Abstract
Javascript is a scripting language that is commonly used to create sophisticated interactive client-side web applications. It can also be used to carry out browser-based attacks on users. Malicious JavaScript code is usually highly obfuscated, making detection a challenge. This paper describes a simple approach to deobfuscation of JavaScript code based on dynamic analysis and slicing. Experiments using a prototype implementation indicate that our approach is able to penetrate multiple layers of complex obfuscations and extract the core logic of the computation.
This work was supported in part by the National Science Foundation via grant nos. CNS-1016058 and CNS-1115829, the Air Force Office of Scientific Research via grant no. FA9550-11-1-0191, and by a GAANN fellowship from the Department of Education award no. P200A070545.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Online Javascript obfuscator, http://www.daftlogic.com/projects-online-javascript-obfuscator.html
Aho, A.V., Sethi, R., Ullman, J.D.: Compilers – Principles, Techniques, and Tools. Addison-Wesley, Reading (1985)
Canali, D., Cova, M., Vigna, G., Kruegel, C.: Prophiler: A fast filter for the large-scale detection of malicious web pages. In: Proceedings of the 20th International Conference on World Wide Web, pp. 197–206. ACM (2011)
Coogan, K., Debray, S., Kaochar, T., Townsend, G.: Automatic static unpacking of malware binaries. In: Proc. 16th IEEE Working Conference on Reverse Engineering, pp. 167–176 (October 2009)
Curtsinger, C., Livshits, B., Zorn, B., Seifert, C.: Zozzle: Fast and precise in-browser JavaScript malware detection. In: USENIX Security Symposium (2011)
Feinstein, B., Peck, D., SecureWorks, Inc.: Caffeine monkey: Automated collection, detection and analysis of malicious JavaScript. Black Hat USA (2007)
Hallaraker, O., Vigna, G.: Detecting malicious JavaScript code in mozilla. In: Proc. 10th IEEE International Conference on Engineering of Complex Computer Systems, pp. 85–94 (June 2005)
Howard, F.: Malware with your mocha: Obfuscation and antiemulation tricks inmalicious JavaScript (2010)
Joelsson, E.: Decompilation for visualization of code optimizations (2003)
Kang, M.G., Poosankam, P., Yin, H.: Renovo: A hidden code extractor for packed executables. In: Proc. Fifth ACM Workshop on Recurring Malcode (WORM 2007) (November 2007)
Kirk, A.: Gumblar and more on Javascript obfuscation. Sourcefire Vulnerability Research Team (May 22, 2009), http://vrt-blog.snort.org/2009/05/gumblar-and-more-on-javascript.html
Lu, G., Coogan, K., Debray, S.: Automatic simplification of obfuscated JavaScript code. Technical report, Dept. of Computer Science, The University of Arizona (October 2011), http://www.cs.arizona.edu/~debray/Publications/js-deobf-full.pdf
Markowski, P.: ISC’s four methods of decoding Javascript + 1 (March 2010), http://blog.vodun.org/2010/03/iscs-four-methods-of-decoding.html
Martignoni, L., Christodorescu, M., Jha, S.: OmniUnpack: Fast, Generic, and Safe Unpacking of Malware. In: Proc. 21st Annual Computer Security Applications Conference (December 2007)
Mozilla. Spidermonkey JavaScript engine, https://developer.mozilla.org/en/SpiderMonkey
Muchnick, S.S.: Advanced compiler design and implementation (1997)
Nazario, J.: Reverse engineering malicious Javascript. CanSecWest (2007), http://cansecwest.com/csw07/csw07-nazario.pdf
Palant, W.: JavaScript deobfuscator 1.5.7, https://addons.mozilla.org/en-US/firefox/addon/javascript-deobfuscator/
Royal, P., Halpin, M., Dagon, D., Edmonds, R., Lee, W.: Polyunpack: Automating the hidden-code extraction of unpack-executing malware. In: ACSAC 2006: Proceedings of the 22nd Annual Computer Security Applications Conference, pp. 289–300 (2006)
Saxena, P., Akhawe, D., Hanna, S., Mao, F., McCamant, S., Song, D.: A symbolic execution framework for JavaScript. In: Proc. IEEE Symposium on Security and Privacy, pp. 513–528 (2010)
Wang, T., Roychoudhury, A.: Dynamic slicing on java bytecode traces. ACM Transactions on Programming Languages and Systems (TOPLAS)Â 30(2), 10 (2008)
Wesemann, D.: Advanced obfuscated JavaScript analysis (April 2008), http://isc.sans.org/diary.html?storyid=4246
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Lu, G., Coogan, K., Debray, S. (2012). Automatic Simplification of Obfuscated JavaScript Code (Extended Abstract). In: Dua, S., Gangopadhyay, A., Thulasiraman, P., Straccia, U., Shepherd, M., Stein, B. (eds) Information Systems, Technology and Management. ICISTM 2012. Communications in Computer and Information Science, vol 285. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-29166-1_31
Download citation
DOI: https://doi.org/10.1007/978-3-642-29166-1_31
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-29165-4
Online ISBN: 978-3-642-29166-1
eBook Packages: Computer ScienceComputer Science (R0)