A Discovery System of Malicious Javascript URLs hidden in Web Source Code Files

  • Park, Hweerang (Air Force Operation Command) ;
  • Cho, Sang-Il (Air Force Cyber Operations Center) ;
  • Park, Jungkyu (Dept. of National Defense Science, Korea National Defense University) ;
  • Cho, Youngho (Dept. of National Defense Science, Korea National Defense University)
  • Received : 2019.04.02
  • Accepted : 2019.05.08
  • Published : 2019.05.31

Abstract

One of the most serious security threats today is the botnet-based attack. A botnet in general consists of numerous bots: computing devices with networking capability, such as personal computers, smartphones, or tiny IoT sensor devices, that have been compromised by malicious code or by attackers. Such botnets can launch various serious cyber-attacks such as DDoS attacks, malware propagation, and spam e-mail campaigns over the network. To establish a botnet, attackers usually inject malicious URLs into web source code stealthily by using data hiding methods such as Javascript obfuscation techniques, so as to avoid discovery by traditional security systems such as a Firewall, IPS (Intrusion Prevention System), or IDS (Intrusion Detection System). Meanwhile, it is non-trivial work in practice for software developers to manually find such malicious URLs hidden among the numerous web source files stored on web servers. In this paper, we propose a security defense system to discover such suspicious, malicious URLs hidden in web source code, and present experimental results that show its discovery performance. In particular, in our experiments the proposed system discovered 100% of the URLs hidden by Javascript encoding obfuscation within the sample web source files.
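As an added illustration that is not the paper's own system (whose implementation is not described on this page), the following Python scanner statically peels the common Javascript encoding layers the abstract refers to (\xHH and \uHHHH escapes, String.fromCharCode, %XX/unescape, and string concatenation) and reports URLs that become readable only after decoding. The sample web source file and every domain name in it are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample web source file: one visible link plus two URLs hidden by
# \x escapes, String.fromCharCode and %XX (unescape) encoding, stitched with "+".
SAMPLE_SOURCE = r'''<html><body>
<a href="https://www.example.com/about">About</a>
<script>
var a = "\x68\x74\x74\x70\x3a\x2f\x2f" + "cdn.example.net/loader.js";
var b = String.fromCharCode(104,116,116,112,58,47,47) + unescape("%68%69%64%64%65%6e.example.org/x.php");
var f = document.createElement("iframe"); f.src = b; document.body.appendChild(f);
</script></body></html>'''

URL_RE = re.compile(r"https?://[A-Za-z0-9._~:/?#@!$&*+,;=%-]+")

def decode_layer(src):
    """Peel one layer of common Javascript encoding obfuscation."""
    # String.fromCharCode(104,116,...) -> "ht..."
    src = re.sub(r"String\.fromCharCode\s*\(([\d\s,]+)\)",
                 lambda m: '"' + "".join(chr(int(n)) for n in re.findall(r"\d+", m.group(1))) + '"', src)
    # \xHH and \uHHHH escapes inside string literals
    src = re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), src)
    src = re.sub(r"\\u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), src)
    # %XX sequences, then drop a surrounding unescape()/decodeURIComponent() wrapper
    src = re.sub(r"(?:%[0-9A-Fa-f]{2})+", lambda m: unquote(m.group(0)), src)
    src = re.sub(r"(?:unescape|decodeURIComponent|decodeURI)\s*\(\s*(\"[^\"]*\"|'[^']*')\s*\)", r"\1", src)
    # "ht" + "tp://" -> "http://"
    src = re.sub(r"\"\s*\+\s*\"|'\s*\+\s*'", "", src)
    return src

def find_hidden_urls(src, max_rounds=5):
    """Return (hidden, visible): URLs that only appear after decoding, and
    URLs that were already readable in the raw source."""
    visible = set(URL_RE.findall(src))
    decoded = src
    for _ in range(max_rounds):          # nested encodings need several passes
        new = decode_layer(decoded)
        if new == decoded:
            break
        decoded = new
    hidden = set(URL_RE.findall(decoded)) - visible
    return sorted(hidden), sorted(visible)

if __name__ == "__main__":
    hidden, visible = find_hidden_urls(SAMPLE_SOURCE)
    print("visible:", visible)
    print("hidden :", hidden)            # candidates to review against a URL blocklist
```

Hidden URLs are reported separately from visible ones because a URL that is only reachable through several decoding layers is itself a signal worth reviewing, even before it is checked against a blocklist.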

Keywords

Fig. 1. Executing drive-by download attacks by using a malicious URL hidden in web source code

Fig. 2. An example of a hidden malicious URL generated by Javascript encoding obfuscation

Fig. 3. Timeline showing when hidden malicious URLs can be injected into software (source code) during its SDLC (Software Development Life Cycle)

Fig. 4. The design architecture of our proposed system

Fig. 5. Main page view of our proposed system

Fig. 6. An example of a discovery result (Sample 2)

Fig. 7. Discovery execution time (Sample 1 ~ 6)

Fig. 8. Discovery execution time (# of files: 10 ~ 100)

Table 1. Test result of hidden, malicious URL discovery
