Detection and analysis of drive-by-download attacks and malicious JavaScript code

Cova, Marco; Kruegel, Christopher; Vigna, Giovanni

doi:10.1145/1772690.1772720

Cited by 439 publications

(315 citation statements)

References 10 publications

Supporting

Mentioning

308

Contrasting

Unclassified

Order By: Relevance

“…They modeled a document as a set of structural paths and detected malicious PDF using Decision Tree and SVM (Support Vector Machine). Wepawet [18] uses JSAND [14], which leverages statistical and lexical features of Javascript, to detect malicious PDF. In general, static methods have been proven to be simple, fast, and effective.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Detecting Malicious Javascript in PDF through Document Instrumentation

Liu

Wang

Stavrou

2014

2014 44th Annual IEEE/IFIP International Conference on Dependable Systems and Networks

View full text Add to dashboard Cite

Abstract-An emerging threat vector, embedded malware inside popular document formats, has become rampant since 2008. Owed to its wide-spread use and Javascript support, PDF has been the primary vehicle for delivering embedded exploits. Unfortunately, existing defenses are limited in effectiveness, vulnerable to evasion, or computationally expensive to be employed as an on-line protection system. In this paper, we propose a context-aware approach for detection and confinement of malicious Javascript in PDF. Our approach statically extracts a set of static features and inserts context monitoring code into a document. When an instrumented document is opened, the context monitoring code inside will cooperate with our runtime monitor to detect potential infection attempts in the context of Javascript execution. Thus, our detector can identify malicious documents by using both static and runtime features. To validate the effectiveness of our approach in a realworld setting, we first conduct a security analysis, showing that our system is able to remain effective in detection and be robust against evasion attempts even in the presence of sophisticated adversaries. We implement a prototype of the proposed system, and perform extensive experiments using 18623 benign PDF samples and 7370 malicious samples. Our evaluation results demonstrate that our approach can accurately detect and confine malicious Javascript in PDF with minor performance overhead.

show abstract

Section: Related Workmentioning

confidence: 99%

“…One intuitive choice is to extract Javascript from documents [9] [14]. Alternatively, Javascript interpreters can be instrumented [15].…”

Section: Introductionmentioning

confidence: 99%

Detecting Malicious Javascript in PDF through Document Instrumentation

Liu

Wang

Stavrou

2014

2014 44th Annual IEEE/IFIP International Conference on Dependable Systems and Networks

View full text Add to dashboard Cite

show abstract

“…There have been many techniques proposed to detect drive-by downloads. Cova et al [5] proposed an emulation based execution of webpages to extract the behavior of JavaScript code and the use of machine-learning techniques to differentiate anomalous samples. An attack-agnostic approach was introduced in BLADE [11] based on the intuition that unconsented browser downloads should be isolated and not executed.…”

Section: Related Workmentioning

confidence: 99%

“…Because of the raw number of different vulnerabilities and drive-by download attacks, and the high rate of addition of new exploits and changes of the exploit kits, the fight against web-distributed malware is mostly carried out by automated analysis systems, called "honeyclients", that visit a web page suspected of malicious behavior and analyze the behavior of the page to determine its maliciousness [12,16,5,14,17,10]. These systems fall into two main categories: low-interaction honeyclients and high-interaction honeyclients.…”

Section: Introductionmentioning

confidence: 99%

PExy: The Other Side of Exploit Kits

Maio

Kapravelos

Shoshitaishvili

et al. 2014

Detection of Intrusions and Malware, and Vulnerability Assessment

Self Cite

View full text Add to dashboard Cite

Abstract. The drive-by download scene has changed dramatically in the last few years. What was a disorganized ad-hoc generation of malicious pages by individuals has evolved into sophisticated, easily extensible frameworks that incorporate multiple exploits at the same time and are highly configurable. We are now dealing with exploit kits. In this paper we focus on the server-side part of drive-by downloads by automatically analyzing the source code of multiple exploit kits. We discover through static analysis what checks exploit-kit authors perform on the server to decide which exploit is served to which client and we automatically generate the configurations to extract all possible exploits from every exploit kit. We also examine the source code of exploit kits and look for interesting coding practices, their detection mitigation techniques, the similarities between them and the rise of Exploit-as-a-Service through a highly customizable design. Our results indicate that even with a perfect drive-by download analyzer it is not trivial to trigger the expected behavior from an exploit kit so that it is classified appropriately as malicious.

show abstract

“…To locate the other nearby malicious pages, they design several gadgets to automatically generate search queries. However, with the three oracles used in their work, Google's Safe Browing blacklist [5], Wepawet [18], and a custom-built tool to detect sites that host fake AV tools, EvilSeed cannot handle more stealthy attacks such as Search Poisoning Attacks discussed in this paper. That is, EvilSeed can only find a small subset of these cloaking attacks that PoisonAmplifier can find.…”

Section: Related Workmentioning

confidence: 99%

PoisonAmplifier: A Guided Approach of Discovering Compromised Websites through Reversing Search Poisoning Attacks

Zhang

Yang

et al. 2012

Research in Attacks, Intrusions, and Defenses

View full text Add to dashboard Cite

Abstract. Through injecting dynamic script codes into compromised websites, attackers have widely launched search poisoning attacks to achieve their malicious goals, such as spreading spam or scams, distributing malware and launching drive-by download attacks. While most current related work focuses on measuring or detecting specific search poisoning attacks in the crawled dataset, it is also meaningful to design an effective approach to find more compromised websites on the Internet that have been utilized by attackers to launch search poisoning attacks, because those compromised websites essentially become an important component in the search poisoning attack chain. In this paper, we present an active and efficient approach, named PoisonAmplifier, to find compromised websites through tracking down search poisoning attacks. Particularly, starting from a small seed set of known compromised websites that are utilized to launch search poisoning attacks, PoisonAmplifier can recursively find more compromised websites by analyzing poisoned webpages' special terms and links, and exploring compromised web sites' vulnerabilities. Through our 1 month evaluation, PoisonAmplifier can quickly collect around 75K unique compromised websites by starting from 252 verified compromised websites within first 7 days and continue to find 827 new compromised websites on a daily basis thereafter.

show abstract

Detection and analysis of drive-by-download attacks and malicious JavaScript code

Cited by 439 publications

References 10 publications

Detecting Malicious Javascript in PDF through Document Instrumentation

Detecting Malicious Javascript in PDF through Document Instrumentation

PExy: The Other Side of Exploit Kits

PoisonAmplifier: A Guided Approach of Discovering Compromised Websites through Reversing Search Poisoning Attacks

Contact Info

Product

Resources

About