http://dx.doi.org/10.13089/JKIISC.2012.22.4.869

An Enhanced Method for Detecting Obfuscated JavaScript Malware Using Automated Deobfuscation

Ji, Sun-Ho (Graduate School of Information Security, Korea University)
Kim, Huy-Kang (Graduate School of Information Security, Korea University)
Abstract
With the growth of Web services and the development of web exploit toolkits, web-based malware has increased dramatically. Recent web-based malware uses JavaScript obfuscation to hide malicious URLs and exploit code, so pattern matching in network intrusion detection systems has difficulty detecting it. Although various methods have been proposed to detect JavaScript malware in a user's web browser, overall detection is needed to counter advanced attacks such as APTs (Advanced Persistent Threats) that aim to penetrate a particular organization's intranet. To overcome the limitations of existing pattern matching in network intrusion detection systems, a novel method for deobfuscating obfuscated JavaScript is needed. In this paper, we propose a framework that improves jsunpack-n by overriding JavaScript functions and using a separate JavaScript interpreter, enabling effective detection of hidden malware through automated deobfuscation regardless of advanced obfuscation techniques.
Keywords
Javascript; Malware; Obfuscation; Intrusion Detection;