Yuta TAKATA
NTT Secure Platform Laboratories
Mitsuaki AKIYAMA
NTT Secure Platform Laboratories
Takeshi YAGI
NTT Secure Platform Laboratories
Takeo HARIU
NTT Secure Platform Laboratories
Kazuhiko OHKUBO
NTT Secure Platform Laboratories
Shigeki GOTO
Waseda University
The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.
Yuta TAKATA, Mitsuaki AKIYAMA, Takeshi YAGI, Takeo HARIU, Kazuhiko OHKUBO, Shigeki GOTO, "Identifying Evasive Code in Malicious Websites by Analyzing Redirection Differences" in IEICE TRANSACTIONS on Information, vol. E101-D, no. 11, pp. 2600-2611, November 2018, doi: 10.1587/transinf.2017ICP0005.
Abstract: Security researchers/vendors detect malicious websites based on several website features extracted by honeyclient analysis. However, web-based attacks continue to be more sophisticated along with the development of countermeasure techniques. Attackers detect the honeyclient and evade analysis using sophisticated JavaScript code. The evasive code indirectly identifies vulnerable clients by abusing the differences among JavaScript implementations. Attackers deliver malware only to targeted clients on the basis of the evasion results while avoiding honeyclient analysis. Therefore, we are faced with a problem in that honeyclients cannot analyze malicious websites. Nevertheless, we can observe the evasion nature, i.e., the results in accessing malicious websites by using targeted clients are different from those by using honeyclients. In this paper, we propose a method of extracting evasive code by leveraging the above differences to investigate current evasion techniques. Our method analyzes HTTP transactions of the same website obtained using two types of clients, a real browser as a targeted client and a browser emulator as a honeyclient. As a result of evaluating our method with 8,467 JavaScript samples executed in 20,272 malicious websites, we discovered previously unknown evasion techniques that abuse the differences among JavaScript implementations. These findings will contribute to improving the analysis capabilities of conventional honeyclients.
URL: https://global.ieice.org/en_transactions/information/10.1587/transinf.2017ICP0005/_p
@ARTICLE{e101-d_11_2600,
author={Yuta TAKATA and Mitsuaki AKIYAMA and Takeshi YAGI and Takeo HARIU and Kazuhiko OHKUBO and Shigeki GOTO},
journal={IEICE TRANSACTIONS on Information},
title={Identifying Evasive Code in Malicious Websites by Analyzing Redirection Differences},
year={2018},
volume={E101-D},
number={11},
pages={2600-2611},
abstract={Security researchers/vendors detect malicious websites based on several website features extracted by honeyclient analysis. However, web-based attacks continue to be more sophisticated along with the development of countermeasure techniques. Attackers detect the honeyclient and evade analysis using sophisticated JavaScript code. The evasive code indirectly identifies vulnerable clients by abusing the differences among JavaScript implementations. Attackers deliver malware only to targeted clients on the basis of the evasion results while avoiding honeyclient analysis. Therefore, we are faced with a problem in that honeyclients cannot analyze malicious websites. Nevertheless, we can observe the evasion nature, i.e., the results in accessing malicious websites by using targeted clients are different from those by using honeyclients. In this paper, we propose a method of extracting evasive code by leveraging the above differences to investigate current evasion techniques. Our method analyzes HTTP transactions of the same website obtained using two types of clients, a real browser as a targeted client and a browser emulator as a honeyclient. As a result of evaluating our method with 8,467 JavaScript samples executed in 20,272 malicious websites, we discovered previously unknown evasion techniques that abuse the differences among JavaScript implementations. These findings will contribute to improving the analysis capabilities of conventional honeyclients.},
keywords={},
doi={10.1587/transinf.2017ICP0005},
ISSN={1745-1361},
month={November}
}
TY - JOUR
TI - Identifying Evasive Code in Malicious Websites by Analyzing Redirection Differences
T2 - IEICE TRANSACTIONS on Information
SP - 2600
EP - 2611
AU - Yuta TAKATA
AU - Mitsuaki AKIYAMA
AU - Takeshi YAGI
AU - Takeo HARIU
AU - Kazuhiko OHKUBO
AU - Shigeki GOTO
PY - 2018
DO - 10.1587/transinf.2017ICP0005
JO - IEICE TRANSACTIONS on Information
SN - 1745-1361
VL - E101-D
IS - 11
JA - IEICE TRANSACTIONS on Information
Y1 - November 2018
AB - Security researchers/vendors detect malicious websites based on several website features extracted by honeyclient analysis. However, web-based attacks continue to be more sophisticated along with the development of countermeasure techniques. Attackers detect the honeyclient and evade analysis using sophisticated JavaScript code. The evasive code indirectly identifies vulnerable clients by abusing the differences among JavaScript implementations. Attackers deliver malware only to targeted clients on the basis of the evasion results while avoiding honeyclient analysis. Therefore, we are faced with a problem in that honeyclients cannot analyze malicious websites. Nevertheless, we can observe the evasion nature, i.e., the results in accessing malicious websites by using targeted clients are different from those by using honeyclients. In this paper, we propose a method of extracting evasive code by leveraging the above differences to investigate current evasion techniques. Our method analyzes HTTP transactions of the same website obtained using two types of clients, a real browser as a targeted client and a browser emulator as a honeyclient. As a result of evaluating our method with 8,467 JavaScript samples executed in 20,272 malicious websites, we discovered previously unknown evasion techniques that abuse the differences among JavaScript implementations. These findings will contribute to improving the analysis capabilities of conventional honeyclients.
ER -