Understanding evasion techniques that abuse differences among JavaScript implementations

Yuta Takata, Mitsuaki Akiyama, Takeshi Yagi, Takeo Hariu, Shigeki Goto

    Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

    Abstract

    There is a common approach to detecting drive-by downloads using a classifier based on the static and dynamic features of malicious websites collected using a honeyclient. However, attackers detect the honeyclient and evade analysis using sophisticated JavaScript code. The evasive code indirectly identifies clients by abusing differences among JavaScript implementations. Attackers deliver malware only to targeted clients on the basis of the evasion results while avoiding honeyclient analysis. Therefore, we are faced with a problem in that honeyclients cannot extract features from malicious websites and the subsequent classifier does not work. Nevertheless, we can observe the nature of the evasion: the results of accessing a malicious website with a targeted client differ from those obtained with a honeyclient. In this paper, we propose a method of extracting evasive code by leveraging these differences, both to investigate current evasion techniques and to use them for analyzing malicious websites. Our method analyzes HTTP transactions of the same website obtained using two types of clients: a real browser as a targeted client and a browser emulator as a honeyclient. As a result of evaluating our method with 8,467 JavaScript samples executed in 20,272 malicious websites, we discovered previously unknown evasion techniques that abuse differences among JavaScript implementations. These findings will contribute to improving the analysis capabilities of conventional honeyclients.
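    The abstract describes the method only at a high level: visit the same site with a real browser and with a browser emulator, then compare the HTTP transactions to locate the code that behaved differently. The following is an added, constructed example of that differential step and of the kind of branch it is meant to expose; it is not code or data from the paper. The log format, the `client`/`url`/`initiator` field names, every URL, and the three engine probes in `engineObservables()` are assumptions made for this illustration, and the probes are not the evasion techniques the paper reports.

```javascript
// Added example, not code from the paper. Differential analysis of HTTP
// transaction logs captured by a real browser and by a browser emulator that
// visited the same URL. The log format, field names and every URL below are
// constructed for illustration.

// One record per HTTP request: the client that issued it, the requested URL, and
// the URL of the script (or page) whose execution initiated it; the top-level
// navigation has initiator null. A capture setup (proxy plus the browser's
// request-initiator information) would supply the same three fields.
const TRANSACTIONS = [
  // real browser (the targeted client)
  { client: "browser", url: "http://landing.example/index.html", initiator: null },
  { client: "browser", url: "http://landing.example/lib/probe.js", initiator: "http://landing.example/index.html" },
  { client: "browser", url: "http://landing.example/js/ui.js", initiator: "http://landing.example/index.html" },
  { client: "browser", url: "http://cdn.example/stage2.js", initiator: "http://landing.example/lib/probe.js" },
  { client: "browser", url: "http://cdn.example/exploit.bin", initiator: "http://cdn.example/stage2.js" },
  // browser emulator (the honeyclient)
  { client: "emulator", url: "http://landing.example/index.html", initiator: null },
  { client: "emulator", url: "http://landing.example/lib/probe.js", initiator: "http://landing.example/index.html" },
  { client: "emulator", url: "http://landing.example/js/ui.js", initiator: "http://landing.example/index.html" },
  { client: "emulator", url: "http://landing.example/blank.gif", initiator: "http://landing.example/lib/probe.js" },
];

// URLs requested by a given client.
function requestedBy(records, client) {
  return new Set(records.filter((r) => r.client === client).map((r) => r.url));
}

// Map initiator URL -> Set of URLs its execution requested, for one client.
function childRequests(records, client) {
  const tree = new Map();
  for (const r of records) {
    if (r.client !== client || r.initiator === null) continue;
    if (!tree.has(r.initiator)) tree.set(r.initiator, new Set());
    tree.get(r.initiator).add(r.url);
  }
  return tree;
}

// Evasive-code candidates: resources that BOTH clients fetched and executed, but
// whose follow-up requests differ between the clients. Resources fetched by only
// one client are excluded: they sit downstream of an earlier divergence and are
// the consequence of evasion, not the code that performed it.
function findEvasiveCandidates(records, realClient = "browser", emuClient = "emulator") {
  const emuUrls = requestedBy(records, emuClient);
  const common = [...requestedBy(records, realClient)].filter((u) => emuUrls.has(u));
  const realTree = childRequests(records, realClient);
  const emuTree = childRequests(records, emuClient);
  const candidates = [];
  for (const script of common) {
    const a = realTree.get(script) || new Set();
    const b = emuTree.get(script) || new Set();
    const onlyReal = [...a].filter((u) => !b.has(u)).sort();
    const onlyEmu = [...b].filter((u) => !a.has(u)).sort();
    if (onlyReal.length || onlyEmu.length) candidates.push({ script, onlyReal, onlyEmu });
  }
  return candidates;
}

// What such a candidate typically contains: a branch keyed on observables that
// differ between JavaScript engines rather than on navigator.userAgent. The three
// probes below are illustrative choices for this example, not findings from the
// paper; each returns a string whose exact value depends on the engine running it.
function engineObservables() {
  let nullAccessMessage;
  try { null.x; } catch (e) { nullAccessMessage = e.message; } // wording differs per engine
  return {
    nullAccessMessage,
    nativeToString: Math.max.toString(), // "[native code]" formatting differs per engine
    hasDocument: typeof document,        // "object" in a browser, "undefined" elsewhere
  };
}

// The attacker's side of the branch: deliver the next stage only if every
// observable matches a table recorded from the targeted browser, else a decoy.
function chooseBranch(observed, expected) {
  const matches = Object.keys(expected).every((k) => observed[k] === expected[k]);
  return matches ? "deliver-next-stage" : "serve-decoy";
}

console.log(JSON.stringify(findEvasiveCandidates(TRANSACTIONS), null, 2));
console.log(engineObservables());
```

    On the constructed log, `findEvasiveCandidates` reports `probe.js` as the only candidate: both clients fetched it, but the real browser went on to request `stage2.js` while the emulator requested only a blank image. `stage2.js` itself is not reported even though its children differ, because only one client ever fetched it. The check against the shared set of URLs is what keeps the analysis pointed at the code that made the decision rather than at everything that happened after it.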

    Original language: English
    Title of host publication: Web Information Systems Engineering – WISE 2017 - 18th International Conference, Proceedings
    Publisher: Springer Verlag
    Pages: 278-294
    Number of pages: 17
    Volume: 10570 LNCS
    ISBN (Print): 9783319687858
    DOI: 10.1007/978-3-319-68786-5_22
    Publication status: Published - 2017
    Event: 18th International Conference on Web Information Systems Engineering, WISE 2017 - Puschino, Russian Federation
    Duration: 2017 Oct 7 to 2017 Oct 11

    Publication series

    Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
    Volume: 10570 LNCS
    ISSN (Print): 0302-9743
    ISSN (Electronic): 1611-3349

    Keywords

    • Differential analysis
    • Evasive code
    • JavaScript
    • Web security

    ASJC Scopus subject areas

    • Theoretical Computer Science
    • Computer Science (all)

    Cite this

    Takata, Y., Akiyama, M., Yagi, T., Hariu, T., & Goto, S. (2017). Understanding evasion techniques that abuse differences among JavaScript implementations. In Web Information Systems Engineering – WISE 2017 - 18th International Conference, Proceedings (Vol. 10570 LNCS, pp. 278-294). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 10570 LNCS). Springer Verlag. https://doi.org/10.1007/978-3-319-68786-5_22
