research-article

JSDES: An Automated De-Obfuscation System for Malicious JavaScript

Authors:
Moataz AbdelKhalek

Nile University, Egypt

Nile University, Egypt
View Profile

,
Ahmed Shosha

Nile University, Egypt

Nile University, Egypt
View Profile

ARES '17: Proceedings of the 12th International Conference on Availability, Reliability and SecurityAugust 2017Article No.: 80Pages 1–13https://doi.org/10.1145/3098954.3107009

Published:29 August 2017Publication History

ARES '17: Proceedings of the 12th International Conference on Availability, Reliability and Security

Pages 1–13

ABSTRACT

Malicious scripts used in web-based attacks have recently been reported as one of the top internet security threats. However, anti-malware solutions develop and integrate various techniques to defend against malicious scripts, attackers have been increasingly applying different counter techniques to hide their malicious intents and evade detection. One of the most popular techniques used is code obfuscation. In this research, an enhanced system is proposed to automate the process of de-obfuscating malicious JavaScript code. The proposed system was tested on real-world malicious JavaScript samples. Based on the analysis results, the cause of popularity of certain obfuscation techniques is identified. In addition, a set of improvements to the currently used malware detection techniques is proposed1.

References

J. Lecomte. Introducing the YUI Compressor. http://www.julienlecomte.net/blog/2007/08/13/introducing-the-yui-compressor/Google Scholar
M. Bazon. UglifyJS. http://lisperator.net/uglifyjs/Google Scholar
D. Edwards. Dean Edwards Packer. http://dean.edwards.name/packer/Google Scholar
JavaScript Obfuscator. http://javascriptobfuscator.com/Google Scholar
Online JavaScript beautifier: http://jsbeautifier.org/Google Scholar
Mozilla SpiderMonkey https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkeyGoogle Scholar
"arguments.callee" function: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Functions/arguments/calleeGoogle Scholar
Kaspersky Security Bulletin 2015 Overall Statistics: https://securelist.com/analysis/kaspersky-security-bulletin/73038/kaspersky-security-bulletin-2015-overall-statistics-for-2015/Google Scholar
Symantec: Internet Security Threat Report https://www.symantec.com/content/dam/symantec/docs/reports/istr-21-2016-en.pdfGoogle Scholar
SANS: "arguments.callee" function: http://isc.sans.edu/diary.html?storyid=3231Google Scholar
SANS: dynamic JavaScript obfuscation: http://isc.sans.edu/diary.html?storyid=3219Google Scholar
SANS: a story on JavaScript deobfuscation: http://isc.sans.edu/diary.html?storyid=1519Google Scholar
SANS: JavaScript Deobfuscation Tool https://secure.dshield.org/forums/diary/JavaScript+Deobfuscation+Tool/20619/Google Scholar
SANS: More Malicious JavaScript Obfuscation https://isc.sans.edu/forums/diary/More+Malicious+JavaScript+Obfuscation/20703/Google Scholar
VirusTotal: https://www.virustotal.com/en/about/Google Scholar
Seshagiri, P., Vazhayil, A. and Sriram, P., 2016. AMA: Static Code Analysis of Web Page for the Detection of Malicious Scripts. Procedia Computer Science, 93, pp. 768--773.Google ScholarCross Ref
Wang, Y., Cai, W.D. and Wei, P.C., 2016. A deep learning approach for detecting malicious JavaScript code. Security and Communication Networks. Wiley Online Library. Google ScholarDigital Library
Kejriwal, N.G. and Judge, P., Barracuda Networks, Inc., 2014. Method for detecting malicious javascript. U.S. Patent 8,789,178.Google Scholar
Xu, W., Zhang, F. and Zhu, S., 2013, February. JStill: mostly static detection of obfuscated malicious JavaScript code. In Proceedings of the third ACM conference on Data and application security and privacy (pp. 117--128). ACM. Google ScholarDigital Library
Su, J., Yoshioka, K., Shikata, J. and Matsumoto, T., 2016, May. An efficient method for detecting obfuscated suspicious JavaScript based on text pattern analysis. In Proceedings of the 2016 ACM International on Workshop on Traffic Measurements for Cybersecurity (pp. 3--11). ACM. Google ScholarDigital Library
Kim, K., Kim, I.L., Kim, C.H., Kwon, Y., Zheng, Y., Zhang, X. and Xu, D., 2017, April. J-Force: Forced Execution on JavaScript. In Proceedings of the 26th International Conference on World Wide Web (pp. 897--906). International World Wide Web Conferences Steering Committee. Google ScholarDigital Library
Aebersold, S., Kryszczuk, K., Paganoni, S., Tellenbach, B. and Trowbridge, T., 2016, May. Detecting Obfuscated JavaScripts using Machine Learning. In The 11th International Conference on Internet Monitoring and Protection (ICIMP). IARIA.Google Scholar
Likarish, P. and Jung, E., 2009, November. A targeted web crawling for building malicious javascript collection. In Proceedings of the ACM first international workshop on Data-intensive software management and mining (pp. 23--26). ACM. Google ScholarDigital Library
Kishore, K.R., Mallesh, M., Jyostna, G., Eswari, P.R.L. and Sarma, S.S., 2014, February. Browser JS Guard: Detects and defends against Malicious JavaScript injection based drive by download attacks. In Applications of Digital Information and Web Technologies (ICADIWT), 2014 Fifth International Conference on the (pp. 92--100). IEEE.Google Scholar
Sachin, V. and Chiplunkar, N.N., 2012, April. SurfGuard JavaScript instrumentation-based defense against Drive-by downloads. In Recent Advances in Computing and Software Systems (RACSS), 2012 International Conference on (pp. 267--272). IEEE.Google Scholar
Kolisar, 2008. Whitespace: A different Approach to JavaScript Obfuscation. DEFCON 16, August, 2008. https://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-kolisar.pdfGoogle Scholar
I. You and K. Yim, 2010, November. Malware obfuscation techniques: A brief survey. International Broadband, Wireless Computing, Communication and Applications (BWCCA), 2010 International Conference on (pp. 297--300). Fukuoka, 2010. IEEE. Google ScholarDigital Library
Howard, F., 2010. Malware with your Mocha. Obfuscation and antiemulation tricks in malicious JavaScript. Sophos Lab.Google Scholar
Xu, W., Zhang, F. and Zhu, S., 2012, October. The power of obfuscation techniques in malicious JavaScript code: A measurement study. In Malicious and Unwanted Software (MALWARE), 2012 7th International Conference on (pp. 9--16). IEEE. Google ScholarDigital Library
Feinstein, B., Peck, D. and SecureWorks, I., 2007. Caffeine monkey: Automated collection, detection and analysis of malicious javascript. Black Hat USA, 2007.Google Scholar
Cova, M., Kruegel, C. and Vigna, G., 2010, April. Detection and analysis of drive-by-download attacks and malicious JavaScript code. In Proceedings of the 19th international conference on World wide web (pp. 281--290). ACM. Google ScholarDigital Library
Likarish, P., Jung, E. and Jo, I., 2009, October. Obfuscated malicious javascript detection using classification techniques. In Malicious and Unwanted Software (MALWARE), 2009 4th International Conference on (pp. 47--54). IEEE.Google Scholar
Kaplan, S., Livshits, B., Zorn, B., Seifert, C. and Curtsinger, C., 2011. nofus: Automatically detecting. string. fromcharcode (32)+" obfuscated". tolowercase ()+" javascript code". Technical Report MSR-TR-2011-57, Microsoft Research.Google Scholar
Rieck, K., Krueger, T. and Dewald, A., 2010, December. Cujo: efficient detection and prevention of drive-by-download attacks. In Proceedings of the 26th Annual Computer Security Applications Conference (pp. 31--39). ACM. Google ScholarDigital Library
Kim, B.I., Im, C.T. and Jung, H.C., 2011. Suspicious malicious web site detection with strength analysis of a javascript obfuscation. International Journal of Advanced Science and Technology, 26, pp. 19--32.Google Scholar
Choi, Y., Kim, T., Choi, S. and Lee, C., 2009, December. Automatic detection for javascript obfuscation attacks in web pages through string pattern analysis. In International Conference on Future Generation Information Technology (pp. 160--172). Springer Berlin Heidelberg. Google ScholarDigital Library
Ratanaworabhan, P., Livshits, V.B. and Zorn, B.G., 2009, August. NOZZLE: A Defense Against Heap-spraying Code Injection Attacks. In USENIX Security Symposium (pp. 169--186). Google ScholarDigital Library
Curtsinger, C., Livshits, B., Zorn, B.G. and Seifert, C., 2011, August. ZOZZLE: Fast and Precise In-Browser JavaScript Malware Detection. In USENIX Security Symposium (pp. 33--48). Google ScholarDigital Library
Guarnieri, S. and Livshits, V.B., 2009, August. GATEKEEPER: Mostly StaticEnforcement of Security and Reliability Policies for JavaScript Code. In USENIX Security Symposium (Vol. 10, pp. 78--85). Google ScholarDigital Library
Serrão, C. and Rocha, D., SECURE AND TRUSTWORTHY REMOTE JAVASCRIPT EXECUTION. e-Society 2016, p.39.Google Scholar
B. Harstein., JSunpack http://jsunpack.jeek.org/Google Scholar
S. Chenette., The ultimate deobfuscator. http://securitylabs.websense.com/content/Blogs/3198.aspx.Google Scholar
JS/Nemucod https://www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=JS/NemucodGoogle Scholar
P. Ferrie, Read the transcript, Virus Bulletin 2013. https://www.virusbtn.com/virusbulletin/archive/2013/05/vb201305-TranscriptGoogle Scholar
Di Troia, F., Visaggio, C.A., Austin, T.H. and Stamp, M., 2016, October. Advanced transcriptase for JavaScript malware. In Malicious and Unwanted Software (MALWARE), 2016 11th International Conference. IEEE.Google Scholar

Index Terms

JSDES: An Automated De-Obfuscation System for Malicious JavaScript
1. Security and privacy
  1. Intrusion/anomaly detection and malware mitigation
    1. Malware and its mitigation

Recommendations

Detecting metamorphic malwares using code graphs
SAC '10: Proceedings of the 2010 ACM Symposium on Applied Computing

Malware writers and detectors have been running an endless battle. Self-defense is the weapon most malware writers prepare against malware detectors. Malware writers have tried to evade the improved detection techniques of anti-virus(AV) products. ...
Read More
Renovo: a hidden code extractor for packed executables
WORM '07: Proceedings of the 2007 ACM workshop on Recurring malcode

As reverse engineering becomes a prevalent technique to analyze malware, malware writers leverage various anti-reverse engineering techniques to hide their code. One technique commonly used is code packing as packed executables hinder code analysis. ...
Read More
MalGene: Automatic Extraction of Malware Analysis Evasion Signature
CCS '15: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security

Automated dynamic malware analysis is a common approach for detecting malicious software. However, many malware samples identify the presence of the analysis environment and evade detection by not performing any malicious activity. Recently, an approach ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in

ARES '17: Proceedings of the 12th International Conference on Availability, Reliability and Security
August 2017
853 pages
ISBN:9781450352574
DOI:10.1145/3098954

Copyright © 2017 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 29 August 2017
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
Code Obfuscation
Malicious JavaScript
Malware Analysis
Web Attacks
Qualifiers
- research-article
- Research
- Refereed limited
Conference

Acceptance Rates
ARES '17 Paper Acceptance Rate100of191submissions,52%Overall Acceptance Rate228of451submissions,51%
More
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 9
  Total Citations
  View Citations
- 441
  Total Downloads
- Downloads (Last 12 months)60
- Downloads (Last 6 weeks)4
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

JSDES: An Automated De-Obfuscation System for Malicious JavaScript

ARES '17: Proceedings of the 12th International Conference on Availability, Reliability and Security

ABSTRACT

References

Cited By

Index Terms

Recommendations

Detecting metamorphic malwares using code graphs

Renovo: a hidden code extractor for packed executables

MalGene: Automatic Extraction of Malware Analysis Evasion Signature

Comments

Login options

Full Access

Published in

Sponsors

In-Cooperation

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Conference

Acceptance Rates

Funding Sources

Other Metrics

Article Metrics

Other Metrics

Cited By

PDF Format

eReader

Digital Edition

Caption

JSDES: An Automated De-Obfuscation System for Malicious JavaScript

ARES '17: Proceedings of the 12th International Conference on Availability, Reliability and Security

ABSTRACT

References

Cited By

Index Terms

Recommendations

Detecting metamorphic malwares using code graphs

Renovo: a hidden code extractor for packed executables

MalGene: Automatic Extraction of Malware Analysis Evasion Signature

Comments

Login options

Full Access

Published in

Sponsors

In-Cooperation

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Conference

Acceptance Rates

Funding Sources

Article Metrics

Other Metrics

PDF Format

eReader

Digital Edition

Share this Publication link

Share on Social Media