severity:
Source:	Exploit Pack
Protection Provided by:	Security Gateway R75
Who is Vulnerable? Web browsers
Vulnerability Description Exploit packs, such as Fragus, are toolkits used by cybercriminals to easily snare victims for their botnets. Solutions enabling security product bypass are often integrated within such tools.

Vulnerability Details
Although various security products provide coverage against many web vulnerabilities, such as ActiveX exploits, these known exploits could potentially bypass security products by using JavaScript obfuscation techniques. Several known JavaScript character manipulation techniques obfuscate known exploits so they will bypass security rules - since the exploits are being thoroughly obfuscated, IDS and IPS systems will not recognize them and thus will allow them to pass without any notification.

Protection Overview
This protection will detect and block Fragus based attacks which use the JavaScript character manipulation obfuscation.

To configure the defense, select your product from the list below and follow the related protection steps.

Security Gateway: R75

How Can I Protect My Network?
1. In the IPS tab, click Protections > By Protocol > IPS Software Blade > Web Intelligence > HTTP Client Protections > Obfuscation Techniques.
2. In the right pane, double-click the following protection:

Javascript Character Manipulation Obfuscation (Fragus)

3. In the Protection Details window, click on Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect), and apply Additional Settings.
4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Web Client Enforcement Violation
Attack Information: Javascript character manipulation obfuscation (Fragus)

Legal Notice for Threat Center Advisories