Understanding Evasion Techniques that Abuse Differences Among JavaScript Implementations

Takata, Yuta; Akiyama, Mitoshi; Yagi, T.; Hariu, Takeo; Goto, Shigeki

doi:10.1007/978-3-319-68786-5_22

Cited by 2 publications

(1 citation statement)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Therefore, the attacker must identify semantic discrepancies that are due to either implementation bugs in the viewer or in SAFE-PDF and exploit them. This type of attack is also very unlikely, but not unheard of [47].…”

Section: Threat Model and Possible Attacksmentioning

confidence: 99%

SAFE-PDF: Robust Detection of JavaScript PDF Malware Using Abstract Interpretation

Jordan,

Gauthier,

Hassanshahi

et al. 2018

Preprint

View full text Add to dashboard Cite

The popularity of the PDF format and the rich JavaScript environment that PDF viewers offer make PDF documents an attractive attack vector for malware developers. PDF documents present a serious threat to the security of organizations because most users are unsuspecting of them and thus likely to open documents from untrusted sources.We propose to identify malicious PDFs by using conservative abstract interpretation to statically reason about the behavior of the embedded JavaScript code. Currently, state-of-the-art tools either: (1) statically identify PDF malware based on structural similarity to known malicious samples; or (2) dynamically execute the code to detect malicious behavior. These two approaches are subject to evasion attacks that mimic the structure of benign documents or do not exhibit their malicious behavior when being analyzed dynamically. In contrast, abstract interpretation is oblivious to both types of evasions. A comparison with two state-of-the-art PDF malware detection tools shows that our conservative abstract interpretation approach achieves similar accuracy, while being more resilient to evasion attacks.

show abstract

Section: Threat Model and Possible Attacksmentioning

confidence: 99%

SAFE-PDF: Robust Detection of JavaScript PDF Malware Using Abstract Interpretation

Jordan,

Gauthier,

Hassanshahi

et al. 2018

Preprint

View full text Add to dashboard Cite

show abstract

Identifying Evasive Code in Malicious Websites by Analyzing Redirection Differences

Takata

Akiyama

Yagi

et al. 2018

IEICE Trans. Inf. & Syst.

Self Cite

View full text Add to dashboard Cite

Security researchers/vendors detect malicious websites based on several website features extracted by honeyclient analysis. However, web-based attacks continue to be more sophisticated along with the development of countermeasure techniques. Attackers detect the honeyclient and evade analysis using sophisticated JavaScript code. The evasive code indirectly identifies vulnerable clients by abusing the differences among JavaScript implementations. Attackers deliver malware only to targeted clients on the basis of the evasion results while avoiding honeyclient analysis. Therefore, we are faced with a problem in that honeyclients cannot analyze malicious websites. Nevertheless, we can observe the evasion nature, i.e., the results in accessing malicious websites by using targeted clients are different from those by using honeyclients. In this paper, we propose a method of extracting evasive code by leveraging the above differences to investigate current evasion techniques. Our method analyzes HTTP transactions of the same website obtained using two types of clients, a real browser as a targeted client and a browser emulator as a honeyclient. As a result of evaluating our method with 8,467 JavaScript samples executed in 20,272 malicious websites, we discovered previously unknown evasion techniques that abuse the differences among JavaScript implementations. These findings will contribute to improving the analysis capabilities of conventional honeyclients.

show abstract

Understanding Evasion Techniques that Abuse Differences Among JavaScript Implementations

Cited by 2 publications

References 16 publications

SAFE-PDF: Robust Detection of JavaScript PDF Malware Using Abstract Interpretation

SAFE-PDF: Robust Detection of JavaScript PDF Malware Using Abstract Interpretation

Identifying Evasive Code in Malicious Websites by Analyzing Redirection Differences

Contact Info

Product

Resources

About