Proventia Network IPS, Proventia Desktop, RealSecure Network, RealSecure Server Sensor, Proventia-G 1.1 and earlier, Proventia Network IDS, Proventia Network MFS, IBM Security Server Protection for Windows, Proventia Server IPS for Linux technology, Virtual Server Protection for VMware:
This signature detects the transfer of a file containing JavaScript code that tries to obfuscate an escaped character.
It is not possible to determine whether the code that triggers this event is malicious; it may be well-formed obfuscated code designed to hide intellectual property.
When the same sequence of data triggers more serious events such as JavaScript_Shellcode_Detected or JavaScript_NOOP_Splitting, this event is not reported in addition to those events.
Low
Proventia Network IPS: XPU 29.090, Proventia Desktop: 2430, RealSecure Network: XPU 29.090, RealSecure Server Sensor: XPU 29.090, Proventia-G 1.1 and earlier: XPU 29.090, Proventia Network IDS: XPU 29.090, Proventia Network MFS: XPU 29.090, IBM Security Server Protection for Windows: 2.1.14.2430, IBM Security Server Protection for Windows: 1.0.914.2430, IBM Security Server Protection for Windows: 2.0.300.2430, Proventia Server IPS for Linux technology: 29.090, Virtual Server Protection for VMware: 1.0
Microsoft Windows XP, Microsoft Windows 2000: SP4, Microsoft Windows 2003
Suspicious Activity
This signature detects the construction of an escaped character string representing a no-op opcode, where the obfuscation splits the string between the digits within a single byte and concatenates the pieces.
No remedy available as of December 4, 2010.
ISS X-Force
Javascript byte splitting
http://www.iss.net/security_center/static/52914.php