Hunting for metamorphic JavaScript malware

  • Original Paper
Journal of Computer Virology and Hacking Techniques

Abstract

The Internet plays a major role in the propagation of malware. A recent trend is the infection of machines through web pages, often due to malicious code inserted in JavaScript. From the malware writer’s perspective, one potential advantage of JavaScript is that powerful code obfuscation techniques can be applied to evade detection. In this research, we analyze metamorphic JavaScript malware. We compare the effectiveness of several static detection strategies and we quantify the degree of morphing required to defeat each of these techniques.

Notes

  1. For example, self-decryption is not behavior that we typically expect to see in benign code.

Author information

Correspondence to Mark Stamp.

Cite this article

Musale, M., Austin, T.H. & Stamp, M. Hunting for metamorphic JavaScript malware. J Comput Virol Hack Tech 11, 89–102 (2015). https://doi.org/10.1007/s11416-014-0225-8

  • DOI: https://doi.org/10.1007/s11416-014-0225-8
