Abstract
A common approach to detecting drive-by downloads is a classifier trained on static and dynamic features of malicious websites collected with a honeyclient. Attackers, however, detect the honeyclient and evade analysis with sophisticated JavaScript code. The evasive code identifies the client indirectly by abusing differences among JavaScript implementations, and malware is delivered only to the targeted clients that pass this check, so the honeyclient never observes it. Consequently, the honeyclient cannot extract features from such websites and the subsequent classifier does not work. Nevertheless, the evasion itself is observable: the results of accessing a malicious website with a targeted client differ from those obtained with a honeyclient. In this paper, we propose a method of extracting evasive code by leveraging these differences, both to investigate current evasion techniques and to apply them to the analysis of malicious websites. Our method analyzes the HTTP transactions of the same website obtained with two types of clients: a real browser as the targeted client and a browser emulator as the honeyclient. Evaluating our method on 8,467 JavaScript samples executed on 20,272 malicious websites, we discovered previously unknown evasion techniques that abuse differences among JavaScript implementations. These findings will contribute to improving the analysis capabilities of conventional honeyclients.
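The following is an added illustration of the differential idea in the abstract; it is not code from the paper and does not reproduce the authors' method. The same constructed page script is executed under two stand-in environments (a "real browser" and an "emulator"), the URLs each client would request are compared, and the expressions whose values differ between the two are reported as candidate evasive checks. The environments, the script, the URLs and the candidate-expression list are all constructed. The quirk used, `typeof document.all === "undefined"` in real browsers (ECMAScript Annex B) versus `"object"` in a less complete emulator, is assumed for illustration; any real implementation difference could take its place.

```javascript
// Added example (Node.js), not from the paper. Constructed stand-ins for the
// globals a page script sees in each client. The only difference is a single
// implementation quirk; the User-Agent string is identical on purpose.
const realBrowserEnv = {
  document: { all: undefined }, // typeof document.all -> "undefined" (Annex B)
  navigator: { userAgent: "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Firefox/45.0" },
};
const emulatorEnv = {
  document: { all: {} },        // assumed emulator behaviour: typeof -> "object"
  navigator: { userAgent: "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Firefox/45.0" },
};

// Constructed sample page script. Its second request is guarded by a check
// that depends on the JavaScript implementation, not on the User-Agent.
const sampleScript = `
  var ua = navigator.userAgent;
  var realEngine = (typeof document.all === "undefined");
  load("/js/jquery.min.js");
  if (realEngine && ua.indexOf("Firefox") !== -1) {
    load("/stat/counter.php?v=2");
  }
`;

// Run the script in one environment and record every URL it asks for.
// `load` stands in for whatever mechanism the page uses to fetch a resource.
function executeInEnv(script, env) {
  const requests = [];
  const run = new Function("document", "navigator", "load", script);
  run(env.document, env.navigator, (url) => requests.push(url));
  return requests;
}

// Compare the transaction lists produced by the two clients.
function diffTransactions(realRequests, emulatorRequests) {
  return {
    onlyReal: realRequests.filter((u) => !emulatorRequests.includes(u)),
    onlyEmulator: emulatorRequests.filter((u) => !realRequests.includes(u)),
    common: realRequests.filter((u) => emulatorRequests.includes(u)),
  };
}

// Candidate fingerprint expressions taken from the script. They are listed by
// hand here; an AST-based extractor would collect every branch condition.
const candidateExpressions = [
  'typeof document.all === "undefined"',
  'navigator.userAgent.indexOf("Firefox") !== -1',
  "(1 / 0) === Infinity",
];

function evaluateIn(expr, env) {
  const fn = new Function("document", "navigator", "return (" + expr + ");");
  return fn(env.document, env.navigator);
}

// An expression is a candidate evasive check when the two clients disagree
// on its value.
function findDivergentExpressions(exprs, envA, envB) {
  return exprs.filter((e) => {
    const a = evaluateIn(e, envA);
    const b = evaluateIn(e, envB);
    return JSON.stringify(a) !== JSON.stringify(b);
  });
}

function analyze() {
  const real = executeInEnv(sampleScript, realBrowserEnv);
  const emu = executeInEnv(sampleScript, emulatorEnv);
  return {
    diff: diffTransactions(real, emu),
    evasive: findDivergentExpressions(candidateExpressions, realBrowserEnv, emulatorEnv),
  };
}

console.log(JSON.stringify(analyze(), null, 2));
```

On this input the real-browser run requests both URLs while the emulator run requests only the decoy library, so `/stat/counter.php?v=2` appears under `onlyReal`, and the only expression flagged as divergent is the `document.all` check; the User-Agent test evaluates identically in both clients and is therefore not reported.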
© 2017 Springer International Publishing AG
Takata, Y., Akiyama, M., Yagi, T., Hariu, T., Goto, S. (2017). Understanding Evasion Techniques that Abuse Differences Among JavaScript Implementations. In: Bouguettaya, A., et al. (eds.) Web Information Systems Engineering – WISE 2017. Lecture Notes in Computer Science, vol 10570. Springer, Cham. https://doi.org/10.1007/978-3-319-68786-5_22
DOI: https://doi.org/10.1007/978-3-319-68786-5_22
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-68785-8
Online ISBN: 978-3-319-68786-5