JsSandbox: A Framework for Analyzing the Behavior of Malicious JavaScript Code using Internal Function Hooking

  • Kim, Hyoung-Chun (The Attached Institute of Electronics and Telecommunications Research Institute (ETRI)) ;
  • Choi, Young-Han (The Attached Institute of Electronics and Telecommunications Research Institute (ETRI)) ;
  • Lee, Dong-Hoon (The Graduate School of Information Security, Korea University)
  • Received : 2011.10.05
  • Accepted : 2011.11.20
  • Published : 2012.02.28

Abstract

Recently, many malicious users have attacked web browsers using JavaScript code, which can execute dynamic actions within the browser. By forcing the browser to execute malicious JavaScript code, attackers can steal personal information stored on the system, cause malware to be downloaded onto the client's system, and so on. To reduce the damage, malicious web pages must be located before ordinary users visit the infected pages. In this paper, a novel framework (JsSandbox) that can monitor and analyze the behavior of malicious JavaScript code using internal function hooking (IFH) is proposed. IFH is defined as hooking all functions in the modules using the debug information and extracting their parameter values. The use of IFH enables the monitoring of functions that API hooking cannot reach. JsSandbox was implemented on top of a debugger engine, and several features were added to detect and analyze malicious JavaScript code: detection of obfuscation, deobfuscation of obfuscated strings, detection of URLs related to redirection, and detection of exploit code. The proposed framework was then evaluated on these features, and the results demonstrate that JsSandbox can be applied to the analysis of the behavior of malicious web pages.
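As an added illustration (not JsSandbox's own code, which hooks native browser-module functions from a debugger), the following Node.js script applies the same monitoring idea at the JavaScript level: it hooks eval, unescape, document.write and location.href around a constructed sample, records the string eval receives as the deobfuscated payload, and extracts URLs and redirections from the trace. The sample script, the stand-in document/location objects and the obfuscation heuristic are assumptions made here for the demonstration.

```javascript
// Added example (not JsSandbox code): JS-level function hooking over a
// constructed sample; the DOM stand-ins and heuristics are assumptions.
function hook(target, name, trace, tag) {
  const original = target[name];      // wrap target[name], log its first argument
  target[name] = function (...args) {
    trace.push({ fn: tag, arg: String(args[0]) });
    return original.apply(this, args);
  };
}
// Heuristic: %XX, \xXX or \uXXXX escapes make up more than half of the source.
function looksObfuscated(src) {
  const escapes = (src.match(/%[0-9a-f]{2}|\\x[0-9a-f]{2}|\\u[0-9a-f]{4}/gi) || []).length;
  return escapes * 3 > src.length / 2;
}
function extractUrls(text) {
  return text.match(/https?:\/\/[^\s"'<>)]+/gi) || [];
}

function analyze(sample) {
  const trace = [];
  const document = { write() {} };    // stand-in for the browser DOM
  const location = {};                // href setter records redirections
  Object.defineProperty(location, 'href', {
    set(v) { trace.push({ fn: 'location.href', arg: String(v) }); },
  });
  // The sample sees these as parameters, so no real global is patched; the
  // eval hook re-enters the same environment (completion value not returned).
  const hooks = { eval: (s) => (typeof s === 'string' ? run(s) : s), unescape };
  function run(code) {
    return new Function('eval', 'unescape', 'document', 'location', code)(
      hooks.eval, hooks.unescape, document, location);
  }
  hook(hooks, 'eval', trace, 'eval');
  hook(hooks, 'unescape', trace, 'unescape');
  hook(document, 'write', trace, 'document.write');
  run(sample);
  return {
    obfuscated: looksObfuscated(sample),
    deobfuscated: trace.filter((t) => t.fn === 'eval').map((t) => t.arg),
    urls: [...new Set(trace.flatMap((t) => extractUrls(t.arg)))],
    redirects: trace.filter((t) => t.fn === 'location.href').map((t) => t.arg),
  };
}
// Constructed sample: %XX-encoded payload decoded by unescape, run by eval.
const PLAIN = 'document.write("<iframe src=http://example.invalid/x>");' +
  'location.href="http://redirect.invalid/";';
const SAMPLE = 'var s = unescape("' + [...PLAIN].map((c) =>
  '%' + c.charCodeAt(0).toString(16).padStart(2, '0')).join('') + '"); eval(s);';

console.log(JSON.stringify(analyze(SAMPLE), null, 2));
```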

Cited by

  1. PBDT: Python Backdoor Detection Model Based on Combined Features, vol. 2021, 2012, https://doi.org/10.1155/2021/9923234