
Understanding Evasion Techniques that Abuse Differences Among JavaScript Implementations

  • Conference paper
  • Web Information Systems Engineering – WISE 2017 (WISE 2017)
  • Part of the book series: Lecture Notes in Computer Science (LNISA, volume 10570)
Abstract

A common approach to detecting drive-by downloads uses a classifier trained on the static and dynamic features of malicious websites collected with a honeyclient. However, attackers detect the honeyclient and evade analysis using sophisticated JavaScript code. The evasive code identifies clients indirectly by abusing the differences among JavaScript implementations. On the basis of the evasion result, attackers deliver malware only to targeted clients while avoiding honeyclient analysis. The honeyclient therefore cannot extract features from such malicious websites, and the subsequent classifier does not work. Nevertheless, the evasion itself is observable: accessing a malicious website with a targeted client yields different results from accessing it with a honeyclient. In this paper, we propose a method that extracts evasive code by leveraging these differences, both to investigate current evasion techniques and to use them for analyzing malicious websites. Our method analyzes the HTTP transactions of the same website obtained using two types of clients: a real browser as a targeted client and a browser emulator as a honeyclient. Evaluating our method on 8,467 JavaScript samples executed in 20,272 malicious websites, we discovered unknown evasion techniques that abuse the differences among JavaScript implementations. These findings will contribute to improving the analysis capabilities of conventional honeyclients.
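The core observation of the abstract, that the same site answers a real browser and a honeyclient differently, can be turned into a concrete differential check. The following Python is an added illustration written for this page and is not the authors' tool; it assumes each recorded HTTP transaction carries an `initiator` field (the URL of the resource whose code issued the request, as a browser's developer tools would record), and the two sessions below are constructed sample data, not measurements from the paper. Requests that only the real browser issued are the observable trace of evasion; walking their initiator chain back to a script that both clients fetched points at the code whose behaviour differed between the two JavaScript implementations.

```python
"""Differential analysis of HTTP transactions from two clients visiting the
same website: a real browser (targeted client) and a browser emulator
(honeyclient). Added example; not code from the paper."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Transaction:
    seq: int              # order of the request within one session
    url: str
    content_type: str
    initiator: str = ""   # URL of the resource whose code issued this request (assumed field)


JS_TYPES = {"application/javascript", "text/javascript"}


def divergent_requests(browser: List[Transaction],
                       honeyclient: List[Transaction]) -> List[Transaction]:
    """Requests the real browser made that the honeyclient never made."""
    seen = {t.url for t in honeyclient}
    return [t for t in browser if t.url not in seen]


def candidate_evasive_scripts(browser: List[Transaction],
                              honeyclient: List[Transaction]) -> List[str]:
    """For each divergent request, walk the initiator chain back through the
    browser session until a JavaScript resource that the honeyclient also
    fetched is reached. That script ran in both clients but produced a
    follow-up request only in the real browser, so the client-dependent
    branch lives there."""
    by_url: Dict[str, Transaction] = {t.url: t for t in browser}
    common = {t.url for t in honeyclient} & set(by_url)
    found: List[str] = []
    for req in divergent_requests(browser, honeyclient):
        cur: Optional[Transaction] = by_url.get(req.initiator)
        hops = 0                       # guard against initiator cycles
        while cur is not None and hops < len(browser):
            if cur.url in common and cur.content_type in JS_TYPES:
                if cur.url not in found:
                    found.append(cur.url)
                break
            cur = by_url.get(cur.initiator)
            hops += 1
    return found


# Constructed sessions (hostnames under the reserved .example TLD).
BROWSER_SESSION = [
    Transaction(1, "http://site.example/index.html", "text/html"),
    Transaction(2, "http://site.example/js/jquery.min.php", "application/javascript",
                "http://site.example/index.html"),
    Transaction(3, "http://site.example/js/lib.js", "application/javascript",
                "http://site.example/index.html"),
    # Only the real browser is redirected onward from the injected script.
    Transaction(4, "http://landing.example/gate.php", "text/html",
                "http://site.example/js/jquery.min.php"),
    Transaction(5, "http://landing.example/ek/entry.html", "text/html",
                "http://landing.example/gate.php"),
]

HONEYCLIENT_SESSION = [
    Transaction(1, "http://site.example/index.html", "text/html"),
    Transaction(2, "http://site.example/js/jquery.min.php", "application/javascript",
                "http://site.example/index.html"),
    Transaction(3, "http://site.example/js/lib.js", "application/javascript",
                "http://site.example/index.html"),
]


if __name__ == "__main__":
    for t in divergent_requests(BROWSER_SESSION, HONEYCLIENT_SESSION):
        print("browser-only request:", t.url)
    for url in candidate_evasive_scripts(BROWSER_SESSION, HONEYCLIENT_SESSION):
        print("candidate evasive script:", url)
```

On the constructed sessions the two landing-site requests are flagged as browser-only and `jquery.min.php` is reported as the script to hand to a JavaScript analyst, since `lib.js` was fetched by both clients but sits on no divergent chain. In practice the candidate scripts would then be parsed and clustered, as the abstract describes, to group the client-dependent constructs they rely on.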



Corresponding author: Yuta Takata.


Copyright information

© 2017 Springer International Publishing AG


Cite this paper

Takata, Y., Akiyama, M., Yagi, T., Hariu, T., Goto, S. (2017). Understanding Evasion Techniques that Abuse Differences Among JavaScript Implementations. In: Bouguettaya, A., et al. (eds.) Web Information Systems Engineering – WISE 2017. WISE 2017. Lecture Notes in Computer Science, vol. 10570. Springer, Cham. https://doi.org/10.1007/978-3-319-68786-5_22

  • DOI: https://doi.org/10.1007/978-3-319-68786-5_22

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-68785-8

  • Online ISBN: 978-3-319-68786-5

  • eBook Packages: Computer Science (R0)