A Postmortem Forensic Analysis for a JavaScript Based Attack

Nowadays, users and corporates are more and more connected to the web. User accesses her/his sensitive business/non-business applications using a web browser. There are numerous browsers’ based attacks and many of them are implemented using JavaScript. One of these attacks is Drive-by-Download. Security researchers introduced several tools and techniques to detect and/or prevent this serious attack. Few address the browser forensics to identify the attack traces/evidences and reconstruct the executed events of a downloaded malicious content. In this study, we introduce a postmortem forensic methodology that investigates a web browser subjected to Drive-by-Download attack. We develop a Firefox browser extension (FEPFA) to delve into the malicious URLs. The developed system is tested on malicious web pages and successfully identifies the digital evidences of the attack. The majority of the collected evidences were non-volatile evidences that could assist forensic investigator in the postmortem analysis.

[1]  Christopher Krügel,et al.  Detection and analysis of drive-by-download attacks and malicious JavaScript code , 2010, WWW '10.

[2]  Dong Xuan,et al.  JSGuard: Shellcode Detection in JavaScript , 2012, SecureComm.

[3]  Benjamin Livshits,et al.  NOZZLE: A Defense Against Heap-spraying Code Injection Attacks , 2009, USENIX Security Symposium.

[4]  Fabio Massacci,et al.  Anatomy of Exploit Kits - Preliminary Analysis of Exploit Kits as Software Artefacts , 2013, ESSoS.

[5]  Narasimha Shashidhar,et al.  Do private and portable web browsers leave incriminating evidence?: a forensic analysis of residual artifacts from private and portable web browsing sessions , 2013, 2013 IEEE Security and Privacy Workshops.

[6]  Christopher Krügel,et al.  PExy: The Other Side of Exploit Kits , 2014, DIMVA.

[7]  Wenke Lee,et al.  ARROW: GenerAting SignatuRes to Detect DRive-By DOWnloads , 2011, WWW.

[8]  Dimitris Gritzalis,et al.  Security Busters: Web browser security vs. rogue sites , 2015, Comput. Secur..

[9]  Pavel Laskov,et al.  Static detection of malicious JavaScript-bearing PDF documents , 2011, ACSAC '11.

[10]  Christopher Krügel,et al.  FlashDetect: ActionScript 3 Malware Detection , 2012, RAID.

[11]  Giovanni Vigna,et al.  Prophiler: a fast filter for the large-scale detection of malicious web pages , 2011, WWW.

[12]  Christopher Krügel,et al.  Revolver: An Automated Approach to the Detection of Evasive Web-based Malware , 2013, USENIX Security Symposium.

[13]  J. Shane Culpepper,et al.  Efficient and effective realtime prediction of drive-by download attacks , 2014, J. Netw. Comput. Appl..

[14]  Marco Balduzzi,et al.  Automatic Extraction of Indicators of Compromise for Web Applications , 2016, WWW.

[15]  Paolo Milani Comparetti,et al.  EvilSeed: A Guided Approach to Finding Malicious Web Pages , 2012, 2012 IEEE Symposium on Security and Privacy.

[16]  Wei Meng,et al.  Understanding Malvertising Through Ad-Injecting Browser Extensions , 2015, WWW.

[17]  Michael Ligh,et al.  Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code , 2010 .

[18]  Sangjin Lee,et al.  Advanced evidence collection and analysis of web browser activity , 2011, Digit. Investig..

[19]  Christopher Krügel,et al.  Shellzer: A Tool for the Dynamic Analysis of Malicious Shellcode , 2011, RAID.

[20]  Benjamin Livshits,et al.  Rozzle: De-cloaking Internet Malware , 2012, 2012 IEEE Symposium on Security and Privacy.

[21]  Vinod Yegneswaran,et al.  BLADE: an attack-agnostic approach for preventing drive-by malware infections , 2010, CCS '10.

[22]  Sangjin Lee,et al.  Analysis Framework to Detect Artifacts of Portable Web Browser , 2012, ITCS.