Abstract
Drive-by download attacks are among the most common methods for spreading malware today. These attacks typically exploit memory corruption vulnerabilities in web browsers and browser plug-ins to execute shellcode and, as a consequence, gain control of a victim's computer. Compromised machines are then used to carry out various malicious activities, such as joining botnets, sending spam emails, or participating in distributed denial of service attacks.
To counter drive-by downloads, we propose a technique that relies on x86 instruction emulation to identify JavaScript string buffers that contain shellcode. Our detection is integrated into the browser and performed before control is transferred to the shellcode, thus effectively thwarting the attack. The solution keeps performance overhead acceptable by avoiding unnecessary invocations of the emulator, while ensuring that every buffer that could hold shellcode is checked. We have implemented a prototype of our system and evaluated it over thousands of malicious and legitimate web sites. Our results demonstrate that the system performs accurate detection with no false positives.
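The abstract describes the pipeline (reconstruct the bytes a JavaScript string occupies in memory, skip buffers that cannot be shellcode, check the rest before control can reach them) but not what such a check looks like. The following is an added example written for this page, not code from the paper or its prototype. It approximates the emulation stage with two static heuristics that emulation-based detectors commonly rely on (a 0x90 NOP sled and a GetPC sequence) rather than driving a real x86 emulator, and the thresholds MIN_CANDIDATE_BYTES and MIN_SLED_LEN, the sample strings, and all function names are assumptions made for illustration.

```c
/* Added example: a static approximation of shellcode detection over
 * JavaScript string buffers. Not the paper's implementation, which runs
 * a real x86 emulator over each candidate buffer.
 *
 * Stages:
 *  1. expand a JS string built with unescape("%uXXXX") into the UTF-16LE
 *     bytes the engine stores, because that is what the CPU would execute;
 *  2. a cheap pre-filter so plain text never reaches the expensive stage;
 *  3. two well-known shellcode heuristics: a 0x90 NOP sled and a GetPC
 *     sequence (call $+5 / pop r32, or the FPU fnstenv [esp-0xC] trick).
 */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

#define MIN_CANDIDATE_BYTES 32   /* assumed: shorter buffers are skipped   */
#define MIN_SLED_LEN        16   /* assumed: minimum 0x90 run to count     */

enum { HIT_NOP_SLED = 1, HIT_GETPC = 2 };

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* "%uXXXX" becomes the two bytes XX(lo) XX(hi); every other character is
 * stored as itself followed by 0x00. Returns the number of bytes written. */
size_t js_string_to_utf16le(const char *js, unsigned char *out, size_t cap)
{
    size_t n = 0;
    const char *p = js;
    while (*p && n + 2 <= cap) {
        if (p[0] == '%' && p[1] == 'u' && hexval(p[2]) >= 0 && hexval(p[3]) >= 0
            && hexval(p[4]) >= 0 && hexval(p[5]) >= 0) {
            unsigned hi = (unsigned)(hexval(p[2]) * 16 + hexval(p[3]));
            unsigned lo = (unsigned)(hexval(p[4]) * 16 + hexval(p[5]));
            out[n++] = (unsigned char)lo;   /* little-endian code unit */
            out[n++] = (unsigned char)hi;
            p += 6;
        } else {
            out[n++] = (unsigned char)*p++;
            out[n++] = 0x00;
        }
    }
    return n;
}

/* Pre-filter: printable text in UTF-16 (printable, 0x00, printable, 0x00,
 * ...) cannot be x86 shellcode, so it is not worth analysing further. */
int is_plain_text_utf16(const unsigned char *b, size_t n)
{
    for (size_t i = 0; i + 1 < n; i += 2)
        if (b[i + 1] != 0x00 || !(isprint(b[i]) || isspace(b[i])))
            return 0;
    return 1;
}

/* Returns a bitmask of HIT_* flags found anywhere in the buffer. */
int shellcode_heuristics(const unsigned char *b, size_t n)
{
    int hits = 0;
    size_t run = 0;
    for (size_t i = 0; i < n; i++) {
        run = (b[i] == 0x90) ? run + 1 : 0;
        if (run >= MIN_SLED_LEN) hits |= HIT_NOP_SLED;
        /* call $+5 (E8 00 00 00 00) immediately followed by pop r32 (58..5F) */
        if (i + 5 < n && b[i] == 0xE8 && b[i + 1] == 0 && b[i + 2] == 0
            && b[i + 3] == 0 && b[i + 4] == 0 && b[i + 5] >= 0x58 && b[i + 5] <= 0x5F)
            hits |= HIT_GETPC;
        /* fnstenv [esp-0xC] (D9 74 24 F4): FPU-based GetPC */
        if (i + 3 < n && b[i] == 0xD9 && b[i + 1] == 0x74 && b[i + 2] == 0x24
            && b[i + 3] == 0xF4)
            hits |= HIT_GETPC;
    }
    return hits;
}

/* Full pipeline for one JS string: expand, pre-filter, then analyse. */
int analyze_js_string(const char *js)
{
    unsigned char buf[4096];
    size_t n = js_string_to_utf16le(js, buf, sizeof buf);
    if (n < MIN_CANDIDATE_BYTES || is_plain_text_utf16(buf, n))
        return 0;                      /* cheap path: detector not invoked */
    return shellcode_heuristics(buf, n);
}

/* Constructed samples for this example (not taken from the paper). The
 * spray string is 12 NOP code units, then call $+5 / pop eax, then filler. */
const char SPRAY_SAMPLE[] =
    "%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090"
    "%u00e8%u0000%u5800%u4b5b%u8b31%u5f5e";
const char BENIGN_SAMPLE[] =
    "Hello, this is a perfectly ordinary string that a web page might build at runtime.";

int main(void)
{
    printf("spray  -> hits=%d\n", analyze_js_string(SPRAY_SAMPLE));   /* 3 */
    printf("benign -> hits=%d\n", analyze_js_string(BENIGN_SAMPLE));  /* 0 */
    return 0;
}
```

The pre-filter is the part that matters for performance: most strings a page builds are text and are rejected in one pass, while any buffer that is long enough and contains non-text code units is always analysed, so nothing that could hold shellcode is skipped. A real emulator would replace shellcode_heuristics and would also catch sleds and GetPC variants that these two byte patterns miss.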
© 2009 Springer-Verlag Berlin Heidelberg
Cite this paper
Egele, M., Wurzinger, P., Kruegel, C., Kirda, E. (2009). Defending Browsers against Drive-by Downloads: Mitigating Heap-Spraying Code Injection Attacks. In: Flegel, U., Bruschi, D. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2009. Lecture Notes in Computer Science, vol 5587. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-02918-9_6
DOI: https://doi.org/10.1007/978-3-642-02918-9_6
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-02917-2
Online ISBN: 978-3-642-02918-9