ZOZZLE: Fast and Precise In-Browser JavaScript Malware Detection
description
Transcript of ZOZZLE: Fast and Precise In-Browser JavaScript Malware Detection
ZOZZLE: FAST AND PRECISE IN-BROWSER JAVASCRIPT
MALWARE DETECTION
Charles CurtsingerUMass at Amherst
Benjamin Livshits and Benjamin ZormMicrosoft Research
Christian SeifertMicrosoft
20th USENIX Security Symposium (August, 2011)
ZOZZLE: LOW-OVERHEAD MOSTLY STATIC JAVASCRIPT
MALWARE DETECTION
Charles CurtsingerUMass at Amherst
Benjamin Livshits and Benjamin ZormMicrosoft Research
Christian SeifertMicrosoft
Microsoft Research Technical Report (November, 2010)
A Seminar at Advanced Defense Lab 3
Outline Introduction Observation on Offline Nozzle Design Experiment Evaluation
2011/5/24
A Seminar at Advanced Defense Lab 4
Introduction In the last several years, we have seen
mass-scale exploitation of memory-based vulnerabilities migrate towards heap spraying attacks.
But many solutions are not lightweight enough to be integrated into a commercial browser.
2011/5/24
A Seminar at Advanced Defense Lab 5
About Nozzle The overhead of this runtime technique
may be 10% or higher.
This paper is based on our experience using NOZZLE for offline.
Offline scanning is also not as effective against transient malware that appears and disappears frequently.
2011/5/24
A Seminar at Advanced Defense Lab 6
About Zozzle ZOZZLE is integrated with the browser’s
JavaScript engine to collect and process JavaScript code that is created at runtime.
Our focus in this paper is on creating a very low false positive, low overhead scanner.
2011/5/24
A Seminar at Advanced Defense Lab 7
Observation on Offline Nozzle Once we determine that JavaScript is
malicious, we invested a considerable effort in examining the code by hand and categorizing it in various ways.
we investigated 169 malware samples.
2011/5/24
A Seminar at Advanced Defense Lab 8
Distribution of Different Exploit Samples
2011/5/24
A Seminar at Advanced Defense Lab 9
Transience of Detected Malicious URLs
2011/5/24
A Seminar at Advanced Defense Lab 10
Javascript eval Unfolding
2011/5/24
A Seminar at Advanced Defense Lab 11
Distribution of Context Counts
2011/5/24
A Seminar at Advanced Defense Lab 12
Design
2011/5/24
A Seminar at Advanced Defense Lab 13
Training Data Extraction and Labeling We start by augmenting the JavaScript
engine in a browser with a “deobfuscator” that extracts and collects individual fragments of JavaScript.Detours [link]jscript.dll [link]Compile function
(COlescript::Compile())
2011/5/24
A Seminar at Advanced Defense Lab 14
Feature Extraction We create features based on the
hierarchical structure of the JavaScript abstract syntax tree(AST).
2011/5/24
A Seminar at Advanced Defense Lab 15
Feature Selection χ2 test
2011/5/24
With feature Without feature
malicious A C
benign B D
%9.9983.10
22
DCBADBCA
CBAD
A Seminar at Advanced Defense Lab 16
Classifier Training Naϊve Bayesian classifier
Assume to be conditionally independent
2011/5/24
n
kikkin
n
inini
LFFFPLFFP
FFPLFFPLP
FFLP
1111
1
11
,,,,,
,,,,
,,
n
n
kiki
n
n
kikki
ni FFP
LFPLP
FFP
LFFFPLPFFLP
,,,,
,,,,,
1
1
1
111
1
A Seminar at Advanced Defense Lab 17
Naϊve Bayesian classifier
Complexity: linear time
2011/5/24
n
kikiscript
n
n
kiki
nibelspossibleLai
script
LFPLPC
FFP
LFPLPFFLPC
1
1
11
maxarg
,,maxarg,,maxarg
A Seminar at Advanced Defense Lab 18
Fast Pattern Matching
2011/5/24
A Seminar at Advanced Defense Lab 19
Fast Pattern Matching (cont.)
2011/5/24
A Seminar at Advanced Defense Lab 20
Experiment Malicious Samples
919 deobfuscated malicious context
Benign SamplesAlexa top 50 URLs7,976 contexts
2011/5/24
A Seminar at Advanced Defense Lab 21
Feature Selection hand-picked vs. automatically selected
2011/5/24
A Seminar at Advanced Defense Lab 22
Evaluation HP xw4600 workstation
Intel Core2 Duo 3.16 GHz4 GB memoryWindows 7 64-bit Enterprise
2011/5/24
A Seminar at Advanced Defense Lab 23
Effectiveness
2011/5/24
A Seminar at Advanced Defense Lab 24
Training Set Size
2011/5/24
A Seminar at Advanced Defense Lab 25
Feature Set Size
2011/5/24
A Seminar at Advanced Defense Lab 26
Comparison with Other Techniques
2011/5/24
A Seminar at Advanced Defense Lab 27
Performance: Context Size
2011/5/24
A Seminar at Advanced Defense Lab 28
Performance: Feature Set
2011/5/24
A Seminar at Advanced Defense Lab 29
THANK YOU
2011/5/24
A Seminar at Advanced Defense Lab 30
JAVASCRIPT OBFUSCATION
2011/5/24
A Seminar at Advanced Defense Lab 31
I think these is the all…
2011/5/24
unescape(“%48%65%6c%6c%6f%57%6f%72%6c%64”)
“\u0048\u0065\u006C\u006C\u006F\u0057\u006F\u0072\u006C\u0064”
document.write(“alert(‘1’)”);eval(“alert(1)”);
"H976e246l3l2o19W42o45r7l88d734".replace(/[09]/g,"")
A Seminar at Advanced Defense Lab 32
If I want to eval… <script>
Fucntion("alert(‘1')")();setTimeout("alert(‘1')“;execScript("alert(‘1')", "javascript");[].constructor.constructor('alert(1)')();window["eval"]("alert(‘1’)");
</script>
2011/5/24
A Seminar at Advanced Defense Lab 33
In the network, I find … <script>
([][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()[(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]])(+!+[])
</script>
2011/5/24
A Seminar at Advanced Defense Lab 34
THE END
2011/5/24