TY - GEN
T1 - Understanding evasion techniques that abuse differences among JavaScript implementations
AU - Takata, Yuta
AU - Akiyama, Mitsuaki
AU - Yagi, Takeshi
AU - Hariu, Takeo
AU - Goto, Shigeki
PY - 2017
Y1 - 2017
N2 - A common approach to detecting drive-by downloads trains a classifier on the static and dynamic features of malicious websites collected with a honeyclient. However, attackers detect the honeyclient and evade analysis using sophisticated JavaScript code. The evasive code indirectly identifies the client by abusing differences among JavaScript implementations, and attackers deliver malware only to the targeted clients selected by that check while avoiding honeyclient analysis. The honeyclient therefore cannot extract features from the malicious website, and the downstream classifier does not work. Evasion nevertheless leaves an observable trace: the results of accessing a malicious website with a targeted client differ from those obtained with a honeyclient. In this paper, we propose a method that leverages these differences to extract evasive code, both to investigate current evasion techniques and to support the analysis of malicious websites. Our method analyzes the HTTP transactions of the same website obtained with two types of clients, a real browser as the targeted client and a browser emulator as the honeyclient. Evaluating the method on 8,467 JavaScript samples executed on 20,272 malicious websites, we discovered previously unknown evasion techniques that abuse differences among JavaScript implementations. These findings will contribute to improving the analysis capabilities of conventional honeyclients.
AB - A common approach to detecting drive-by downloads trains a classifier on the static and dynamic features of malicious websites collected with a honeyclient. However, attackers detect the honeyclient and evade analysis using sophisticated JavaScript code. The evasive code indirectly identifies the client by abusing differences among JavaScript implementations, and attackers deliver malware only to the targeted clients selected by that check while avoiding honeyclient analysis. The honeyclient therefore cannot extract features from the malicious website, and the downstream classifier does not work. Evasion nevertheless leaves an observable trace: the results of accessing a malicious website with a targeted client differ from those obtained with a honeyclient. In this paper, we propose a method that leverages these differences to extract evasive code, both to investigate current evasion techniques and to support the analysis of malicious websites. Our method analyzes the HTTP transactions of the same website obtained with two types of clients, a real browser as the targeted client and a browser emulator as the honeyclient. Evaluating the method on 8,467 JavaScript samples executed on 20,272 malicious websites, we discovered previously unknown evasion techniques that abuse differences among JavaScript implementations. These findings will contribute to improving the analysis capabilities of conventional honeyclients.
KW - Differential analysis
KW - Evasive code
KW - JavaScript
KW - Web security
UR - http://www.scopus.com/inward/record.url?scp=85031431175&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85031431175&partnerID=8YFLogxK
U2 - 10.1007/978-3-319-68786-5_22
DO - 10.1007/978-3-319-68786-5_22
M3 - Conference contribution
AN - SCOPUS:85031431175
SN - 9783319687858
VL - 10570 LNCS
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 278
EP - 294
BT - Web Information Systems Engineering – WISE 2017 - 18th International Conference, Proceedings
PB - Springer Verlag
T2 - 18th International Conference on Web Information Systems Engineering, WISE 2017
Y2 - 7 October 2017 through 11 October 2017
ER -
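The abstract describes the core idea only in outline: record the HTTP transactions a real browser and a browser emulator produce for the same site, and use the points where the two traces diverge to locate the script that told them apart. The script below is an added illustration of that differential approach; it is not the authors' tool, and the transaction traces, URLs and script bodies in it are constructed for the example. It separates two causes of divergence a practitioner needs to keep apart: responses whose body differs between the two clients (server-side cloaking on request headers, which no JavaScript analysis explains), and follow-on requests that only one client made after both had received byte-identical script, which is the signature of client-side evasion the paper targets. The candidate it reports is the last script both clients fetched identically before their requests diverged.

```python
"""Differential analysis of HTTP transaction traces from two clients.

Added example illustrating the approach in the abstract (real browser vs.
browser emulator); not the paper's implementation. All traces below are
constructed sample data, not observations from the study.
"""
from dataclasses import dataclass
import hashlib
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Transaction:
    seq: int            # order in which the client issued the request
    url: str
    content_type: str   # response Content-Type as recorded by the client
    body: str           # response body (kept as text for the example)


def body_digest(body: str) -> str:
    """Short content hash so bodies can be compared without storing them twice."""
    return hashlib.sha256(body.encode("utf-8")).hexdigest()[:16]


def by_url(txs: Iterable[Transaction]) -> Dict[str, Transaction]:
    """First transaction per URL; later duplicates (retries, cache revalidation) are ignored."""
    out: Dict[str, Transaction] = {}
    for t in txs:
        out.setdefault(t.url, t)
    return out


def diff_transactions(real: List[Transaction], emulator: List[Transaction]) -> Dict[str, List[str]]:
    """Classify every URL by how the two traces disagree about it.

    only_real / only_emulator: the client took a branch the other did not.
    body_mismatch: same URL, different content, i.e. the server cloaked on the
    request (User-Agent, headers, IP) rather than the script probing the engine.
    """
    r, e = by_url(real), by_url(emulator)
    shared = set(r) & set(e)
    return {
        "only_real": sorted(set(r) - set(e)),
        "only_emulator": sorted(set(e) - set(r)),
        "body_mismatch": sorted(u for u in shared
                                if body_digest(r[u].body) != body_digest(e[u].body)),
    }


def _last_shared_script_before(trace: List[Transaction], shared_identical: set, seq: int) -> Optional[Transaction]:
    """Most recent script in `trace` before `seq` that both clients received byte-identically."""
    best: Optional[Transaction] = None
    for t in trace:
        if t.seq < seq and "javascript" in t.content_type and t.url in shared_identical:
            if best is None or t.seq > best.seq:
                best = t
    return best


def candidate_evasive_scripts(real: List[Transaction], emulator: List[Transaction]) -> List[str]:
    """Scripts that both clients executed from identical bytes, immediately before
    one client issued a request the other never made. Because the content was the
    same, the divergence is attributable to how each JavaScript implementation ran
    it, which is the evasion signature the differential approach looks for.
    """
    r, e = by_url(real), by_url(emulator)
    shared_identical = {u for u in set(r) & set(e)
                        if body_digest(r[u].body) == body_digest(e[u].body)}
    d = diff_transactions(real, emulator)
    candidates = set()
    for trace, own, only in ((real, r, d["only_real"]), (emulator, e, d["only_emulator"])):
        for url in only:
            s = _last_shared_script_before(trace, shared_identical, own[url].seq)
            if s is not None:
                candidates.add(s.url)
    return sorted(candidates)


# Constructed sample traces (hypothetical site, not data from the paper). Both
# clients fetch the landing page and the same scripts; the server cloaks ad.js by
# User-Agent, and probe.js sends the browser to payload.js but the emulator to decoy.png.
_INDEX = "<script src=lib.js></script><script src=ad.js></script><script src=probe.js></script>"
_LIB = "function load(u){var s=document.createElement('script');s.src=u;document.head.appendChild(s)}"
_PROBE = "load(check() ? 'payload.js' : 'decoy.png')"
REAL_BROWSER = [
    Transaction(1, "http://example.test/", "text/html", _INDEX),
    Transaction(2, "http://example.test/lib.js", "application/javascript", _LIB),
    Transaction(3, "http://example.test/ad.js", "application/javascript", "/* banner for browsers */"),
    Transaction(4, "http://example.test/probe.js", "application/javascript", _PROBE),
    Transaction(5, "http://example.test/payload.js", "application/javascript", "/* stage 2 */"),
]
EMULATOR = [
    Transaction(1, "http://example.test/", "text/html", _INDEX),
    Transaction(2, "http://example.test/lib.js", "application/javascript", _LIB),
    Transaction(3, "http://example.test/ad.js", "application/javascript", "/* banner for bots */"),
    Transaction(4, "http://example.test/probe.js", "application/javascript", _PROBE),
    Transaction(5, "http://example.test/decoy.png", "image/png", "\x89PNG"),
]

if __name__ == "__main__":
    print(diff_transactions(REAL_BROWSER, EMULATOR))
    print("candidate evasive scripts:", candidate_evasive_scripts(REAL_BROWSER, EMULATOR))
```

Run as-is to see the classification on the sample traces; on real captures, feed it the request order and bodies from the two clients' proxy logs. The body-mismatch list is worth keeping separate rather than discarding: a site that cloaks on User-Agent and also probes the engine shows up in both lists, and only the second kind tells you which script to hand to a human analyst.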