Detecting and Understanding Self-Deleting JavaScript Code
Pages 1768 - 1778
Abstract
Self-deletion is a well-known strategy frequently utilized by malware to evade detection. Recently, this technique has found its way into client-side JavaScript code, significantly raising the complexity of JavaScript analysis. In this work, we systematically study the emerging client-side JavaScript self-deletion behavior on the web. We tackle various technical challenges associated with JavaScript dynamic analysis and introduce JSRay, a browser-based JavaScript runtime monitoring system designed to comprehensively study client-side script deletion. We conduct a large-scale measurement of one million popular websites, revealing that script self-deletion is prevalent in the real world. While our findings indicate that most developers employ self-deletion for legitimate purposes, we also discover that self-deletion has already been employed together with other anti-analysis techniques for cloaking suspicious operations in client-side JavaScript.
Published In

May 2024
4826 pages
ISBN:9798400701719
DOI:10.1145/3589334
- General Chairs:
- Tat-Seng Chua,
- Chong-Wah Ngo,
- Proceedings Chair:
- Roy Ka-Wei Lee,
- Program Chairs:
- Ravi Kumar,
- Hady W. Lauw
Copyright © 2024 Owner/Author.
This work is licensed under a Creative Commons Attribution International 4.0 License.
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 13 May 2024
Qualifiers
- Research-article
Conference
WWW '24
Acceptance Rates
Overall Acceptance Rate 1,899 of 8,196 submissions, 23%