
ZOZZLE: FAST AND PRECISE IN-BROWSER JAVASCRIPT MALWARE DETECTION

Charles Curtsinger

UMass at Amherst

Benjamin Livshits and Benjamin Zorn

Microsoft Research

Christian Seifert

Microsoft

20th USENIX Security Symposium (August, 2011)

ZOZZLE: LOW-OVERHEAD MOSTLY STATIC JAVASCRIPT MALWARE DETECTION

Charles Curtsinger

UMass at Amherst

Benjamin Livshits and Benjamin Zorn

Microsoft Research

Christian Seifert

Microsoft

Microsoft Research Technical Report (November, 2010)

A Seminar at Advanced Defense Lab 3

Outline

Introduction
Observation on Offline Nozzle
Design
Experiment
Evaluation

2011/5/24


Introduction

In the last several years, we have seen mass-scale exploitation of memory-based vulnerabilities migrate towards heap spraying attacks.

But many solutions are not lightweight enough to be integrated into a commercial browser.


About Nozzle

The overhead of this runtime technique may be 10% or higher.

This paper is based on our experience using NOZZLE for offline scanning.

Offline scanning is also not as effective against transient malware that appears and disappears frequently.


About Zozzle

ZOZZLE is integrated with the browser’s JavaScript engine to collect and process JavaScript code that is created at runtime.

Our focus in this paper is on creating a very low false positive, low overhead scanner.


Observation on Offline Nozzle

Once we determined that a piece of JavaScript was malicious, we invested considerable effort in examining the code by hand and categorizing it in various ways.

We investigated 169 malware samples.


Distribution of Different Exploit Samples


Transience of Detected Malicious URLs


Javascript eval Unfolding


Distribution of Context Counts


Design


Training Data Extraction and Labeling

We start by augmenting the JavaScript engine in a browser with a “deobfuscator” that extracts and collects individual fragments of JavaScript.

Detours
jscript.dll
Compile function (COleScript::Compile())


Feature Extraction

We create features based on the hierarchical structure of the JavaScript abstract syntax tree (AST).


Feature Selection

χ² test

                 With feature    Without feature
  malicious           A                C
  benign              B                D

$$\chi^2 = \frac{(A \cdot D - C \cdot B)^2}{(A+C)\,(B+D)\,(A+B)\,(C+D)}$$

Features with $\chi^2 \ge 10.83$ are selected, which corresponds to 99.9% confidence that feature presence and script classification are not independent.


Classifier Training

Naïve Bayesian classifier

$$P(L_i \mid F_1, \ldots, F_n) = \frac{P(L_i)\,P(F_1, \ldots, F_n \mid L_i)}{P(F_1, \ldots, F_n)}$$

Assume the features to be conditionally independent given the label:

$$P(F_1, \ldots, F_n \mid L_i) = \prod_{k=1}^{n} P(F_k \mid L_i)$$

so that

$$P(L_i \mid F_1, \ldots, F_n) = \frac{P(L_i) \prod_{k=1}^{n} P(F_k \mid L_i)}{P(F_1, \ldots, F_n)}$$


Naïve Bayesian classifier

Complexity: linear time

The denominator $P(F_1, \ldots, F_n)$ does not depend on the label, so it is a constant $C$:

$$P(L_i \mid F_1, \ldots, F_n) = \frac{P(L_i) \prod_{k=1}^{n} P(F_k \mid L_i)}{C}$$

$$\mathrm{label}(\mathit{script}) = \operatorname*{arg\,max}_{L_i \in \text{possible labels}} P(L_i \mid F_1, \ldots, F_n) = \operatorname*{arg\,max}_{L_i \in \text{possible labels}} \frac{P(L_i) \prod_{k=1}^{n} P(F_k \mid L_i)}{C} = \operatorname*{arg\,max}_{L_i \in \text{possible labels}} P(L_i) \prod_{k=1}^{n} P(F_k \mid L_i)$$
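To make the feature-selection and classifier slides concrete, here is an added Python example (not the paper's or ZOZZLE's own code) that selects "context:token" AST features with the χ² test and labels a script with the naive Bayesian argmax; the training data is constructed. It uses Pearson's form of χ², which includes the total-count factor N, because that is the statistic the 10.83 critical value (99.9%, one degree of freedom) applies to.

```python
"""Added example (not the paper's or ZOZZLE's own code): chi-squared feature
selection plus a naive Bayesian classifier over "context:token" AST features."""
from math import log

# A script is the set of (AST context, token) pairs it contains; constructed data.
MAL = [{"loop:unescape", "function:shellcode", "try:ActiveXObject", "loop:spray"},
       {"loop:unescape", "function:shellcode", "function:CollectGarbage"},
       {"loop:unescape", "function:shellcode", "try:ActiveXObject"},
       {"loop:unescape", "function:shellcode", "function:getElementById"},
       {"loop:unescape", "function:shellcode", "loop:spray"},
       {"loop:unescape", "function:shellcode", "try:ActiveXObject", "function:CollectGarbage"}]
BEN = [{"function:getElementById", "function:addEventListener", "loop:push"},
       {"function:getElementById", "try:JSON", "loop:push"},
       {"function:addEventListener", "loop:push", "function:setTimeout"},
       {"function:getElementById", "function:setTimeout", "loop:push"},
       {"function:getElementById", "loop:push", "try:JSON"},
       {"function:addEventListener", "try:JSON", "loop:push"}]

def chi_square(a, b, c, d):
    """Pearson chi-squared for the slide's table (A/C: malicious with/without the
    feature, B/D: benign); the N factor makes the 10.83 (99.9%) threshold apply."""
    denom = (a + c) * (b + d) * (a + b) * (c + d)
    return (a + b + c + d) * (a * d - c * b) ** 2 / denom if denom else 0.0

def select_features(mal, ben, threshold=10.83):
    """Keep features whose presence is not independent of the label."""
    kept = {}
    for f in set().union(*mal, *ben):
        a, b = sum(f in s for s in mal), sum(f in s for s in ben)
        x2 = chi_square(a, b, len(mal) - a, len(ben) - b)
        if x2 >= threshold:
            kept[f] = x2
    return kept

def train(mal, ben, features):
    """Per label: prior P(L) and Laplace-smoothed P(F present | L) per feature."""
    model = {}
    for label, scripts in (("malicious", mal), ("benign", ben)):
        cond = {f: (sum(f in s for s in scripts) + 1) / (len(scripts) + 2)
                for f in features}  # smoothing keeps every factor non-zero
        model[label] = (len(scripts) / (len(mal) + len(ben)), cond)
    return model

def classify(model, script):
    """argmax_L of log P(L) + sum_k log P(F_k | L); the constant denominator drops."""
    def score(prior, cond):
        return log(prior) + sum(log(p if f in script else 1 - p)
                                for f, p in cond.items())
    return max(model, key=lambda lab: score(*model[lab]))
```

With this data only `loop:unescape`, `function:shellcode` and `loop:push` reach the threshold; a feature seen in three of six malicious contexts and no benign ones scores 4.0 and is dropped.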


Fast Pattern Matching


Fast Pattern Matching (cont.)


Experiment

Malicious samples: 919 deobfuscated malicious contexts

Benign samples: Alexa top 50 URLs, 7,976 contexts


Feature Selection

hand-picked vs. automatically selected


Evaluation

HP xw4600 workstation, Intel Core2 Duo 3.16 GHz, 4 GB memory, Windows 7 64-bit Enterprise


Effectiveness


Training Set Size


Feature Set Size


Comparison with Other Techniques


Performance: Context Size


Performance: Feature Set


THANK YOU


JAVASCRIPT OBFUSCATION


I think these are all of them…


unescape("%48%65%6c%6c%6f%57%6f%72%6c%64")

"\u0048\u0065\u006C\u006C\u006F\u0057\u006F\u0072\u006C\u0064"

document.write("alert('1')");eval("alert(1)");

"H976e246l3l2o19W42o45r7l88d734".replace(/[0-9]/g,"")


If I want to eval…

<script>Function("alert('1')")();setTimeout("alert('1')");execScript("alert('1')", "javascript");[].constructor.constructor('alert(1)')();window["eval"]("alert('1')");

</script>


In the network, I find …

<script>([][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()[(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]])(+!+[])

</script>


THE END
