ABSTRACT
Malicious scripts used in web-based attacks have recently been reported as one of the top internet security threats. However, as anti-malware solutions develop and integrate various techniques to defend against malicious scripts, attackers have increasingly applied counter-techniques to hide their malicious intent and evade detection. One of the most popular of these techniques is code obfuscation. In this research, an enhanced system is proposed to automate the process of de-obfuscating malicious JavaScript code. The proposed system was tested on real-world malicious JavaScript samples. Based on the analysis results, the cause of the popularity of certain obfuscation techniques is identified. In addition, a set of improvements to currently used malware detection techniques is proposed.
JSDES: An Automated De-Obfuscation System for Malicious JavaScript