Defending Browsers against Drive-by Downloads: Mitigating Heap-Spraying Code Injection Attacks

Egele, Manuel; Wurzinger, P.; Kruegel, Christopher; Kirda, Engin

doi:10.1007/978-3-642-02918-9_6

Cited by 118 publications

(97 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Polychronakis et al [23] proposed to execute shellcode in a CPU emulator and detect suspicious memory accesses using four heuristics. Egele et al [24] presented a similar method which identifies potential shellcode at runtime and tests it in libemu [25]. Compared with these methods, we use different and more robust runtime features, which characterize the essential operations required in the infection process.…”

Section: Related Workmentioning

confidence: 99%

Detecting Malicious Javascript in PDF through Document Instrumentation

Liu

Wang

Stavrou

2014

2014 44th Annual IEEE/IFIP International Conference on Dependable Systems and Networks

View full text Add to dashboard Cite

Abstract-An emerging threat vector, embedded malware inside popular document formats, has become rampant since 2008. Owed to its wide-spread use and Javascript support, PDF has been the primary vehicle for delivering embedded exploits. Unfortunately, existing defenses are limited in effectiveness, vulnerable to evasion, or computationally expensive to be employed as an on-line protection system. In this paper, we propose a context-aware approach for detection and confinement of malicious Javascript in PDF. Our approach statically extracts a set of static features and inserts context monitoring code into a document. When an instrumented document is opened, the context monitoring code inside will cooperate with our runtime monitor to detect potential infection attempts in the context of Javascript execution. Thus, our detector can identify malicious documents by using both static and runtime features. To validate the effectiveness of our approach in a realworld setting, we first conduct a security analysis, showing that our system is able to remain effective in detection and be robust against evasion attempts even in the presence of sophisticated adversaries. We implement a prototype of the proposed system, and perform extensive experiments using 18623 benign PDF samples and 7370 malicious samples. Our evaluation results demonstrate that our approach can accurately detect and confine malicious Javascript in PDF with minor performance overhead.

show abstract

Section: Related Workmentioning

confidence: 99%

Detecting Malicious Javascript in PDF through Document Instrumentation

Liu

Wang

Stavrou

2014

2014 44th Annual IEEE/IFIP International Conference on Dependable Systems and Networks

View full text Add to dashboard Cite

show abstract

“…A representive work is [18] that uses libemu [28] to detect shellcode in JS strings. The state of the art of dynamic analysis is network-level emulation, which decodes input data into instruction sequences and then emulates their execution [28, [37][38][39].…”

Section: Background: Detecting Shellcode In Js Objectsmentioning

confidence: 99%

“…1(a) can also be used to evade detection by current dynamic analysis based tools [18,28,[37][38][39]. Given an input stream containing the shellcode shown in Fig.…”

Section: Example 1: Thwarting Content Analysis Approachesmentioning

confidence: 99%

“…We also notice that some tools based on network-level emulation use heuristics based on the GetPC code [24,37] in shellcode detection, e.g., [18] uses libemu [28]. Besides the aforementioned evasion methods, attackers can also evade detection by writing shellcode without call group instruction or fstenv instruction opcodes, e.g., using purely alphanumeric shellcode [31].…”

Section: Example 1: Thwarting Content Analysis Approachesmentioning

confidence: 99%

See 1 more Smart Citation

JSGuard: Shellcode Detection in JavaScript

Zhang

Bai

et al. 2013

Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

View full text Add to dashboard Cite

Abstract. JavaScript (JS) based shellcode injections are among the most dangerous attacks to computer systems. Existing approaches have various limitations in detecting such attacks. In this paper, we propose a new detection methodology that overcomes these limitations by fully using JS code execution environment information. We leverage this information and create a virtual execution environment where shellcodes' real behavior can be precisely monitored and detection redundancy can be reduced. Following this methodology, we implement JSGuard, a prototype malicious JS code detection system in Debian Linux with kernel version 2.6.26. Our extensive experiments show that JSGuard reports very few false positives and false negatives with acceptable overhead.

show abstract

“…In this case, since bots cannot find new victims automatically, malware writers should employ other techniques. They install a malicious binary into compromised web sites and trick people into downloading it (i.e., drive-by-download [12]) or they ask other malware owners, who have pre-installed malware, to distribute their malware (i.e., pay-perinstallation (PPI) [17] [28]). This approach seems to be relatively passive because the operation sequence of this approach may depend on human actions or other tools.…”

Section: Introductionmentioning

confidence: 99%

Cross-Analysis of Botnet Victims: New Insights and Implications

Shin

Lin

2011

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract.In this paper, we analyze a large amount of infection data for three major botnets: Conficker, MegaD, and Srizbi. These botnets represent two distinct types of botnets in terms of the methods they use to recruit new victims. We propose the use of cross-analysis between these different types of botnets as well as between botnets of the same type in order to gain insights into the nature of their infection. In this analysis, we examine commonly-infected networks which appear to be extremely prone to malware infection. We provide an in-depth passive and active measurement study to have a fine-grained view of the similarities and differences for the two infection types. Based on our cross-analysis results, we further derive new implications and insights for defense. For example, we empirically show the promising power of cross-prediction of new unknown botnet victim networks using historic infection data of some known botnet that uses the same infection type with more than 80% accuracy.

show abstract

Defending Browsers against Drive-by Downloads: Mitigating Heap-Spraying Code Injection Attacks

Cited by 118 publications

References 12 publications

Detecting Malicious Javascript in PDF through Document Instrumentation

Detecting Malicious Javascript in PDF through Document Instrumentation

JSGuard: Shellcode Detection in JavaScript

Cross-Analysis of Botnet Victims: New Insights and Implications

Contact Info

Product

Resources

About