Defending Browsers against Drive-by Downloads: Mitigating Heap-Spraying Code Injection Attacks

  • Conference paper
Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2009)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 5587))

Abstract

Drive-by download attacks are among the most common methods for spreading malware today. These attacks typically exploit memory corruption vulnerabilities in web browsers and browser plug-ins to execute shellcode and, as a consequence, gain control of a victim’s computer. Compromised machines are then used to carry out various malicious activities, such as joining botnets, sending spam emails, or participating in distributed denial of service attacks.

To counter drive-by downloads, we propose a technique that relies on x86 instruction emulation to identify JavaScript string buffers that contain shellcode. Our detection is integrated into the browser and performed before control is transferred to the shellcode, thus effectively thwarting the attack. The solution maintains fair performance by avoiding unnecessary invocations of the emulator, while ensuring that every buffer with potential shellcode is checked. We have implemented a prototype of our system and evaluated it over thousands of malicious and legitimate web sites. Our results demonstrate that the system performs accurate detection with no false positives.
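As an added example (not the paper's code), the plumbing a browser-integrated detector needs around its emulator: converting a JavaScript string to the byte layout it occupies in memory, skipping buffers too small to matter, and analysing each distinct buffer only once. The x86 emulator is replaced by a stand-in that measures the longest run of single-byte x86 instructions; the thresholds, class and function names are assumptions.

```python
# Added example, not from the paper: gate logic around a shellcode emulator.
# The emulator is replaced by a simplified "longest executable run" stand-in.
import hashlib

# Opcodes that are complete single-byte x86 instructions in 32-bit mode:
# NOP, CLD/STD, CLC/STC, CMC, INC/DEC r32 (0x40-0x4F), PUSH/POP r32 (0x50-0x5F).
# Used only by the stand-in analyzer (assumption: a real deployment would hand
# the bytes to a full x86 emulator instead).
_ONE_BYTE_OPS = {0x90, 0xFC, 0xFD, 0xF8, 0xF9, 0xF5} | set(range(0x40, 0x60))

def js_string_to_bytes(s: str) -> bytes:
    """JavaScript strings are UTF-16 code units; a heap-spray string such as
    unescape('%u9090') lands in memory as little-endian code units, so the
    detector must scan that byte layout, not the source text."""
    return s.encode("utf-16-le")

def longest_executable_run(buf: bytes) -> int:
    """Stand-in for the emulator: longest run of consecutive bytes that each
    decode as a single-byte x86 instruction (a sled-like pattern)."""
    best = cur = 0
    for b in buf:
        cur = cur + 1 if b in _ONE_BYTE_OPS else 0
        best = max(best, cur)
    return best

class BufferGate:
    """Decides which JS string buffers are worth emulating and analyses each
    distinct buffer content only once (thresholds are constructed values)."""
    def __init__(self, min_len=64, run_threshold=32, analyzer=longest_executable_run):
        self.min_len = min_len
        self.run_threshold = run_threshold
        self.analyzer = analyzer
        self._seen = {}            # sha256(bytes) -> verdict
        self.emulator_calls = 0    # how often the (stand-in) emulator ran

    def check(self, js_string: str) -> bool:
        """True if the buffer's in-memory bytes look like shellcode."""
        buf = js_string_to_bytes(js_string)
        if len(buf) < self.min_len:        # too small to hold sled plus payload
            return False
        key = hashlib.sha256(buf).digest()
        if key not in self._seen:          # identical content already analysed
            self.emulator_calls += 1
            self._seen[key] = self.analyzer(buf) >= self.run_threshold
        return self._seen[key]
```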




Copyright information

© 2009 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Egele, M., Wurzinger, P., Kruegel, C., Kirda, E. (2009). Defending Browsers against Drive-by Downloads: Mitigating Heap-Spraying Code Injection Attacks. In: Flegel, U., Bruschi, D. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2009. Lecture Notes in Computer Science, vol 5587. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-02918-9_6

  • DOI: https://doi.org/10.1007/978-3-642-02918-9_6

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-02917-2

  • Online ISBN: 978-3-642-02918-9

  • eBook Packages: Computer Science (R0)
