JSDES: An Automated De-Obfuscation System for Malicious JavaScript

Malicious scripts used in web-based attacks have recently been reported as one of the top internet security threats. While anti-malware solutions develop and integrate various techniques to defend against malicious scripts, attackers have increasingly applied counter-techniques to hide their malicious intent and evade detection. One of the most popular of these techniques is code obfuscation. In this research, an enhanced system is proposed to automate the process of de-obfuscating malicious JavaScript code. The proposed system was tested on real-world malicious JavaScript samples. Based on the analysis results, the cause of the popularity of certain obfuscation techniques is identified. In addition, a set of improvements to the currently used malware detection techniques is proposed.
