Abstract
Nowadays, users and corporates are more and more connected to the web. User accesses her/his sensitive business/non-business applications using a web browser. There are numerous browsers’ based attacks and many of them are implemented using JavaScript. One of these attacks is Drive-by-Download. Security researchers introduced several tools and techniques to detect and/or prevent this serious attack. Few address the browser forensics to identify the attack traces/evidences and reconstruct the executed events of a downloaded malicious content. In this study, we introduce a postmortem forensic methodology that investigates a web browser subjected to Drive-by-Download attack. We develop a Firefox browser extension (FEPFA) to delve into the malicious URLs. The developed system is tested on malicious web pages and successfully identifies the digital evidences of the attack. The majority of the collected evidences were non-volatile evidences that could assist forensic investigator in the postmortem analysis.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Afonso, V. M., Grgio, A. R. A., Fernandes Filho, D. S., & de Geus, P. L. (2011). A hybrid system for analysis and detection of web-based client-side malicious code. In Proceedings of the IADIS international conference www/internet (Vol. 2011).
Canali, D., Cova, M., Vigna, G., & Kruegel, C. (2011, March). Prophiler: a fast filter for the large-scale detection of malicious web pages. In Proceedings of the 20th international conference on world wide web (pp. 197–206). ACM.
Catakoglu, O., Balduzzi, M., & Balzarotti, D. (2016, April). Automatic extraction of indicators of compromise for web applications. In Proceedings of the 25th international conference on WorldWideWeb (pp. 333–343). InternationalWorldWideWeb Conferences Steering Committee.
Choi, J. H., Lee, K. G., Park, J., Lee, C., & Lee, S. (2012). Analysis framework to detect artifacts of portable web browser. In Information technology convergence, secure and trust computing, and data management (pp. 207–214). Netherlands: Springer.
Cova, M., Kruegel, C., & Vigna, G. (2010, April). Detection and analysis of drive-by-download attacks and malicious JavaScript code. In Proceedings of the 19th international conference on world wide web (pp. 281–290). ACM.
Curtsinger, C., Livshits, B., Zorn, B. G., & Seifert, C. (2011, August). ZOZZLE: Fast and Precise In-Browser JavaScript Malware Detection. In USENIX security symposium (pp. 33–48).
De Maio, G., Kapravelos, A., Shoshitaishvili, Y., Kruegel, C., & Vigna, G. (2014, July). Pexy: The other side of exploit kits. In International conference on detection of intrusions and malware, and vulnerability assessment (pp. 132–151). Cham: Springer.
Fratantonio, Y., Kruegel, C., & Vigna, G. (2011, September). Shellzer: a tool for the dynamic analysis of malicious shellcode. In International workshop on recent advances in intrusion detection (pp. 61–80). Berlin Heidelberg: Springer.
Gu, B., Zhang, W., Bai, X., Champion, A. C., Qin, F., & Xuan, D. (2012, September). Jsguard: shellcode detection in JavaScript. In International conference on security and privacy in communication systems (pp. 112–130). Berlin Heidelberg: Springer.
Invernizzi, L., & Comparetti, P. M. (2012, May). Evilseed: A guided approach to finding malicious web pages. In 2012 IEEE symposium on security and privacy (SP), (pp. 428–442). IEEE.
Jayasinghe, G. K., Culpepper, J. S., & Bertok, P. (2014). Efficient and effective realtime prediction of drive-by download attacks. Journal of Network and Computer Applications, 38, 135–149.
Kapravelos, A., Shoshitaishvili, Y., Cova, M., Kruegel, C., & Vigna, G. (2013, August). Revolver: An automated approach to the detection of evasive web-based malware. In USENIX security (pp. 637–652).
Kolbitsch, C., Livshits, B., Zorn, B., & Seifert, C. (2012, May). Rozzle: De-cloaking internet malware. In 2012 IEEE symposium on security and privacy (SP), (pp. 443–457). IEEE.
Kotov, V., & Massacci, F. (2013, February). Anatomy of exploit kits. In International symposium on engineering secure software and systems (pp. 181–196). Berlin Heidelberg: Springer.
Laskov, P., & Šrndić, N. (2011, December). Static detection of malicious JavaScript-bearing PDF documents. In Proceedings of the 27th annual computer security applications conference (pp. 373–382). ACM.
Ligh, M., Adair, S., Hartstein, B., & Richard, M. (2010). Malware analyst’s cookbook and DVD: Tools and techniques for fighting malicious code. Hoboken, NJ: Wiley.
Lu, L., Yegneswaran, V., Porras, P., & Lee, W. (2010, October). Blade: An attack-agnostic approach for preventing drive-by malware infections. In Proceedings of the 17th ACM conference on computer and communications security (pp. 440–450). ACM.
Mohamed, S. M., Abdelbaki, N., & Shosha, A. F. (2016, January). Digital forensic analysis of web-browser based attacks. In Proceedings of the international conference on security and management (SAM) (p. 237). The Steering Committee of the World Congress in Computer Science, Computer Engineering and Applied Computing (WorldComp).
Oh, J., Lee, S., & Lee, S. (2011). Advanced evidence collection and analysis of web browser activity. Digital Investigation, 8, S62–S70.
Ohana, D. J., & Shashidhar, N. (2013). Do private and portable web browsers leave incriminating evidence?: A forensic analysis of residual artifacts from private and portable web browsing sessions. EURASIP Journal on Information Security, 2013(1), 6.
Ratanaworabhan, P., Livshits, V. B., & Zorn, B. G. (2009, August). NOZZLE: A defense against heap-spraying code injection attacks. In USENIX security symposium (pp. 169–186).
Van Overveldt, T., Kruegel, C., & Vigna, G. (2012, September). FlashDetect: ActionScript 3 malware detection. In International workshop on recent advances in intrusion detection (pp. 274–293). Berlin Heidelberg: Springer.
Virvilis, N., Mylonas, A., Tsalis, N., & Gritzalis, D. (2015). Security busters: Web browser security vs. rogue sites. Computers & Security, 52, 90–105.
Xing, X., Meng, W., Lee, B., Weinsberg, U., Sheth, A., Perdisci, R., & Lee, W. (2015, May). Understanding malvertising through ad-injecting browser extensions. In Proceedings of the 24th international conference on world wide web (pp. 1286–1295). ACM.
Zhang, J., Seifert, C., Stokes, J. W., & Lee, W. (2011, March). Arrow: Generating signatures to detect drive-by downloads. In Proceedings of the 20th international conference on world wide web (pp. 187–196). ACM.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2018 Springer International Publishing AG
About this chapter
Cite this chapter
Mosaad, S., Abdelbaki, N., Shosha, A.F. (2018). A Postmortem Forensic Analysis for a JavaScript Based Attack. In: Daimi, K. (eds) Computer and Network Security Essentials. Springer, Cham. https://doi.org/10.1007/978-3-319-58424-9_5
Download citation
DOI: https://doi.org/10.1007/978-3-319-58424-9_5
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-58423-2
Online ISBN: 978-3-319-58424-9
eBook Packages: EngineeringEngineering (R0)