Identifying evasive code in maliciouswebsites by analyzing redirection differences

Yuta Takata, Mitsuaki Akiyama, Takeshi Yagi, Takeo Hariu, Kazuhiko Ohkubo, Shigeki Goto

    研究成果: Article査読

    4 被引用数 (Scopus)


    Security researchers/vendors detect malicious websites based on several website features extracted by honeyclient analysis. However, web-based attacks continue to be more sophisticated along with the development of countermeasure techniques. Attackers detect the honeyclient and evade analysis using sophisticated JavaScript code. The evasive code indirectly identifies vulnerable clients by abusing the differences among JavaScript implementations. Attackers deliver malware only to targeted clients on the basis of the evasion results while avoiding honeyclient analysis. Therefore, we are faced with a problem in that honeyclients cannot analyze malicious websites. Nevertheless, we can observe the evasion nature, i.e., the results in accessing malicious websites by using targeted clients are different from those by using honeyclients. In this paper, we propose a method of extracting evasive code by leveraging the above differences to investigate current evasion techniques. Our method analyzes HTTP transactions of the same website obtained using two types of clients, a real browser as a targeted client and a browser emulator as a honeyclient. As a result of evaluating our method with 8,467 JavaScript samples executed in 20,272 malicious websites, we discovered previously unknown evasion techniques that abuse the differences among JavaScript implementations. These findings will contribute to improving the analysis capabilities of conventional honeyclients.

    ジャーナルIEICE Transactions on Information and Systems
    出版ステータスPublished - 2018 11月 1

    ASJC Scopus subject areas

    • ソフトウェア
    • ハードウェアとアーキテクチャ
    • コンピュータ ビジョンおよびパターン認識
    • 電子工学および電気工学
    • 人工知能


    「Identifying evasive code in maliciouswebsites by analyzing redirection differences」の研究トピックを掘り下げます。これらがまとまってユニークなフィンガープリントを構成します。