Defending Browsers against Drive-by Downloads: Mitigating Heap-Spraying Code Injection Attacks

  • Manuel Egele
  • Peter Wurzinger
  • Christopher Kruegel
  • Engin Kirda
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5587)

Abstract

Drive-by download attacks are among the most common methods for spreading malware today. These attacks typically exploit memory corruption vulnerabilities in web browsers and browser plug-ins to execute shellcode, and in consequence, gain control of a victim’s computer. Compromised machines are then used to carry out various malicious activities, such as joining botnets, sending spam emails, or participating in distributed denial of service attacks.

To counter drive-by downloads, we propose a technique that relies on x86 instruction emulation to identify JavaScript string buffers that contain shellcode. Our detection is integrated into the browser and performed before control is transferred to the shellcode, thus effectively thwarting the attack. The solution maintains fair performance by avoiding unnecessary invocations of the emulator, while ensuring that every buffer with potential shellcode is checked. We have implemented a prototype of our system and evaluated it over thousands of malicious and legitimate web sites. Our results demonstrate that the system performs accurate detection with no false positives.

Keywords

Drive-by download, malicious script, emulation, shellcode

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Manuel Egele (1)
  • Peter Wurzinger (1)
  • Christopher Kruegel (2)
  • Engin Kirda (3)
  1. Secure Systems Lab, Technical University Vienna, Austria
  2. University of California, Santa Barbara, USA
  3. Institute Eurecom, France
