ZOZZLE: Fast and Precise In-Browser JavaScript Malware Detection
Charles Curtsinger (UMass at Amherst), Benjamin Livshits and Benjamin Zorn (Microsoft Research), Christian Seifert (Microsoft)
20th USENIX Security Symposium (August, 2011)
Related report: Zozzle: Low-overhead Mostly Static JavaScript Malware Detection
Charles Curtsinger (UMass at Amherst), Benjamin Livshits and Benjamin Zorn (Microsoft Research), Christian Seifert (Microsoft)
Microsoft Research Technical Report (November, 2010)
Outline
• Introduction
• Observation on Offline Nozzle
• Design
• Experiment
• Evaluation
A Seminar at Advanced Defense Lab
Introduction
• In the last several years, we have seen mass-scale exploitation of memory-based vulnerabilities migrate towards heap spraying attacks.
• But many solutions are not lightweight enough to be integrated into a commercial browser.
About Nozzle
• The overhead of this runtime technique may be 10% or higher.
• This paper is based on our experience using NOZZLE for offline scanning.
• Offline scanning is also not as effective against transient malware that appears and disappears frequently.
About Zozzle
• ZOZZLE is integrated with the browser's JavaScript engine to collect and process JavaScript code that is created at runtime.
• Our focus in this paper is on creating a very low false positive, low overhead scanner.
Observation on Offline Nozzle
• Once we determined that a JavaScript sample was malicious, we invested a considerable effort in examining the code by hand and categorizing it in various ways.
• We investigated 169 malware samples.
Distribution of Different Exploit Samples (figure)
Transience of Detected Malicious URLs (figure)
JavaScript eval Unfolding (figure)
Distribution of Context Counts (figure)
Design
Training Data Extraction and Labeling
• We start by augmenting the JavaScript engine in a browser with a "deobfuscator" that extracts and collects individual fragments of JavaScript.
• Detours
• jscript.dll
• Compile function (COleScript::Compile())
Feature Extraction
• We create features based on the hierarchical structure of the JavaScript abstract syntax tree (AST).
Feature Selection
• χ² test
Classifier Training
• Naïve Bayesian classifier
• Features are assumed to be conditionally independent given the class
Naïve Bayesian classifier
• Complexity: linear time in the number of features
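An added example (not the authors' or ZOZZLE's own code) that works through the three steps above on constructed "context:token" AST features: a chi-squared score per feature, a threshold that keeps only discriminating features, a naive Bayes model with Laplace smoothing, and a linear-time classification pass over the selected features. The sample feature names, the threshold of 2 and the training set are assumptions made for the illustration.

```javascript
// Added example, not ZOZZLE's code: chi-squared feature selection plus a naive
// Bayes classifier over ZOZZLE-style "context:token" AST features. Samples are constructed.
const SAMPLES = [
  { label: "malicious", features: ["function:unescape", "loop:spray", "try:shellcode", "function:eval"] },
  { label: "malicious", features: ["function:unescape", "loop:spray", "function:eval"] },
  { label: "malicious", features: ["try:shellcode", "function:unescape", "function:substring"] },
  { label: "benign", features: ["function:getElementById", "function:addEventListener", "loop:i"] },
  { label: "benign", features: ["function:getElementById", "function:substring", "function:eval"] },
  { label: "benign", features: ["function:addEventListener", "loop:i", "function:setTimeout"] },
];
const LABELS = ["malicious", "benign"];
// Chi-squared statistic of one feature against the label, from the 2x2 table.
function chiSquared(samples, feature) {
  let a = 0, b = 0, c = 0, d = 0; // present&mal, present&ben, absent&mal, absent&ben
  for (const s of samples) {
    const present = s.features.includes(feature), mal = s.label === "malicious";
    if (present) { mal ? a++ : b++; } else { mal ? c++ : d++; }
  }
  const den = (a + b) * (c + d) * (a + c) * (b + d);
  return den === 0 ? 0 : ((a * d - b * c) ** 2 * (a + b + c + d)) / den;
}
// Keep features whose score reaches the threshold; a token common to both
// classes (here "function:eval") scores low and is dropped.
function selectFeatures(samples, threshold) {
  const all = new Set(samples.flatMap(s => s.features));
  return [...all].filter(f => chiSquared(samples, f) >= threshold);
}
// Train: class priors and Laplace-smoothed P(feature present | class).
function train(samples, features) {
  const model = { features, prior: {}, cond: {} };
  for (const label of LABELS) {
    const cls = samples.filter(s => s.label === label);
    model.prior[label] = cls.length / samples.length; model.cond[label] = {};
    for (const f of features)
      model.cond[label][f] = (cls.filter(s => s.features.includes(f)).length + 1) / (cls.length + 2);
  }
  return model;
}
// Classify one context in a single pass over the selected features (linear time),
// summing log-probabilities so the product of many small terms does not underflow.
function classify(model, features) {
  const present = new Set(features); let best = null, bestScore = -Infinity;
  for (const label of LABELS) {
    let score = Math.log(model.prior[label]);
    for (const f of model.features) score += Math.log(present.has(f) ? model.cond[label][f] : 1 - model.cond[label][f]);
    if (score > bestScore) { bestScore = score; best = label; }
  }
  return best;
}
```

With the constructed data, "function:eval" appears in both classes and is rejected by the chi-squared threshold, so the classifier relies on the context-specific tokens rather than on eval alone.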
Fast Pattern Matching
Fast Pattern Matching (cont.)
Experiment
• Malicious Samples
• 919 deobfuscated malicious contexts
• Benign Samples
• Alexa top 50 URLs
• 7,976 contexts
Feature Selection
• hand-picked vs. automatically selected
Evaluation
• HP xw4600 workstation
• Intel Core2 Duo 3.16 GHz
• 4 GB memory
• Windows 7 64-bit Enterprise
Effectiveness (figure)
Training Set Size (figure)
Feature Set Size (figure)
Comparison with Other Techniques (figure)
Performance: Context Size (figure)
Performance: Feature Set (figure)
Thank you
JavaScript Obfuscation
I think these are all of them…
unescape("%48%65%6c%6c%6f%57%6f%72%6c%64") // decodes to "HelloWorld"
document.write("alert('1')");
eval("alert(1)");
"H976e246l3l2o19W42o45r7l88d734".replace(/[0-9]/g, "") // strips the digits, leaving "HelloWorld"
"\u0048\u0065\u006C\u006C\u006F\u0057\u006F\u0072\u006C\u0064" // unicode escapes for "HelloWorld"
If I want to eval…
<script>
Function("alert('1')")();
setTimeout("alert('1')");
execScript("alert('1')", "javascript");
[].constructor.constructor('alert(1)')();
window["eval"]("alert('1')");
</script>
In the network, I find …
<script>
([][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()[(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]])(+!+[])
</script>
The END