Automatic De-obfuscation-based Malicious Webpages Detection

doi:10.3969/j.issn.1671-1122.2019.04.005

Abstract

Abstract:

Browsing webpages is a popular way of using internet for many users. But malicious webpages can compromise users’ computer systems, steal the sensitive privacy data from users, and often result in users’ financial loss or making the compromised systems bots. So malicious webpages are becoming notorious threats of information security and computer systems. Moreover, malicious webpages often obfuscated their malicious codes to fuzz their signatures and make signature-based anti-virus engines cannot function effectively. This paper proposed an approach of automatic de-obfuscation based malicious webpage detection. Firstly, the proposed approach leverages taint analysis to automatically locate obfuscated code relevant of data and code. Next, based on the located data and code, it can change the obfuscated code into de-obfuscated code and replace these generated codes for the related obfuscated code in webpages. Finally, apply a well-known signature-based anti-virus engine to modified webpages for malicious code detection. This paper also conducted experiments to evaluate the proposed approach. The experimental results show that the approach can locate obfuscated code contained in webpages, de-obfuscate the obfuscated code successfully, and averagely enhances around 50 percent of malicious webpages detection ratio for 13 anti-virus engines deployed in VirusTotal website. Three of these anti-virus engines have increased detection rates by more than 80%.

Key words: malicious webpages, de-obfuscation, JavaScript, cyber security

CLC Number:

TP309

Yitao NI, Yongjia CHEN, Bogang LIN. Automatic De-obfuscation-based Malicious Webpages Detection[J]. Netinfo Security, 2019, 19(4): 37-46.

Figures/Tables 5

References 15

[1]	FU Leipeng, ZHANG Han, HUO Luyang.JavaScript Malicious Script Detection Algorithm Based on Multi-class Features[J]. Pattern Recognition and Artificial Intelligence, 2015, 28(12): 1110-1118.
	付垒朋,张瀚,霍路阳. 基于多类特征的JavaScript恶意脚本检测算法[J].模式识别与人工智能,2015,28(12):1110-1118.
[2]	CURTSINGER C, LIVSHITS B, ZORN B, et al. ZOZZLE: Fast and Precise In-Browser JavaScript Malware Detection[EB/OL]. , 2018-10-1.
[3]	PAN Jinkun, MAO Xiaoguang. Obfuscated Malicious JavaScript Detection by Machine Learning[EB/OL]. , 2018-10-10.
[4]	KLOFT M, BIKADOROV A, RIECK K. Early Detection of Malicious Behavior in JavaScript Code [EB/OL]. , 2018-11-1.
[5]	AEBESOLD S, KRYSZCZUK K, PAGANONI S, et al. Detecting Obfuscated JavaScripts using Machine Learning [EB/OL]. , 2018-11-1.
[6]	RIECK K, KRUEGER T, DEWALD A. Cujo: Efficient Detection and Prevention of Drive-by-download Attacks [EB/OL]. , 2018-11-1.
[7]	XU Wei, ZHANG Fangfang, ZHU Sencun. JStill: Mostly Static Detection of Obfuscated Malicious JavaScript Code [EB/OL]. , 2018-11-1.
[8]	SUN Jingchao.A Classification Method of Web Page Using Machine Learning[J]. Netinfo Security, 2017, 17(9):45-48.
	孙靖超. 一种基于机器学习的网页分类技术[J].信息网络安全,2017,17(9):45-48.
[9]	MA J, SAUL L K, SAVAGE S, et al.Learning to Detect Malicious URLs[J]. ACM Transactions on Intelligent Systems & Technology, 2011, 2(3):1-24.
[10]	MA J, SAUL L K, SAVAGE S, et al. Beyond Blacklists: Learning to Detect Malicious Web Sites from Suspicious URLs [EB/OL]. , 2018-11-1.
[11]	MA J, SAUL L K, SAVAGE S, et al. Identifying suspicious URLs: an application of large-scale online learning [EB/OL]. , 2018-11-1.
[12]	CHOI Hyunsang, ZHU Bin, LEE Heejo. Detecting Malicious Web Links and Identifying Their Attack Types [EB/OL]. , 2018-11-1.
[13]	ESHETE B, VILLAFIORITA A, WELDEMARIAM K. BINSPECT: Holistic Analysis and Detection of Malicious Web Pages[EB/OL]. , 2018-10-1.
[14]	STOCK B, JHONS M, STEFFENS M, BACKES M. How the Web Tangled Itself: Uncovering the History of Client-Side Web (In)Security [EB/OL]. , 2018-11-1.
[15]	CANALI D, COVA M, VIGNA G, KRUEGEL C. Prophiler: A Fast Filter for the Large-scale Detection of Malicious Web Pages[EB/OL]. , 2018-11-1.

恶意网页检测引擎名称	对解混淆前样本的检测率/%	对解混淆后样本的检测率/%	从解混淆后的样本中检测到恶意代码而解混淆前没检测到的样本数
F-Secure	56.88	57.90	219
GData	83.82	83.82	33
ALYac	84.66	83.63	34
TrendMicro-HouseCall	0.19	42.66	433
MicroWorld-eScan	86.16	87.09	12
Avast	1.50	85.59	894
Ikarus	75.96	82.60	107
BitDefender	86.06	86.81	15
Arcabit	82.79	83.07	43
MAX	86.81	87.46	6
Ad-Aware	86.34	86.25	9
AVG	1.22	85.41	896
Emsisoft	84.66	85.59	25
AegisLab	0.84	43.59	444
Qihoo-360	0.94	42.75	433
ZoneAlarm	82.41	81.20	15
Kaspersky	82.23	81.48	8
Cyren	3.09	16.56	141
Microsoft	83.91	85.69	27
McAfee-GW-Edition	80.82	80.17	23
NANO-Antivirus	0.09	81.01	865
Symantec	0.56	43.97	453
Avira	81.57	81.01	16
K7AntiVirus	82.13	81.48	8
K7GW	82.32	81.20	6
Rising	55.75	80.73	279
Tencent	0.09	20.77	222
ViRobot	0.00	36.86	394
Yandex	0.00	11.97	128

特征	原始脚本出现次数	解混淆后出现次数	增量
eval函数	0	1180	1180
setTimeout和setInterval函数	0	4655	4655
关键词	427147	641743	214596
Unescape等常用于解混淆的内置函数	14545	60427	45882
可疑标签名	1	11505	11504
可疑对象	1	7250	7249
DOM对象修改函数	3875	49277	45402