Revolver: An automated approach to the detection of evasive web-based malware

Proceedings of the 22nd USENIX Security Symposium

Volumn , Issue , 2013, Pages 637-651

  Kapravelos, Alexandros ^a   Shoshitaishvili, Yan ^a   Cova, Marco ^b   Kruegel, Christopher ^a   Vigna, Giovanni ^a  

^a UNIVERSITY OF CALIFORNIA   (United States)

^b UNIVERSITY OF BIRMINGHAM   (United Kingdom)

Author keywords

[No Author keywords available]

Indexed keywords

HIGH LEVEL LANGUAGES; WEB BROWSERS; WEBSITES;

AUTOMATED APPROACH; CONTINUOUS IMPROVEMENTS; DYNAMIC CODE GENERATION; JAVASCRIPT PROGRAMS; LARGE SCALE EXPERIMENTS; MALICIOUS BEHAVIOR; MALICIOUS JAVASCRIPT; SIGNATURE BASED DETECTIONS;

MALWARE;

EID: 84924656413     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (40)

1. HtmlUnit. http://htmlunit.sourceforge.net/.
2. JavaScript for Acrobat API Reference. http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/devnet/acrobat/pdfs/js_api-reference.pdf.
3. D. Balzarotti, M. Cova, C. Karlberger, C. Kruegel, E. Kirda, and G. Vigna. Efficient Detection of Split Personalities in Malware. In Proc. of the Symposium on Network and Distributed System Security (NDSS), 2010.
4. U. Bayer, P. M. Comparetti, C. Hlauschek, C. Kruegel, and E. Kirda. Scalable, Behavior-Based Malware Clustering. In Proc. of the Symposium on Network and Distributed System Security (NDSS), 2009.
5. D. Canali, M. Cova, G. Vigna, and C. Kruegel. Prophiler: A Fast Filter for the Large-scale Detection of Malicious Web Pages. In Proc. of the International World Wide Web Conference (WWW), 2011.
6. M. Cova, C. Kruegel, and G. Vigna. Detection and Analysis of Drive-by-Download Attacks and Malicious JavaScript Code. In Proc. of the International World Wide Web Conference (WWW), 2010.
7. C. Curtsinger, B. Livshits, B. Zorn, and C. Seifert. Zozzle: Low-overhead Mostly Static JavaScript Malware Detection. In Proc. of the USENIX Security Symposium, 2011.
8. A. Dinaburg, P. Royal, M. Sharif, and W. Lee. Ether: Malware Analysis via Hardware Virtualization Extensions. In Proc. of the ACM Conference on Computer and Communications Security (CCS), 2008.
9. D. Edwards. Dean Edwards Packer. http://bit.ly/TWQ46b.
10. P. Ferrie. Attacks on Virtual Machines. In Proc. of the Association of Anti-Virus Asia Researchers Conference, 2003.
11. Google. Safe Browsing API. http://code.google.com/apis/safebrowsing/.
12. C. Grier, L. Ballard, J. Caballero, N. Chachra, C. J. Dietrich, K. Levchenko, P. Mavrommatis, D. McCoy, A. Nappa, A. Pitsillidis, N. Provos, M. Z. Rafique, M.A. Rajab, C. Rossow, K. Thomas, V. Paxson, S. Savage, and G. M. Voelker. Manufacturing Compromise: The Emergenceof Exploit-as-a-Service. In Proc. of the ACM Conference on Computer and Communications Security (CCS), 2012.
13. B. Hartstein. jsunpack - a generic JavaScript unpacker. http://jsunpack.jeek.org/dec/go.
14. J. Jang, D. Brumley, and S. Venkataraman. BitShred: Feature Hashing Malware for Scalable Triage and Semantic Analysis. In Proc. of the ACM Conference on Computer and Communications Security (CCS), 2011.
15. M. G. Kang, H. Yin, S. Hanna, S. McCamant, and D. Song. Emulating Emulation-Resistant Malware. In Proc. of the Workshop on Virtual Machine Security (VMSec), 2009.
16. A. Kapravelos, M. Cova, C. Kruegel, and G. Vigna. Escape from Monkey Island: Evading High-Interaction Honeyclients. In Proc. of the Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), 2011.
17. C. Kolbitsch, B. Livshits, B. Zorn, and C. Seifert. Rozzle: De-Cloaking Internet Malware. In Proc. of the IEEE Symposium on Security and Privacy, 2012.
18. B. Krebs. Virus Scanners for Virus Authors, Part II. http://krebsonsecurity.com/2010/04/virus-scanners-for-virus-authors-part-ii/, 2010.
19. F. Leder, B. Steinbock, and P. Martini. Classification and detection of metamorphic malware using value set analysis. In Proc. of the Conference on Malicious and Unwanted Software (MALWARE), 2009.
20. L. Lu, V. Yegneswaran, P. Porras, and W. Lee. BLADE: An Attack-Agnostic Approach for Preventing Drive-By Malware Infections. In Proc. of the ACM Conference on Computer and Communications Security (CCS), 2010.
21. L. Martignoni, R. Paleari, G. F. Roglia, and D. Bruschi. Testing CPU Emulators. In Proc. of the International Symposium on Software Testing and Analysis (ISSTA), 2009.
22. Microsoft. Microsoft Security Intelligence Report, Volume 13. Technical report, Microsoft Corporation, 2012.
23. Moss. Moss with obfuscated scripts. http://goo.gl/XzJ7M.
24. M. Muja and D. G. Lowe. Fast Approximate Nearest Neighbors with Automatic Algorithm Configuration. In Proc. of the Conference on Computer Vision Theory and Applications (VISAPP), 2009.
25. J. Nazario. Phoney C: A Virtual Client Honeypot. In Proc. of the USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET), 2009.
26. R. Paleari, L. Martignoni, G. F. Roglia, and D. Bruschi. A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators. In Proc. of the USENIX Workshop on Offensive Technologies (WOOT), 2009.
27. J. Pate, R. Tairas, and N. Kraft. Clone Evolution: a Systematic Review. Journal of Software Maintenance and Evolution: Research and Practice, 2011.
28. N. Provos, P. Mavrommatis, M. Rajab, and F. Monrose. All Youri FRAMEs Pointto Us. In Proc. of the USENIX Security Symposium, 2008.
29. N. Provos, D. McNamee, P. Mavrommatis, K. Wang, and N. Modadugu. The Ghost in the Browser: Analysis of Web-based Malware. In Proc. of the USENIX Workshop on Hot Topics in Understanding Botnet, 2007.
30. T. Raffetseder, C. Kruegel, and E. Kirda. Detecting System Emulators. In Proc. of the Information Security Conference, 2007.
31. M. A. Rajab, L. Ballard, N. Jagpal, P. Mavrommatis, D. Nojiri, N. Provos, and L. Schmidt. Trends in Circumventing Web-Malware Detection. Technical report, Google, 2011.
32. P. Ratanaworabhan, B. Livshits, and B. Zorn. Nozzle: A Defense Against Heap-spraying Code Injection Attacks. In Proc. of the USENIX Security Symposium, 2009.
33. J. W. Ratclif. Pattern Matching: the Gestalt Approach. Dr. Dobb's, 1988.
34. K. Rieck, T. Krueger, and A. Dewald. Cujo: Efficient Detection and Prevention of Drive-by-Download Attacks. In Proc. of the Annual Computer Security Applications Conference (ACSAC), 2010.
35. C. K. Roy and J. R. Cordy. A Survey on Software Clone Detection Research. Technical report, School of Computing, Queen's University, 2007.
36. J. Rutkowska. Red Pill⋯ or how to detect VMM using (almost) one CPU instruction. http://www.invisiblethings.org/papers/redpill.html, 2004.
37. S. Schleimer, D. Wilkerson, and A. Aiken. Winnowing: local algorithms for document fingerprinting. In Proc. of the 2003 ACM SIGMOD international conference on Management of data, 2003.
38. The Honeynet Project. Capture-HPC. https://projects.honeynet.org/capture-hpc.
39. A. Vasudevan and R. Yerraballi. Cobra: Fine-grained Malware Analysis using Stealth Localized Executions. In Proc. of the IEEE Symposium on Security and Privacy, 2006.
40. Y.-M. Wang, D. Beck, X. Jiang, R. Roussev, C. Verbowski, S. Chen, and S. King. Automated Web Patrol with Strider HoneyMonkeys: Finding Web Sites That Exploit Browser Vulnerabilities. In Proc. of the Symposium on Network and Distributed System Security (NDSS), 2006.