Using HTML5 to prevent detection of drive-by-download web malware

The Web has experienced explosive growth in recent years. New technologies are introduced at a very fast pace with the aim of narrowing the gap between web-based applications and traditional desktop applications. The result is web applications that look and feel almost like desktop applications while retaining the advantages of originating from the Web. However, these advancements come at a price. The same technologies used to build responsive, pleasant, and fully featured web applications can also be used to write web malware that escapes detection systems. In this article, we present new obfuscation techniques, based on some of the features of the upcoming HTML5 standard, which can be used to deceive malware detection systems. The proposed techniques have been tested on a reference set of obfuscated malware. Our results show that malware rewritten using our obfuscation techniques goes undetected when analyzed by a large number of detection systems, whereas the same detection systems correctly identify the same malware in its original, unobfuscated form. We also provide some hints about how existing malware detection systems can be modified to cope with these new techniques. Copyright © 2014 John Wiley & Sons, Ltd.
