Skip to main content
SpringerLink
Log in

JSLess: A Tale of a Fileless Javascript Memory-Resident Malware

  • Conference paper
  • First Online:
Information Security Practice and Experience (ISPEC 2019)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 11879))

Abstract

New computing paradigms, modern feature-rich programming languages and off-the-shelf software libraries enabled the development of new sophisticated malware families. Evidence of this phenomena is the recent growth of fileless malware attacks. Fileless malware or memory resident malware is an example of an Advanced Volatile Threat (AVT). In a fileless malware attack, the malware writes itself directly onto the main memory (RAM) of the compromised device without leaving any trace on the compromised device’s file system. For this reason, fileless malware presents a difficult challenge for traditional malware detection tools and in particular signature-based detection. Moreover, fileless malware forensics and reverse engineering are nearly impossible using traditional methods. The majority of fileless malware attacks in the wild take advantage of MS PowerShell, however, fileless malware are not limited to MS PowerShell. In this paper, we designed and implemented a fileless malware by taking advantage of new features in Javascript and HTML5. The proposed fileless malware could infect any device that supports Javascript and HTML5. It serves as a proof-of-concept (PoC) to demonstrate the threats of fileless malware in web applications. We used the proposed fileless malware to evaluate existing methods and techniques for malware detection in web applications. We tested the proposed fileless malware with several free and commercial malware detection tools that apply both static and dynamic analysis. The proposed fileless malware bypassed all the anti-malware detection tools included in our study. In our analysis, we discussed the limitations of existing approaches/tools and suggested possible detection and mitigation techniques.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Adas, H., Shetty, S., Tayib, W.: Scalable detection of web malware on smartphones. In: 2015 International Conference on Information and Communication Technology Research (ICTRC), pp. 198–201, May 2015

    Google Scholar 

  2. AL-Taharwa, I.A., et al.: RedJsod: a readable JavaScript obfuscation detector using semantic-based analysis. In: 2012 IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications, pp. 1370–1375, June 2012

    Google Scholar 

  3. Arias, D.: Speedy introduction to web workers, August 2018. https://auth0.com/blog/speedy-introduction-to-web-workers/

  4. Barkly. The 2017 state of endpoint security risk (2017). https://www.barkly.com/ponemon-2018-endpoint-security-risk

  5. Blanc, G., Miyamoto, D., Akiyama, M., Kadobayashi, Y.: Characterizing obfuscated JavaScript using abstract syntax trees: experimenting with malicious scripts. In: 2012 26th International Conference on Advanced Information Networking and Applications Workshops, pp. 344–351, March 2012

    Google Scholar 

  6. Cosovan, D., Benchea, R., Gavrilut, D.: A practical guide for detecting the Java script-based malware using hidden Markov models and linear classifiers. In: 2014 16th International Symposium on Symbolic and Numeric Algorithms for Scientific Computing, pp. 236–243, September 2014

    Google Scholar 

  7. Google Developers. Introduction to service worker—web, May 2019. https://developers.google.com/web/ilt/pwa/introduction-to-service-worker

  8. Fang, Y., Huang, C., Liu, L., Xue, M.: Research on malicious JavaScript detection technology based on LSTM. IEEE Access 6, 59118–59125 (2018)

    Article  Google Scholar 

  9. Global Research and Analysis Team: KASPERSKY Lab. Fileless attack against enterprise network, White Paper (2017)

    Google Scholar 

  10. INFOSEC. Websocket security issues, December 2014. https://resources.infosecinstitute.com/websocket-security-issues/

  11. Kishore, K.R., Mallesh, M., Jyostna, G., Eswari, P.R.L., Sarma, S.S.: Browser JS guard: detects and defends against malicious JavaScript injection based drive by download attacks. In: The Fifth International Conference on the Applications of Digital Information and Web Technologies (ICADIWT 2014), pp. 92–100, February 2014

    Google Scholar 

  12. Magnusardottir, A.: Fileless ransomware: how it works & how to stop it?, June 2018. https://www.infosecurityeurope.com/en/Sessions/58302/Fileless-Ransomware-How-It-Works-How-To-Stop-It

  13. Maiorca, D., Russu, P., Corona, I., Biggio, B., Giacinto, G.: Detection of malicious scripting code through discriminant and adversary-aware API analysis. In: Armando, A., Baldoni, R., Focardi, R. (eds.) Proceedings of the First Italian Conference on Cybersecurity (ITASEC17), Venice, Italy, 17–20 January 2017. CEUR Workshop Proceedings, vol. 1816, pp. 96–105. CEUR-WS.org (2017)

    Google Scholar 

  14. Mao, J., Bian, J., Bai, G., Wang, R., Chen, Y., Xiao, Y., Liang, Z.: Detecting malicious behaviors in JavaScript applications. IEEE Access 6, 12284–12294 (2018)

    Article  Google Scholar 

  15. McAfee. Fileless malware execution with powershell is easier than you may realize, March 2017. https://www.mcafee.com/enterprise/en-us/assets/solution-briefs/sb-fileless-malware-execution.pdf

  16. Ndichu, S., Ozawa, S., Misu, T., Okada, K.: A machine learning approach to malicious JavaScript detection using fixed length vector representation. In: 2018 International Joint Conference on Neural Networks (IJCNN), pp. 1–8, July 2018

    Google Scholar 

  17. Mozilla Developer Network. Glossary: websockets (2015). https://developer.mozilla.org/en-US/docs/Glossary/WebSockets

  18. Oh, S., Bae, H., Yoon, S., Kim, H., Cha, Y.: Malicious script blocking detection technology using a local proxy. In: 2016 10th International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing (IMIS), pp. 495–498, July 2016

    Google Scholar 

  19. Kaazing Corporation Peter Lubbers & Frank Greco. HTML5 websocket: a quantum leap in scalability for the web. www.websocket.org/quantum.html

  20. Shen, V.R.L., Wei, C.-S., Juang, T.T.-Y.: JavaScript malware detection using a high-level fuzzy Petri net, pp. 511–514, July 2018

    Google Scholar 

  21. Sachin, V., Chiplunkar, N.N.: SurfGuard JavaScript instrumentation-based defense against drive-by downloads. In: 2012 International Conference on Recent Advances in Computing and Software Systems, pp. 267–272, April 2012

    Google Scholar 

  22. Sayed, B., Traoré, I., Abdelhalim. A.: Detection and mitigation of malicious JavaScript using information flow control. In: 2014 Twelfth Annual International Conference on Privacy, Security and Trust, pp. 264–273, July 2014

    Google Scholar 

  23. Seshagiri, P., Vazhayil, A., Sriram, P.: AMA: static code analysis of web page for the detection of malicious scripts. Procedia Comput. Sci. 93, 768–773 (2016). Proceedings of the 6th International Conference on Advances in Computing and Communications

    Article  Google Scholar 

  24. Netsparker Security Team. DOM based cross-site scripting vulnerability, May 2019. https://www.netsparker.com/blog/web-security/dom-based-cross-site-scripting-vulnerability/

  25. TrendMicro. Analyzing the fileless, code-injecting sorebrect ransomware, June 2017. https://blog.trendmicro.com/trendlabs-security-intelligence/analyzing-fileless-code-injecting-sorebrect-ransomware/

  26. Wang, C., Zhou, Y.: A new cross-site scripting detection mechanism integrated with HTML5 and CORS properties by using browser extensions. In: 2016 International Computer Symposium (ICS), pp. 264–269, December 2016

    Google Scholar 

  27. Wang, Y., Cai, W.-D., Wei, P.: A deep learning approach for detecting malicious JavaScript code. Secur. Commun. Netw. 9, 1520–1534 (2016)

    Article  Google Scholar 

  28. Xu, W., Zhang, F., Zhu, S.: The power of obfuscation techniques in malicious JavaScript code: a measurement study. In: 2012 7th International Conference on Malicious and Unwanted Software, pp. 9–16, October 2012

    Google Scholar 

  29. Yoon, S., Jung, J., Noh, M., Chung, K., Im, C.: Automatic attack signature generation technology for malicious JavaScript. In: Proceedings of 2014 International Conference on Modelling, Identification Control, pp. 351–354, December 2014

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. School of Computer Science, University of Windsor, Windsor, Canada

    Sherif Saad, Farhan Mahmood & William Briguglio

  2. Thompson Rivers University, Kamloops, Canada

    Haytham Elmiligi

Authors
  1. Sherif Saad
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Farhan Mahmood
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. William Briguglio
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Haytham Elmiligi
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Sherif Saad .

Editor information

Editors and Affiliations

  1. Multimedia University, Malacca, Malaysia

    Swee-Huay Heng

  2. University of Malaga, Malaga, Spain

    Javier Lopez

Rights and permissions

Reprints and permissions

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Saad, S., Mahmood, F., Briguglio, W., Elmiligi, H. (2019). JSLess: A Tale of a Fileless Javascript Memory-Resident Malware. In: Heng, SH., Lopez, J. (eds) Information Security Practice and Experience. ISPEC 2019. Lecture Notes in Computer Science(), vol 11879. Springer, Cham. https://doi.org/10.1007/978-3-030-34339-2_7

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-34339-2_7

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-34338-5

  • Online ISBN: 978-3-030-34339-2

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation