-
Browser JS Guard: Detects and Defends against
Malicious JavaScript Injection based Drive by
Download Attacks
Ravi Kishore K, Mallesh M, Jyostna G and P R L Eswari
Centre for Development of Advanced Computing,
Hyderabad
Email:
{ravikishorek,malleshm,gjyostna,prleswari}@cdac.inhttp://www.cdachyd.in
Samavedam Satyanadha Sarma
CERT-IN, DIT,
New Delhi
Email: [email protected]
http://www.cert-in.org.in
AbstractIn the recent times, most of the systems connectedto
Internet are getting infected with the malware and some ofthese
systems are becoming zombies for the attacker. When userknowingly
or unknowingly visits a malware website, his systemgets infected.
Attackers do this by exploiting the vulnerabilitiesin the web
browser and acquire control over the underlyingoperating system.
Once attacker compromises the users webbrowser, he can instruct the
browser to visit the attackers websiteby using number of
redirections. During the process, users webbrowser downloads the
malware without the intervention of theuser. Once the malware is
downloaded, it would be placed inthe file system and responds as
per the instructions of theattacker. These types of attacks are
known as Drive by Downloadattacks. Now-a-days, Drive by Download is
the major channelfor delivering the Malware. In this paper, Browser
JS Guardan extension to the browser is presented for detecting
anddefending against Drive by Download attacks via HTML tagsand
JavaScript.
KeywordsMalware, HTML tags, DOM Change Methods,JavaScript
Functions, Web Browser, Web Browser Extensions, Driveby Download
Attacks.
I. INTRODUCTION
With the increasing usage of Internet, the attacking chan-nels
are flagging towards the usage of web browsers and webapplications
widely. Browsers have evolved from static doc-ument renderers to
todays sophisticated execution platformsfor web applications.
Browsers are very much susceptibleto attacks through exploitable
vulnerabilities. Attacker usesbrowser/ browser plug-in/ webpage as
vehicles to infect endsystem without directly connecting to
them.
Attacks are launching through memory, web content, webmarkup or
scripting language level exploits. In a typicalXSS attack, due to
the vulnerability in validating the input,attacker can inject
malicious JavaScript code as a commentin the blog or reply to a
post. This injection leads to theexecution of malicious JavaScript
code with the privileges ofweb application. This injection affects
the users who visit thesewebsites. This makes attacker get
unauthorized access to datastored at users end system without their
knowledge.
Now-a-days, it became very easy for any user to downloadand
install the required software from web without checking
whether they are trusted or untrusted sites. Attackers aretaking
this as an advantage and tricking the users to downloadmalicious
software. This is one of the easy channels for anattacker, as he
can enter into the users end system withoutexploiting any
vulnerability. It is also possible for attackerto exploit browser
vulnerabilities and download maliciouscode into end system when
user visits compromised websites,knowingly or unknowingly. One such
type of popular attackis Drive by Download attack [16], [17].
In this attack, initially the attacker compromises a legit-imate
web server and inserts a script in web application.When user
accesses the web site that was compromised bythe attacker, web
server sends the injected script along withthe requested page. This
script is either an exploit script or itimports exploit from a
central server which is controlled bythe attacker and this import
is either a direct inclusion of theresources from the remote server
or through a number of redi-rections the browser is instructed to
follow. A redirection startsfrom one web server to the other that
actually plays part ofhop points. After following a number of
redirections the usersrequest reaches the central exploit server.
The central exploitserver sends the exploit script depending on the
fingerprintof the user end system. Fingerprinting is done by using
theUser-Agent field present in the HTTP request coming from
theusers web browser. Fingerprinting includes web browser typeand
underlying operating system along with version details.Imported
exploit script is used to exploit the vulnerabilitypresent either
in the browser/ browser plug-in/ webpage. Thisexploit instructs the
browser to visit the malware distributionsite. This is, actually,
when the Drive by Download starts.Malware executables are
downloaded and users end systemautomatically installs and executes
the malicious code.
II. BACKGROUND
In the earlier days attackers used vulnerabilities in
theoperating system configuration or installed applications
forexploitation. With the advent of web, attackers have
changedtheir target to web browser and its plug-ins. Some of
thecurrent day attacks such as XSS (Cross Site Scripting) andCSRF
(Cross Site Request Forgery) does not require exploitingthe
vulnerabilities in the clients browser or system. In these
978-1-4799-2259-14/$31.002014 92
-
Fig. 1: Drive by Download attack scenario - Exploit coderesides
on Target server
attacks, malicious code is injected into the webpage andattacker
tricks the client to visit the infected webpage forgetting access
to users web browser. Through this Drive byDownload attack is
carried out.
In some scenarios, Drive by Download attack is initiatedfrom a
genuine web server. Attacker initially injects themalicious code
into the web server and then tricks the userto visit the web page
in which the malicious code is injected.This injected malicious
code typically written in JavaScriptlanguage redirects browser
requests and downloads exploitcode. Injected malicious code allows
execution of downloadedexploit code by exploiting vulnerabilities
in web browser.
If successful, the attack will be able to execute arbitrarycode
with the privileges of the user. During this process it
usesRedirections (to other malicious websites), Fingerprinting
andObfuscations. Drive by Download attack is explained in
detailwith the following scenarios.
In the first scenario, attacker prepares the attack usinga
genuine web server. Attacker injects into the target webserver, PHP
code as well as web content to redirect theuser to PHP code through
iframe tag. Web browser accessesthe injected web page when
connected to the target webserver. After accessing the injected web
page from the server,web browser gets redirected to PHP page. This
redirection ispossible through iframe tag. Now the web server sends
theattack code or payload to the web browser if it is
vulnerable.Target browser runs the exploit script received from the
targetweb server as it is from the same origin. This is one
scenariofor Drive by Download attack, where the exploit code
alsoresides in the target web server as shown in Figure 1.
In second scenario exploit code resides on attacker serveras
shown in Figure 2. In this scenario, attacker injects thecontent
into target web server. Injected content refers to ascript residing
in attackers web server. Target browser fetchesthe injected web
page from the target web server. Wheneverbrowser renders the
fetched web page, client browser is beingredirected to a script on
attackers web server which is referredby using Script src tag.
Attackers web server delivers theexploit code to the target browser
if it is vulnerable. Target
Fig. 2: Drive by Download attack scenario Exploit coderesides on
Attacker Server
web browser runs the exploit code received from the
attackersserver.
Detailed analysis on mechanisms used by JavaScript injec-tion
attacks is carried out and the result is shown in Figure3. From the
analysis, it is understood that Hidden iframe andJS Obfuscation are
the main mechanisms for initializing theattack. Sample obfuscated
codes found in various attacks arepresented below.
Sample 1: Obfuscated Code:
eval(unescape(%64%6F%63%75%6D%65%6E%74%2E
%77%72%69%......(some bytes skipped) .......3E%3
C%2F%69%66%72%61%6D%65%3E%27%29));
De Obfuscated Code:
document.write();
Sample 2: Obfuscated Code:
p=parseInt;ss=(123)?
String.fromCharCode:0;asgq="28!66!75!6e!63!74!6@
!6f!6e!20!28!2@!20!7b! ... (some bytes skipped)
.... 7a!74!2@!3b!d!a!20!20!20!20!7d!d!a!7d!2@
!28!2@!3b".replace(/@/g,"9").split("!");try{
document.body&=0.1}catch(gdsgsdg){zz=3;dbshre
=62;if(dbshre){vfvwe=0;try{document;}catch(agdsg
){vfvwe=1;}if(!vfvwe){e=eval;}s="";if(zz)for(i
=0;i-485!=0;i++){if(window.document)s+=ss(p(asgq
[i],16));}if(window.document)e(s);}}
De Obfuscated Code:
(function() {
var pzt = document.createElement(iframe);
pzt.src = http://www.betterbailbonds.net/
VLNSec01/cnt.php;
pzt.style.position = absolute;
pzt.style.border = 0;
pzt.style.height = 1px;
pzt.style.width = 1px;
pzt.style.left = 1px;
pzt.style.top = 1px;
if (!document.getElementById(pzt)) {
93
-
Fig. 3: Mechanisms used by JavaScript Injection Attacks
document.write();
document.getElementById(pzt).appendChild(
pzt);
} })();
If the obfuscated code of the Sample code is de-obfuscatedthen
it is leading to a hidden iframe which redirects the userto an evil
URL.
Consider an example of a website compromised in therecent times.
PHP.net has been compromised and it is beingredirected to an
exploit kit as per the sources and this attackis a form of Drive by
Download attack [19].
In this attack, the attackers built a connection to inject
amalicious iframe in the PHP.net website that was redirectingto an
Exploit Kit. It seems that as reported by Google theJavaScript file
www.php.net/userprefs.js had some injectedobfuscated content at the
end of the file. Part of injectedobfuscated code is as shown
below
(function(Anv){var LUI="M\xaa\xb0\xa9\xf5n-\x92\xe0\
xb5S\xc7\x81,\x0b\x0f\x1e\x15\xb0\xa6BL\x16\x7f
%\x0aCDkFDt{bszH2qEdpNFX\x173\x18@Y\x7fZ}\x1bk\
x08%\x05*:7{bedFmHi\x0a%\x0f\x20NKDnBSIww
z8fol;pxoo:\x0a%\x00n]nA C o l
..(some bytes skipped)).
De-obfuscated content for the above obfuscated JavaScriptcode is
shown below
It contains an iframe which is redirecting the user to anevil
URL (http://url.whichusb.co.uk/stat.htm). The content ofthe file
stat.htm is shown below
try{
var os=PluginDetect.OS;}
... (some bytes skipped).
try{
var adobe=PluginDetect.getVersion("AdobeReader");}
... (some bytes skipped).
The JavaScript code uses a publicly available JavaScriptlibrary
to collect information about browser plugins. Onceit has collected
the information it makes a POST request tothe server indicating
whether the victim has Java and AdobeAcrobat Reader installed in
the system.
The server redirects the browser to a server that makesanother
redirection very likely depending on the plugins de-tected on the
victim. The server has returned HTML codethat is embedding some
Flash content in the browser aswell as a new iframe and encoded
JavaScript content withString.fromCharCode() function.
The exploit code in this exploit is matching with the ExploitKit
known as Magnitude/Popads.
III. RELATED WORK
WANG has done some good work in this area. In hisapproach he is
extracting the features of malicious javascriptstatically[1].
In inline code analyzer, authors discussed inline code anal-ysis
for malicious JavaScript elements. The elements includestring
functions and HTML tags[2].
In Browser guard, authors discussed about the file down-load
scenario and depending on the scenario, blocking theexecution of
any file that is automatically downloaded withoutany knowledge of
the user. This tool is developed for IEbrowser only[3].
Various types of hidden iframe injections into the web pageare
well explained by Bin Liang [4].
JStill captures some essential characteristics of
obfuscatedmalicious code by function invocation based analysis. It
alsoleverages the combination of static analysis and
lightweightruntime inspection so that it not only detects, but also
preventsthe execution of the obfuscated malicious JavaScript code
inbrowsers [5].
An integrated approach of using honey client with theabnormal
visibility recognition detection is chosen in thisapproach for
increasing the malicious website detection rateand speed. This
integrated approach consists of Spidering,HTML Parser, JavaScript
Engine, Honey client and abnormalvisibility detector [6].
Prophiler does not execute any code associated with theweb page
and the specified features are extracted from thewebpage statically
[7].
The idea of ADSandbox is executing any embeddedjavascript
objects in separate isolated sandbox environmentand logging all the
critical activities. Compare the activities
94
-
with the heuristics and decide whether the page is maliciousor
not[8].
Sarma has examined the current trends in malware propaga-tion
and functionalities of large scale botnets such as operatingFast
Flux DNS, hosting of malicious websites and injectingmalicious
links on legitimate websites [15]. Various types ofattacks on
Indian websites, observed by CERT-In are examinedand also discussed
various attack scenarios like Remote FileInclusion through
malicious scripts on PHP based websites,SQL Injection attacks on
ASP based websites.
Various tools were designed for identifying maliciousjavascript
objects in web pages such as Google Safe BrowsingDiagnostic page
[9], McAfee Site Advisor [10], DeFusinator[11] and Trafficlight
addon [12]. Most of the tools use thecloud database for checking
the malicious URLs. Databaseshould be updated frequently and also
there is a possibility ofnot detecting zero day attacks. Browser JS
Guard protects theuser from zero day attacks as it is content based
JavaScriptmalware filtering solution.
IV. OUR APPROACH
Drive by Download attacks made through maliciousJavaScripts are
detected by examining The structure of thestatic HTML page, Dynamic
JavaScript Code and the DOMchanges in a web page. These
characteristics are interceptedfor every incoming webpage and
intercepted behavior is com-pared against the ruleset for analyzing
and deciding whetherthe webpage is malicious or not. Ruleset is
designed by an-alyzing various malicious JavaScript injection
attack patterns.This detection approach is implemented as an
extension to webbrowser.
A. Monitoring Structure of the static HTML page
The incoming web page can be monitored and the vulner-able HTML
tag properties can be extracted from it [13], [14],[17], [18].
TABLE I: Monitorable Behaviors in HTML Tags of awebpage
HTML Tag Monitorable behaviours
frame/ iframe Cross Domain Source File
Invisible/Hidden Iframes
script
Cross Domain Source File
Wrong File name Extensions
Monitoring inline Script
img Cross Domain Source File
Wrong File name Extensions
anchor/link/area Cross Domain Source File
meta If contentType = refresh then monitor
src attribute
object Cross Domain Source File
Class ID of the plug-in to be invoked
The extracted properties specify the behavior of the webpage and
are compared against the Ruleset and if any matchis found then the
web page is treated as malicious page. The
HTML tags and their vulnerable properties to be monitoredare
presented in Table I.
B. Monitoring HTML DOM Changes of a Web Page
Browsers provide an API through JavaScript, called theDocument
Object Model (DOM), which represents the page asa tree of nodes
with methods and properties. Scripts existingin the web page use
the DOM to examine and change theweb page behavior. Table II shows
the methods and propertiesof DOM through which a web page can be
customized dy-namically. A script can be implemented using DOM
methodsand properties. These methods and properties are used
todynamically create any HTML tag elements [14], [17] andredirect
the user to any evil URL respectively.
TABLE II: Monitorable DOM Change Methods of a WebPage
DOM Change Methods Monitorable behaviours
document.write() Presence of Vulnerable Tags
Presence of Obfuscated JS Code
document.createElement() Presence of Vulnerable Tags
document.location()
document.location.href
document.URL
Redirection Source
The arguments of DOM methods can consist of scriptswith
obfuscated code which can be executed dynamically. Thisobfuscated
code may be a shellcode which can be used toexecute any executable
or a hidden iframe used to redirect anuser to any evil URL.
C. Dynamic JavaScript Code Execution Functions
Code generation at runtime is fairly common in JavaScript.The
most widely used technique is the use of eval. Theincoming web page
is intercepted and the vulnerable JavaScriptfunction arguments are
extracted [17], [18]. The extractedproperties specify the behavior
of the dynamic JavaScript codeexecution.
TABLE III: Monitorable dynamic code execution
JavaScriptfunctions in a webpage
JS Functions Monitorable behaviours
eval()
String analysis in its argument
Presence of Shellcode / Non-printable
characters
setTimeout() Malicious JavaScript
unescape()
String analysis in its argument
Presence of Shellcode / Non-printable
characters
setInterval() Periodic Redirections
fromCharCode()
String analysis in its argument
Presence of Shellcode / Non-printable
characters
The argument of these functions may be obfuscated forescaping
itself from being detected by Anti Virus solutions.
95
-
Fig. 4: Block Diagram of Browser JS Guard
Obfuscation of the code is being detected by calculating
thepercentage of whitespaces present in a string, ratio of
Key-words to Words, Word size in each String, Entropy, N-gram[20],
[5] and checking for Non Printable ASCII characters inthe
string.
If the extracted argument is an obfuscated code then checkthe
maliciousness of the obfuscated code. if not, compareagainst the
vulnerable HTML tags and the vulnerable HTMLtag properties are
extracted and compared against the genuineproperties of the HTML
tag. If any deviation is found thenthe web page is treated as
malicious page. The vulnerableJavaScript dynamic code execution
functions to be monitoredare shown in Table III.
The above specified features are implemented and
thefunctionality is added to the web browser as part of Browser
JSGuard extension. The above mechanism is implemented withthe help
of JavaScript, HTML, HTML DOM, Ajax, jQueryand CSS
technologies.
D. System Design
Whenever user is browsing a webpage, client initiates aHTTP
request for the required resource and the server responseis called
as HTTP Response.
HTTP Response includes the requested resource. TheHTTP Response
is the incoming webpage and this webpage ismonitored for
determining whether it has any malicious con-tents or not. In this
incoming webpage, vulnerable tags, DOMchange functions and dynamic
code execution functions aremonitored for determining the
maliciousness of the webpage.
Block diagram of the JSGuard is shown in Figure 4.Incoming web
page is intercepted for detecting vulnerableHTML tags, DOM change
functions and runtime JS codeexecution functions in it. If any of
them are detected in thewebpage then the respective properties are
sent to Analyzermodule. Analyzer module gets the extracted
properties and it
Fig. 5: Architecture of Static Monitoring Engine
checks for Hidden iframe redirections, Unauthorized
Redi-rections and Obfuscated code. Analysis report is sent to
theUser Alert & Decision Making component in which user willbe
alerted if the webpage contains any malicious behaviorspresent.
Webpage may be either rendered in the web browseror blocked
depending on the decision taken by the user.
JSGuard works with two different types of engines forachieving
its functionality at different phases of the web-page rendering.
First one is Static Monitoring Engine, whichstatically analyses the
vulnerabilities in source code of thewebpage and second one is
Runtime Monitoring Engine, whichanalyses for the vulnerabilities in
DOM changing functions anddynamic JS code execution functions.
The architecture of Static Monitoring Engine is shown inFigure
5.
In Static Monitoring Engine, Intercept module behaves asHTML tag
Extractor. This Extractor detects the vulnerableHTML tags in the
incoming webpage and if they are foundin the webpage, the
properties of them are extracted and sendthem to Analyzer. Analyzer
analyses them to detect Hiddenbehaviors, Unauthorized Redirections
and Encoded JavaScript.Analysis report is sent to the User Alert
& Decision Makingmodule.
The second component of JSGuard is Runtime MonitoringEngine and
its architecture is shown in Figure 6.
In Runtime Monitoring Engine, Intercept module behavesas DOM and
JS Function Extractor. This Extractor detectsthe vulnerable DOM
change functions and dynamic codeexecution functions in the
incoming webpage and if they arefound in the webpage, the arguments
of them are extractedand send them to Analyzer. Analyzer analyses
them to detectObfuscated code and HTML tags created at runtime.
If any HTML tags are created dynamically in the argu-ments of
the intercepted functions then send them to Static
96
-
Fig. 6: Architecture of Runtime Monitoring Engine
Monitoring Engine for deciding whether the tags are
behavingmaliciously or not. The details collected from Analyzer
aresent to the User Alert & Decision Making module.
E. Implementation of Browser JS Guard
The detection mechanism is implemented in JavaScriptlanguage.
Implemented security mechanism consists of variousJavaScript
components namely tagMonitor.js, dynamicJSMon-itor.js,
reportGenerator.js and jQueryAlert.
tagMonitor.js monitors the vulnerable HTML tags andspecified
attributes of tags in every webpage by using DOMlanguage. The list
of HTML tags is presented in Tables 1 and2. The HTML tags are
stored in an array.
monitorTags = new Array("iframe", "script", "img", "
area", "link", "a", "frame", "form", "embed", "
applet", "meta", "object", "html", "head", "
title", "body");
dynamicJSMonitor.js tracks the function calls that are usedto
dynamically interpret JavaScript code (e.g., eval, setTime-out,
unescape), and DOM changes that may lead to codeexecution (e.g.,
document.write, document.createElement, doc-ument.location). It
also retrieves the parameters of thesefunctions and verifies
whether any vulnerable HTML tagsare dynamically created. For
tracking the specified functions,hooks are being created for each
function.
Internal function hooking (IFH) mechanism implementedfor
monitoring eval() function is given below
var evalp=[];
var oldEval = eval;
eval = function eval(param)
{
evalp.push(param);
return oldEval(param);
Fig. 7: Browser JS Guard User Alert for Hidden iframe
}
console.log(evalp);
reportGenerator.js generates the report of the webpage
byconsolidating the result from tagMonitor.js and
dynamicJS-Monitor.js components and it includes the mechanism
foralerting the user if the webpage is malicious.
Report(Result1, Result2)
{
//Writing the result to panel
finalReport = Result1 + Result2;
}
Result1 is the webpage analysis report received fromcomponent 1,
i.e., tagMonitor.js and Result2 is the webpageanalysis report
received from component 2, i.e., dynamicJS-Monitor.js.
jQueryAlert component uses jQueryAlert.js andjQueryAlert.css
files which internally handles jConfirm()method for alerting the
user.
jConfirm (MaliciousResult, Warning by Browser JS
Guard);
User can confirm whether to continue browsing the web-page or
quit the website from the popup given by the Add-on.
The implemented extension functionality is compatiblewith
various web browsers and the details are given in TableIV.
TABLE IV: Compatible Browsers for Browser JS Guard
Web BrowserCompatible
VersionSupported OS
Firefox >= 14.0 Windows & Linux
Google Chrome >=14.0 Windows & Linux
Iceweasel >=14.0 Windows & Linux
Opera >=11.0 Windows & Linux
Internet Explorer >=9.0 Windows
V. EXPERIMENTAL RESULTS
Implemented extension was deployed in various systems,tested the
detection rate, calculated false positives, false nega-tives and
performance overhead of the web browser when theJS Guard extension
is installed.
97
-
A. Environment
Browser JS Guard extension has been deployed and testedin
various systems of our organization. JSGuard has beendeployed for
Firefox, Google Chrome, Opera web browsersin Windows and Linux
operating systems. Also deployed forInternet Explorer in Windows
OS.
B. Testing
Functional testing has been performed using various com-promised
websites. Deployed extension is detecting the mali-cious injections
in the compromised websites. Figure 7 showsthe hidden iframe
injected in the website and the victim isbeing redirected to
bedfer.com. The URL bedfer.com maybe a landing site or exploit
server.
The JSGuard extension is initially tested on test systemswith
both genuine and compromised URLs and compared withother existing
content based online URL scanners.
Implemented Security extension is also tested with
knownmalicious URLs received from CERT-IN and other
onlineresources. The test results of JSGuard are compared
againstvarious online URL scanners (Quettera, Sucuri, Wepawet
andeVuln) as shown in Table V. Online URL scanners are theservices
available in Internet to check whether a specificdomain is
malicious or genuine. URL scanners require userto manually specify
the URL and it downloads and scans theentire website source for the
presence of JavaScript Malware.This entire process requires user
interaction and lot of timeto download and scan entire website. But
JS Guard is anextension to the browser and it scans each and every
incomingwebpage for JavaScript Malware without any user
interaction.Sucuri says a webpage as malicious if any blacklisted
domainis present in the webpage source even though the webpageis
not containing any malware code in it. JS Guard does notreport the
presence of blacklisted domains in the source codeof the webpage
but it detects whenever the blacklisted domainexhibits any
malicious behavior.
C. False Positive and False Negatives
False Positive is a result of a test that shows as
presentsomething that is absent.
False Positives are because of the presence of third
partyadvertising and tracking code in the web page. Popular
adver-tisement links are Doubleclick.net and Tribalfusion.net.
Oneof the popular tracking sites is Google analytics. If
webpageincludes advertisements in frame / iframe and if they are
hiddenthen the extension detects it as hidden and injected
iframe.
False Negative is a result of a test shows as absentsomething
that is present.
False Negatives are because of malicious process creationon the
target machine and presence of blacklisted domains inthe webpage
source. When the extension is tested with theURL, Google Safe
Browsing reported as Malicious softwareincludes 3 exploit(s).
Successful infection resulted in newprocess (es) on the target
machine. But JS Guard does notcheck for the newly created processes
in the system and alsoit does not report a web page as malicious if
any blacklisteddomains are present in the webpage source.
Fig. 9: Detailed report on Hidden iframe Redirections
Accuracy refers to the number of correctly classified webpages
among the total number of web pages tested.
F.P =No.ofBenignWebpagesDetectedasMalicious
TotalNumberofBeningnWebpages100
(1)
F.N =No.ofMaliciousWebpagesDetectedasBenign
TotalNumberofMaliciousWebpages100
(2)
Accuracy =N.C
TotalNumberofWebpages 100 (3)
N.C = TotalNumberofWebPagesN.W (4)
F.P = False PositivesF.N = False NegativesN.C = No.of WebPages
Classified CorrectlyN.W = No.of WebPages Classified Wrongly
Figure 8(a),(b) and (c) shows the False Positive rate,
FalseNegative rate and Accuracy of Browser JSGuard
extensionrespectively. Equations 1, 2 and 3 shows the calculationof
False Positive, False Negative and Accuracy respectively.
D. Reporting
A detailed report of the visiting website can be viewedby
clicking on the icon present at the right hand side bottomcorner of
the browser status bar. By clicking on the icon, awindow is opened
and displays the report of the requestedwebpage.
98
-
TABLE V: Comparison of JS Guard Detection Rate against other
online URL Scanners
Product Name Browser JSGuard Quettera Sucuri Wepawet eVuln
Tested URLs 641 641 641 641 641
URLs Detected as Malicious 583 510 594 382 573
Detection Rate(%) 90.95 79.56 92.66 59.59 89.39
Fig. 8: Testing Results
Fig. 10: Detailed report on Encoded JavaScript Malware
Figure 9 shows a threat under Hidden iframe Redi-rections tab.
The visiting website is injected with a hiddeniframe by using
either HTML iframe tag or dynamic JS codeexecution functions. As
the result of functional testing, wehave identified various
mechanisms for injecting maliciousJavaScript and Encoded JavaScript
is majorly used. Figure 10shows the detailed report for Encoded
JavaScript Malware.
E. Performance
For evaluating the browser performance when the extensionis
installed to it, LORI (Life Of Request Info) addon is usedfor
Firefox web browser. The experiment of calculating thepage load
time is repeated number of times for the Firefox
Fig. 11: Performance Testing Results
browser with and without JS Guard extension and the resultsare
noted and analysed.
Web Page load time is calculated with and without JSGuard
extension and the results are shown in Figures 11 and12. Average
page load time of the web browser is increasedby 180 ms for loading
any webpage.
Figure 12 shows the performance graph of the webbrowser. Graph
is drawn with number of times tested on x-axis and time in secs on
y-axis.
99
-
Fig. 12: Performance Testing Results
VI. CONCLUSION
In this paper, Browser JS Guard is presented for analyzingand
detecting malicious JavaScript injections in the incom-ing web
pages. JS Guard resides as part of the client webbrowser and
detects the malicious web pages. In addition tothe detection, JS
Guard extension provides the flexibility touser for viewing the
detailed analysis report of the webpage.Furthermore this extension
gives an option for user to decidewhether to continue browsing the
webpage or not. Testinghas been performed on JSGuard using known
Genuine andMalicious URLs. JSGuard has detected the malicious
webpages with lesser rates of false positives (0.72 %) and
falsenegatives (9.04 %). JS Guard installed web browser have
taken180 ms more time for loading a webpage when compared withthe
page load time of the web browser when JSGuard is notinstalled.
In the future, we plan to evaluate more number of URLsand try to
improve the detection mechanism to further reducethe false positive
and false negative rates by analyzing newattack trends and building
intelligence. Further, we want toimprove the performance by
applying various code optimiza-tion techniques.
ACKNOWLEDGMENT
Our sincere thanks to Department of Electronics &
Infor-mation Technology (Deity), Ministry of Communications
andInformation Technology, Government of India for supportingthis
research work.
REFERENCES
[1] WANG Wei-Hong, LV Yin-Jun, CHEN Hui-Bing and FANG Zhao-Lin.A
Static Malicious Javascript Detection Using SVM. In proceedings
ofthe 2nd International Conference on Computer Science and
ElectronicsEngineering (ICCSEE 2013)
[2] D.Nandhini, Kalpana.G and Abhilash.R. Browser Authentication
andInline Code Analyzer with Common Centralized Browser
Security
Violation Report Management System for Mitigating Web Attacks.In
proceedings of International Journal of Engineering Research
andDevelopment
[3] Pratik Upadhya, Farhan Meer, Acquin Dmello and Nikita
Dmello.Runtime Solution for Minimizing Drive-By-Download Attacks.
Inproceedings of International Journal of Modern Engineering
Research(IJMER)
[4] Bin Liang, Jianjun Huang, Fang Liu, Dawei Wang, Daxiang Dong
andZhaohui Liang. Malicious Web Pages Detection Based on
AbnormalVisibility Recognition. In proceedings of IEEE 2009
[5] Wei Xu, Fangfang Zhang and Sencun Zhu. JStill: Mostly Static
De-tection of Obfuscated Malicious JavaScript Code. In proceedings
ofACM, February 1820, 2013
[6] Krishnaveni Raju, C.Chellappan. Integrated Approach of
MaliciousWebsite Detection. In proceedings of International Journal
Communi-cation & Network Security (IJCNS), Volume-I, Issue-II,
2011
[7] D. Canali, M. Cova, G. Vigna, and C.Kruegel. Prophiler: A
fast filterfor the large-scale detection of malicious web pages. In
Proceedings ofthe 20th international conference on World Wide Web,
pages 197-206.ACM, 2011
[8] Andreas Dewald, Thorsten Holz, Felix C. Freiling.
PADSandbox: Sand-boxing JavaScript to fight Malicious Websites. In
proceedings ofSAC10 March 22-26, 2010
[9] Google Inc. Safe Browsing for Firefox. Google Inc. Safe
Browsing forFirefox
[10] McAfee SiteAdvisor. http://www.siteadvisor.com
[11] DeFusinator: https://code.google.com/p/defusinator
[12] Trafficlight:
https://addons.mozilla.org/En-us/firefox/addon/trafficlight
[13] D.J.Guan, Chia-Mei Chen, Jing-Siang Luo, and Yung-Tsung
Hou.Malicious Web Page Detection Based on Anomaly Semantics.
[14] Birhanu Eshete, Adolfo Villa orita, and Komminist
Weldemariam.BINSPECT: Holistic Analysis and Detection of Malicious
Web Pages.
[15] S.S. Sarma. Propagation of Malware Through Compromised
Web-sites: Attack Trends and Countermeasures. In proceedings of
11thAssociation of Anti-Virus Asia Researchers International
Conference,December 2008
[16] Aikaterinaki Niki. Drive by Download attacks: Effects and
Detectionmethods. In proceedings of IT Security Conference for the
NextGeneration
[17] M. Cova, C. Kruegel, and G. Vigna. Detection and analysis
of Drive byDownload attacks and malicious javascript code. In
Proceedings ofthe 19th international conference on World Wide Web,
pages 281-290.ACM, 2010
[18] Jaeun Choi, Gisung Kim, Tae Ghyoon Kim, and Sehun Kim.
AnEfficient Filtering Method for Detecting Malicious Web Pages.
Inproceedings of 13th International Workshop, WISA 2012, Jeju
Island,Korea, 2012
[19] PHP.net Article:
http://www.alienvault.com/open-threat-exchange/blog/phpnet-potentially-compromised-and-redirecting-to-
an-exploit-kit
[20] YoungHan Choi, TaeGhyoon Kim, SeokJin Choi. Automatic
Detectionfor JavaScript Obfuscation Attacks in Web Pages through
String Pattern
Analysis. In proceedings of International Journal of Security
and itsapplications, April 2010
100