
Automatic Simplification of Obfuscated JavaScript Code (Extended Abstract)

  • Gen Lu
  • Kevin Coogan
  • Saumya Debray
Part of the Communications in Computer and Information Science book series (CCIS, volume 285)

Abstract

JavaScript is a scripting language that is commonly used to create sophisticated interactive client-side web applications. It can also be used to carry out browser-based attacks on users. Malicious JavaScript code is usually highly obfuscated, making detection a challenge. This paper describes a simple approach to deobfuscation of JavaScript code based on dynamic analysis and slicing. Experiments using a prototype implementation indicate that our approach is able to penetrate multiple layers of complex obfuscations and extract the core logic of the computation.

Keywords

System Call; Prototype Implementation; Execution Trace; Symbolic Execution; Code Transformation
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Gen Lu (1)
  • Kevin Coogan (1)
  • Saumya Debray (1)
  1. Department of Computer Science, The University of Arizona, Tucson, USA
