Hunting for metamorphic JavaScript malware

  • Mangesh Musale
  • Thomas H. Austin
  • Mark Stamp
Original Paper


The Internet plays a major role in the propagation of malware. A recent trend is the infection of machines through web pages, often due to malicious code inserted in JavaScript. From the malware writer’s perspective, one potential advantage of JavaScript is that powerful code obfuscation techniques can be applied to evade detection. In this research, we analyze metamorphic JavaScript malware. We compare the effectiveness of several static detection strategies and we quantify the degree of morphing required to defeat each of these techniques.


Keywords (added by machine, not by the authors): Hidden Markov Model, Singular Value Decomposition, Simple Substitution, Dead Code, Opcode Sequence



Copyright information

© Springer-Verlag France 2014

Authors and Affiliations

  1. Department of Computer Science, San Jose State University, San Jose, United States
