Weaknesses in Defenses against Web-Borne Malware

Lu, Gen; Debray, Saumya

doi:10.1007/978-3-642-39235-1_8

Cited by 5 publications

(3 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…As the second alternative illustrates, the validation step of a defense need not involve an explicit comparison against some expected value; rather, it can simply be a computation that produces correct output if and only if the observation produces the observed value. Lu and Debray use a similar approach in a construct called "implicit conditionals" that branch to the correct targets only if certain environmental observations yield expected values [24].…”

Section: Self-checksumming-based Anti-tamper Defensesmentioning

confidence: 99%

“…However, identifying such conceptual similarities can be helpful for devising strategies for neutralizing them. For example, Cappaert et al [4] and Wang et al [41] discuss how checksum values can be used as code unpacking keys in anti-tampering defenses; Lu and Debray [24] discuss the use of timing information in antianalysis defenses in web-based malware that use emulationbased obfuscation. While these may seem, superficially, to be very different kinds of defenses, they share underlying structural similarities; understanding these similarities can be useful in adapting defenses from one to the other.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

A Framework for Understanding Dynamic Anti-Analysis Defenses

Qiu

Yadegari

Johannesmeyer

et al. 2014

Proceedings of the 4th Program Protection and Reverse Engineering Workshop

Self Cite

View full text Add to dashboard Cite

Malicious code often use a variety of anti-analysis and antitampering defenses to hinder analysis. Researchers trying to understand the internal logic of the malware have to penetrate these defenses. Existing research on such anti-analysis defenses tend to study them in isolation, thereby failing to see underlying conceptual similarities between different kinds of anti-analysis defenses. This paper proposes an information-flow-based framework that encompasses a wide variety of anti-analysis defenses. We illustrate the utility of our approach using two different instances of this framework: self-checksumming-based anti-tampering defenses and timing-based emulator detection. Our approach can provide insights into the underlying structure of various anti-analysis defenses and thereby help devise techniques for neutralizing them.

show abstract

Section: Self-checksumming-based Anti-tamper Defensesmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

A Framework for Understanding Dynamic Anti-Analysis Defenses

Qiu

Yadegari

Johannesmeyer

et al. 2014

Proceedings of the 4th Program Protection and Reverse Engineering Workshop

Self Cite

View full text Add to dashboard Cite

show abstract

“…Attackers abuse various web techniques to evade analysis and detection by security researchers/vendors. For example, JavaScript code pieces separately written in many script tags (scattered code) and JavaScript code dynamically generated by eval() and DOM manipulation functions (obfuscated code) are used in malicious websites to evade signature matching [16]. In addition, attackers abuse browserfingerprinting techniques to increase the success rate of exploitation.…”

Section: Motivating Examplementioning

confidence: 99%

Identifying Evasive Code in Malicious Websites by Analyzing Redirection Differences

Takata

Akiyama

Yagi

et al. 2018

IEICE Trans. Inf. & Syst.

View full text Add to dashboard Cite

Security researchers/vendors detect malicious websites based on several website features extracted by honeyclient analysis. However, web-based attacks continue to be more sophisticated along with the development of countermeasure techniques. Attackers detect the honeyclient and evade analysis using sophisticated JavaScript code. The evasive code indirectly identifies vulnerable clients by abusing the differences among JavaScript implementations. Attackers deliver malware only to targeted clients on the basis of the evasion results while avoiding honeyclient analysis. Therefore, we are faced with a problem in that honeyclients cannot analyze malicious websites. Nevertheless, we can observe the evasion nature, i.e., the results in accessing malicious websites by using targeted clients are different from those by using honeyclients. In this paper, we propose a method of extracting evasive code by leveraging the above differences to investigate current evasion techniques. Our method analyzes HTTP transactions of the same website obtained using two types of clients, a real browser as a targeted client and a browser emulator as a honeyclient. As a result of evaluating our method with 8,467 JavaScript samples executed in 20,272 malicious websites, we discovered previously unknown evasion techniques that abuse the differences among JavaScript implementations. These findings will contribute to improving the analysis capabilities of conventional honeyclients.

show abstract