charles curtsinger umass at amherst benjamin livshits and benjamin zorm microsoft research christian...

ZOZZLE: FAST AND PRECISE IN-BROWSER JAVASCRIPT

MALWARE DETECTION

Charles Curtsinger

UMass at Amherst

Benjamin Livshits and Benjamin Zorm

Microsoft Research

Christian Seifert

Microsoft

20th USENIX Security Symposium (August, 2011)

ZOZZLE: LOW-OVERHEAD MOSTLY STATIC JAVASCRIPT

MALWARE DETECTION

Charles Curtsinger

UMass at Amherst

Benjamin Livshits and Benjamin Zorm

Microsoft Research

Christian Seifert

Microsoft

Microsoft Research Technical Report (November, 2010)

A Seminar at Advanced Defense Lab 3

Outline

Introduction Observation on Offline Nozzle Design Experiment Evaluation

2011/5/24


Introduction

In the last several years, we have seen mass-scale exploitation of memory-based vulnerabilities migrate towards heap spraying attacks.

But many solutions are not lightweight enough to be integrated into a commercial browser.

2011/5/24


About Nozzle

The overhead of this runtime technique may be 10% or higher.

This paper is based on our experience using NOZZLE for offline.

Offline scanning is also not as effective against transient malware that appears and disappears frequently.

2011/5/24


About Zozzle

ZOZZLE is integrated with the browser’s JavaScript engine to collect and process JavaScript code that is created at runtime.

Our focus in this paper is on creating a very low false positive, low overhead scanner.

2011/5/24


Observation on Offline Nozzle

Once we determine that JavaScript is malicious, we invested a considerable effort in examining the code by hand and categorizing it in various ways.

we investigated 169 malware samples.

2011/5/24


Distribution of Different Exploit Samples

2011/5/24


Transience of Detected Malicious URLs

2011/5/24


Javascript eval Unfolding

2011/5/24


Distribution of Context Counts

2011/5/24


Design

2011/5/24


Training Data Extraction and Labeling We start by augmenting the JavaScript

engine in a browser with a “deobfuscator” that extracts and collects individual fragments of JavaScript.Detours [link]jscript.dll [link]Compile function

(COlescript::Compile())

2011/5/24

http://research.microsoft.com/en-us/projects/detours/

http://msdn.microsoft.com/en-us/library/Aa940697(MSDN.10).aspx


Feature Extraction

We create features based on the hierarchical structure of the JavaScript abstract syntax tree(AST).

2011/5/24


Feature Selection

χ2 test

2011/5/24

With feature Without feature

malicious A C

benign B D

%9.9983.10

22

DCBADBCA

CBAD


Classifier Training

Naϊve Bayesian classifier

Assume to be conditionally independent

2011/5/24

n

kikkin

n

inini

LFFFPLFFP

FFP

LFFPLPFFLP

1111

1

11

,,,,,

,,

,,,,

n

n

kiki

n

n

kikki

ni FFP

LFPLP

FFP

LFFFPLPFFLP

,,,,

,,,,,

1

1

1

111

1


Naϊve Bayesian classifier

Complexity: linear time

2011/5/24

n

kikiscript

n

n

kiki

nibelspossibleLai

script

LFPLPC

FFP

LFPLPFFLPC

1

1

11

maxarg

,,maxarg,,maxarg


Fast Pattern Matching

2011/5/24


Fast Pattern Matching (cont.)

2011/5/24


Experiment

Malicious Samples919 deobfuscated malicious context

Benign SamplesAlexa top 50 URLs7,976 contexts

2011/5/24


Feature Selection

hand-picked vs. automatically selected

2011/5/24


Evaluation

HP xw4600 workstationIntel Core2 Duo 3.16 GHz4 GB memoryWindows 7 64-bit Enterprise

2011/5/24


Effectiveness

2011/5/24


Training Set Size

2011/5/24


Feature Set Size

2011/5/24


Comparison with Other Techniques

2011/5/24


Performance: Context Size

2011/5/24


Performance: Feature Set

2011/5/24


THANK YOU

2011/5/24


JAVASCRIPT OBFUSCATION

2011/5/24


I think these is the all…

2011/5/24

unescape(“%48%65%6c%6c%6f%57%6f%72%6c%64”)

“\u0048\u0065\u006C\u006C\u006F\u0057\u006F\u0072\u006C\u0064”

document.write(“alert(‘1’)”);eval(“alert(1)”);

"H976e246l3l2o19W42o45r7l88d734".replace(/[09]/g,"")


If I want to eval…

<script>Fucntion("alert(‘1')")();setTimeout("alert(‘1')“;execScript("alert(‘1')", "javascript");[].constructor.constructor('alert(1)')();window["eval"]("alert(‘1’)");

</script>

2011/5/24


In the network, I find …

<script>([][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+

[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()[(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]])(+!+[])

</script>

2011/5/24


THE END

2011/5/24

charles curtsinger umass at amherst benjamin livshits and benjamin zorm microsoft research christian...

Documents

advanced defense lab16

advanced defense lab7

advanced defense lab12

advanced defense lab8

advanced defense lab18

advanced defense lab14

advanced defense lab6

advanced defense lab19