Identifying evasive code in malicious websites by analyzing redirection differences

Yuta Takata, Mitsuaki Akiyama, Takeshi Yagi, Takeo Hariu, Kazuhiko Ohkubo, Shigeki Goto

    Research output: Contribution to journal › Article

    Abstract

    Security researchers/vendors detect malicious websites based on several website features extracted by honeyclient analysis. However, web-based attacks continue to be more sophisticated along with the development of countermeasure techniques. Attackers detect the honeyclient and evade analysis using sophisticated JavaScript code. The evasive code indirectly identifies vulnerable clients by abusing the differences among JavaScript implementations. Attackers deliver malware only to targeted clients on the basis of the evasion results while avoiding honeyclient analysis. Therefore, we are faced with a problem in that honeyclients cannot analyze malicious websites. Nevertheless, we can observe the evasion nature, i.e., the results in accessing malicious websites by using targeted clients are different from those by using honeyclients. In this paper, we propose a method of extracting evasive code by leveraging the above differences to investigate current evasion techniques. Our method analyzes HTTP transactions of the same website obtained using two types of clients, a real browser as a targeted client and a browser emulator as a honeyclient. As a result of evaluating our method with 8,467 JavaScript samples executed in 20,272 malicious websites, we discovered previously unknown evasion techniques that abuse the differences among JavaScript implementations. These findings will contribute to improving the analysis capabilities of conventional honeyclients.
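The core of the method in the abstract is to crawl the same website with two clients, a real browser and a browser emulator (honeyclient), and to compare the redirections each one followed: where the chains diverge, the script both clients executed just before the divergence is the natural place to look for client-dependent (evasive) logic. The routine below is an added illustration of that comparison step and is not the authors' implementation; the `Transaction` record format and the two sample transaction logs are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Response MIME types treated as script fetches rather than navigations.
SCRIPT_TYPES = {"application/javascript", "text/javascript", "application/x-javascript"}


@dataclass(frozen=True)
class Transaction:
    """One HTTP request/response observed by a client (constructed record format)."""
    url: str
    content_type: str   # MIME type of the response body
    referrer: str       # empty string for the initial request


# Constructed sample logs. Both clients load the same landing page and the same
# two scripts; only the real browser is then redirected to a further host.
REAL_BROWSER = [
    Transaction("http://landing.example/index.html", "text/html", ""),
    Transaction("http://landing.example/lib.js", "application/javascript", "http://landing.example/index.html"),
    Transaction("http://landing.example/check.js", "application/javascript", "http://landing.example/index.html"),
    Transaction("http://next-hop.example/step2.html", "text/html", "http://landing.example/index.html"),
    Transaction("http://next-hop.example/payload.bin", "application/octet-stream", "http://next-hop.example/step2.html"),
]
EMULATOR = [
    Transaction("http://landing.example/index.html", "text/html", ""),
    Transaction("http://landing.example/lib.js", "application/javascript", "http://landing.example/index.html"),
    Transaction("http://landing.example/check.js", "application/javascript", "http://landing.example/index.html"),
]


def redirect_chain(transactions: List[Transaction]) -> List[str]:
    """Ordered URLs of non-script fetches, i.e. the navigation/redirect chain."""
    return [t.url for t in transactions if t.content_type not in SCRIPT_TYPES]


def first_divergence(chain_a: List[str], chain_b: List[str]) -> Optional[int]:
    """Index of the first position where the two chains differ; None if identical."""
    n = min(len(chain_a), len(chain_b))
    for i in range(n):
        if chain_a[i] != chain_b[i]:
            return i
    return n if len(chain_a) != len(chain_b) else None


def divergence_report(real: List[Transaction], emu: List[Transaction]) -> Dict[str, object]:
    """Compare the two clients' transactions and name the candidate evasive scripts.

    Candidates are scripts fetched by BOTH clients from a document both clients
    reached before the chains diverge: the same code ran in both, yet only one
    client followed the next redirection, so the client-dependent branch most
    likely sits in one of those scripts.
    """
    chain_r, chain_e = redirect_chain(real), redirect_chain(emu)
    d = first_divergence(chain_r, chain_e)
    if d is None:
        return {"diverges_at": None, "candidate_scripts": []}
    common_docs = set(chain_r[:d])
    real_scripts = [t.url for t in real
                    if t.content_type in SCRIPT_TYPES and t.referrer in common_docs]
    emu_scripts = {t.url for t in emu
                   if t.content_type in SCRIPT_TYPES and t.referrer in common_docs}
    return {
        # URL the real browser reached but the emulator did not (None if the
        # emulator went further than the browser instead).
        "diverges_at": chain_r[d] if d < len(chain_r) else None,
        "candidate_scripts": [u for u in real_scripts if u in emu_scripts],
    }


if __name__ == "__main__":
    report = divergence_report(REAL_BROWSER, EMULATOR)
    print("chains diverge at:", report["diverges_at"])
    for url in report["candidate_scripts"]:
        print("candidate evasive script:", url)
```

On the constructed logs the chains part after the landing page, and both `lib.js` and `check.js` are reported as candidates; a real analysis would then diff or instrument those scripts to find the JavaScript-implementation difference the code keys on, which is the part of the paper this small example does not reproduce.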

    Original language: English
    Pages (from-to): 2600-2611
    Number of pages: 12
    Journal: IEICE Transactions on Information and Systems
    Volume: E101D
    Issue number: 11
    DOI: 10.1587/transinf.2017ICP0005
    Publication status: Published - 2018 Nov 1

    Keywords

    • Evasive code
    • Javascript
    • Malicious website
    • Redirection

    ASJC Scopus subject areas

    • Software
    • Hardware and Architecture
    • Computer Vision and Pattern Recognition
    • Electrical and Electronic Engineering
    • Artificial Intelligence

    Cite this

    Identifying evasive code in malicious websites by analyzing redirection differences. / Takata, Yuta; Akiyama, Mitsuaki; Yagi, Takeshi; Hariu, Takeo; Ohkubo, Kazuhiko; Goto, Shigeki.

    In: IEICE Transactions on Information and Systems, Vol. E101D, No. 11, 01.11.2018, p. 2600-2611.

    Takata, Yuta ; Akiyama, Mitsuaki ; Yagi, Takeshi ; Hariu, Takeo ; Ohkubo, Kazuhiko ; Goto, Shigeki. / Identifying evasive code in malicious websites by analyzing redirection differences. In: IEICE Transactions on Information and Systems. 2018 ; Vol. E101D, No. 11. pp. 2600-2611.

    @article{5cad2c01a0584930993816de3de36289,
    title = "Identifying evasive code in malicious websites by analyzing redirection differences",
    keywords = "Evasive code, Javascript, Malicious website, Redirection",
    author = "Yuta Takata and Mitsuaki Akiyama and Takeshi Yagi and Takeo Hariu and Kazuhiko Ohkubo and Shigeki Goto",
    year = "2018",
    month = "11",
    day = "1",
    doi = "10.1587/transinf.2017ICP0005",
    language = "English",
    volume = "E101D",
    pages = "2600--2611",
    journal = "IEICE Transactions on Information and Systems",
    issn = "0916-8532",
    publisher = "Maruzen Co., Ltd/Maruzen Kabushikikaisha",
    number = "11",
    }

    TY - JOUR
    T1 - Identifying evasive code in malicious websites by analyzing redirection differences
    AU - Takata, Yuta
    AU - Akiyama, Mitsuaki
    AU - Yagi, Takeshi
    AU - Hariu, Takeo
    AU - Ohkubo, Kazuhiko
    AU - Goto, Shigeki
    PY - 2018/11/1
    Y1 - 2018/11/1
    KW - Evasive code
    KW - Javascript
    KW - Malicious website
    KW - Redirection
    UR - http://www.scopus.com/inward/record.url?scp=85056095980&partnerID=8YFLogxK
    UR - http://www.scopus.com/inward/citedby.url?scp=85056095980&partnerID=8YFLogxK
    U2 - 10.1587/transinf.2017ICP0005
    DO - 10.1587/transinf.2017ICP0005
    M3 - Article
    VL - E101D
    SP - 2600
    EP - 2611
    JO - IEICE Transactions on Information and Systems
    JF - IEICE Transactions on Information and Systems
    SN - 0916-8532
    IS - 11
    ER -