
Automatic Simplification of Obfuscated JavaScript Code (Extended Abstract)

  • Conference paper
Information Systems, Technology and Management (ICISTM 2012)

Part of the book series: Communications in Computer and Information Science (CCIS, volume 285)

Abstract

JavaScript is a scripting language that is commonly used to create sophisticated interactive client-side web applications. It can also be used to carry out browser-based attacks on users. Malicious JavaScript code is usually highly obfuscated, making detection a challenge. This paper describes a simple approach to deobfuscation of JavaScript code based on dynamic analysis and slicing. Experiments using a prototype implementation indicate that our approach is able to penetrate multiple layers of complex obfuscations and extract the core logic of the computation.

This work was supported in part by the National Science Foundation via grant nos. CNS-1016058 and CNS-1115829, the Air Force Office of Scientific Research via grant no. FA9550-11-1-0191, and by a GAANN fellowship from the Department of Education award no. P200A070545.




Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Lu, G., Coogan, K., Debray, S. (2012). Automatic Simplification of Obfuscated JavaScript Code (Extended Abstract). In: Dua, S., Gangopadhyay, A., Thulasiraman, P., Straccia, U., Shepherd, M., Stein, B. (eds) Information Systems, Technology and Management. ICISTM 2012. Communications in Computer and Information Science, vol 285. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-29166-1_31


  • DOI: https://doi.org/10.1007/978-3-642-29166-1_31

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-29165-4

  • Online ISBN: 978-3-642-29166-1

  • eBook Packages: Computer Science, Computer Science (R0)
