DOI: 10.1145/1772690.1772720

Detection and analysis of drive-by-download attacks and malicious JavaScript code

Published: 26 April 2010

Abstract

JavaScript is a browser scripting language that allows developers to create sophisticated client-side interfaces for web applications. However, JavaScript code is also used to carry out attacks against the user's browser and its extensions. These attacks usually result in the download of additional malware that takes complete control of the victim's platform, and are, therefore, called "drive-by downloads." Unfortunately, the dynamic nature of the JavaScript language and its tight integration with the browser make it difficult to detect and block malicious JavaScript code.
This paper presents a novel approach to the detection and analysis of malicious JavaScript code. Our approach combines anomaly detection with emulation to automatically identify malicious JavaScript code and to support its analysis. We developed a system that uses a number of features and machine-learning techniques to establish the characteristics of normal JavaScript code. Then, during detection, the system is able to identify anomalous JavaScript code by emulating its behavior and comparing it to the established profiles. In addition to identifying malicious code, the system is able to support the analysis of obfuscated code and to generate detection signatures for signature-based systems. The system has been made publicly available and has been used by thousands of analysts.




      Published In

      cover image ACM Other conferences
      WWW '10: Proceedings of the 19th international conference on World wide web
      April 2010
      1407 pages
      ISBN:9781605587998
      DOI:10.1145/1772690

      Publisher

      Association for Computing Machinery

      New York, NY, United States


      Author Tags

      1. anomaly detection
      2. drive-by-download attacks
      3. web client exploits

      Qualifiers

      • Research-article

      Conference

      WWW '10
      WWW '10: The 19th International World Wide Web Conference
      April 26 - 30, 2010
      Raleigh, North Carolina, USA

      Acceptance Rates

      Overall Acceptance Rate 1,899 of 8,196 submissions, 23%

      Cited By

      • (2024) An Adaptive Cryptography Using OpenAI API. Innovative Machine Learning Applications for Cryptography, ch. 4, pp. 71-90. doi:10.4018/979-8-3693-1642-9.ch004. Online: 12 Apr 2024.
      • (2024) Detection of Cyber Threats From Suspicious URLs Using Multi-Classification Approach. Sustainable Science and Intelligent Technologies for Societal Development, ch. 7, pp. 107-129. doi:10.4018/979-8-3693-1186-8.ch007. Online: 5 Jan 2024.
      • (2024) Evaluation of Malware Classification Models for Heterogeneous Data. Sensors 24(1):288. doi:10.3390/s24010288. Online: 3 Jan 2024.
      • (2024) A Packet Content-Oriented Remote Code Execution Attack Payload Detection Model. Future Internet 16(7):235. doi:10.3390/fi16070235. Online: 2 Jul 2024.
      • (2024) Detecting Malicious Websites From the Perspective of System Provenance Analysis. IEEE Transactions on Dependable and Secure Computing 21(3):1406-1423. doi:10.1109/TDSC.2023.3277613. Online: May 2024.
      • (2024) A Method to Detect Phishing Websites Using Distinctive URL Characteristics by Employing Machine Learning Technique. Data Analytics and Learning, pp. 67-76. doi:10.1007/978-981-99-6346-1_6. Online: 20 Feb 2024.
      • (2024) Automated Generation of Behavioral Signatures for Malicious Web Campaigns. Information Security, pp. 226-245. doi:10.1007/978-3-031-75764-8_12. Online: 17 Oct 2024.
      • (2024) JSHint: Revealing API Usage to Improve Detection of Malicious JavaScript. Information Security, pp. 205-225. doi:10.1007/978-3-031-75764-8_11. Online: 17 Oct 2024.
      • (2024) JSMBox—A Runtime Monitoring Framework for Analyzing and Classifying Malicious JavaScript. Software and Data Engineering, pp. 100-122. doi:10.1007/978-3-031-75201-8_8. Online: 19 Oct 2024.
      • (2024) PDFIET: PDF Malicious Indicators Extraction Technique Through Optimized Symbolic Execution. Security and Privacy in Communication Networks, pp. 409-425. doi:10.1007/978-3-031-64954-7_21. Online: 15 Oct 2024.
