Term-rewriting deobfuscation for static client-side scripting malware detection

Gregory Blanc; Ruo Ando; Youki Kadobayashi

doi:10.1109/NTMS.2011.5720649

Term-rewriting deobfuscation for static client-side scripting malware detection

Gregory Blanc
, Ruo Ando
, Youki Kadobayashi

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Ensuring users with a safe web experience has become a critical problem recently as fraud and privacy infringement on the Internet are becoming current. Web-scripting-based malware is also intensively used to carry out longer-term exploitation such as XSS worms or botnets, and server-side countermeasures are often ineffective against such threats while client-side ones seldom deal with the problem of obfuscation. In order to provide a sounder and more complete analysis, we propose to carry out deobfuscation of web-scripting-language-based malware. In this paper, we study the possibility of automating the deobfuscation process using a term rewriting system based on automated deduction. Such static approach intends to evade anti-analysis techniques and unknown obfuscation schemes. With some preliminary experiments in JavaScript, we show evidence that this is actually possible and highlight several challenges we need to tackle in order to implement an effective script-based malware deobfuscator. This approach can be generalized to web scripting languages other than JavaScript such as ActionScript or VBScript. Applications encompass script-based malware static analysis or malware distribution website crawling. This paper is included in a wider project that aims to provide a client-based defense against Web 2.0 malware.

Original language	English
Title of host publication	2011 4th IFIP International Conference on New Technologies, Mobility and Security, NTMS 2011 - Proceedings
DOIs	https://doi.org/10.1109/NTMS.2011.5720649
Publication status	Published - 25 Mar 2011
Externally published	Yes
Event	4th IFIP International Conference on New Technologies, Mobility and Security, NTMS 2011 - Paris, France Duration: 7 Feb 2011 → 10 Feb 2011

Publication series

Name	2011 4th IFIP International Conference on New Technologies, Mobility and Security, NTMS 2011 - Proceedings

Conference

Conference	4th IFIP International Conference on New Technologies, Mobility and Security, NTMS 2011
Country/Territory	France
City	Paris
Period	7/02/11 → 10/02/11

Keywords

Automated theorem proving
Client-side
Deobfuscation
JavaScript malware
Term rewriting system
Web 2.0

Access to Document

10.1109/NTMS.2011.5720649

Cite this

Blanc, G., Ando, R., & Kadobayashi, Y. (2011). Term-rewriting deobfuscation for static client-side scripting malware detection. In 2011 4th IFIP International Conference on New Technologies, Mobility and Security, NTMS 2011 - Proceedings Article 5720649 (2011 4th IFIP International Conference on New Technologies, Mobility and Security, NTMS 2011 - Proceedings). https://doi.org/10.1109/NTMS.2011.5720649

@inproceedings{990bf8aa2960487aaf9f1213b34db588,

title = "Term-rewriting deobfuscation for static client-side scripting malware detection",

abstract = "Ensuring users with a safe web experience has become a critical problem recently as fraud and privacy infringement on the Internet are becoming current. Web-scripting-based malware is also intensively used to carry out longer-term exploitation such as XSS worms or botnets, and server-side countermeasures are often ineffective against such threats while client-side ones seldom deal with the problem of obfuscation. In order to provide a sounder and more complete analysis, we propose to carry out deobfuscation of web-scripting-language-based malware. In this paper, we study the possibility of automating the deobfuscation process using a term rewriting system based on automated deduction. Such static approach intends to evade anti-analysis techniques and unknown obfuscation schemes. With some preliminary experiments in JavaScript, we show evidence that this is actually possible and highlight several challenges we need to tackle in order to implement an effective script-based malware deobfuscator. This approach can be generalized to web scripting languages other than JavaScript such as ActionScript or VBScript. Applications encompass script-based malware static analysis or malware distribution website crawling. This paper is included in a wider project that aims to provide a client-based defense against Web 2.0 malware.",

keywords = "Automated theorem proving, Client-side, Deobfuscation, JavaScript malware, Term rewriting system, Web 2.0",

author = "Gregory Blanc and Ruo Ando and Youki Kadobayashi",

year = "2011",

month = mar,

day = "25",

doi = "10.1109/NTMS.2011.5720649",

language = "English",

isbn = "9781424487042",

series = "2011 4th IFIP International Conference on New Technologies, Mobility and Security, NTMS 2011 - Proceedings",

booktitle = "2011 4th IFIP International Conference on New Technologies, Mobility and Security, NTMS 2011 - Proceedings",

note = "4th IFIP International Conference on New Technologies, Mobility and Security, NTMS 2011 ; Conference date: 07-02-2011 Through 10-02-2011",

}

Blanc, G, Ando, R & Kadobayashi, Y 2011, Term-rewriting deobfuscation for static client-side scripting malware detection. in 2011 4th IFIP International Conference on New Technologies, Mobility and Security, NTMS 2011 - Proceedings., 5720649, 2011 4th IFIP International Conference on New Technologies, Mobility and Security, NTMS 2011 - Proceedings, 4th IFIP International Conference on New Technologies, Mobility and Security, NTMS 2011, Paris, France, 7/02/11. https://doi.org/10.1109/NTMS.2011.5720649

Term-rewriting deobfuscation for static client-side scripting malware detection. / Blanc, Gregory; Ando, Ruo; Kadobayashi, Youki.
2011 4th IFIP International Conference on New Technologies, Mobility and Security, NTMS 2011 - Proceedings. 2011. 5720649 (2011 4th IFIP International Conference on New Technologies, Mobility and Security, NTMS 2011 - Proceedings).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Term-rewriting deobfuscation for static client-side scripting malware detection

AU - Blanc, Gregory

AU - Ando, Ruo

AU - Kadobayashi, Youki

PY - 2011/3/25

Y1 - 2011/3/25

N2 - Ensuring users with a safe web experience has become a critical problem recently as fraud and privacy infringement on the Internet are becoming current. Web-scripting-based malware is also intensively used to carry out longer-term exploitation such as XSS worms or botnets, and server-side countermeasures are often ineffective against such threats while client-side ones seldom deal with the problem of obfuscation. In order to provide a sounder and more complete analysis, we propose to carry out deobfuscation of web-scripting-language-based malware. In this paper, we study the possibility of automating the deobfuscation process using a term rewriting system based on automated deduction. Such static approach intends to evade anti-analysis techniques and unknown obfuscation schemes. With some preliminary experiments in JavaScript, we show evidence that this is actually possible and highlight several challenges we need to tackle in order to implement an effective script-based malware deobfuscator. This approach can be generalized to web scripting languages other than JavaScript such as ActionScript or VBScript. Applications encompass script-based malware static analysis or malware distribution website crawling. This paper is included in a wider project that aims to provide a client-based defense against Web 2.0 malware.

AB - Ensuring users with a safe web experience has become a critical problem recently as fraud and privacy infringement on the Internet are becoming current. Web-scripting-based malware is also intensively used to carry out longer-term exploitation such as XSS worms or botnets, and server-side countermeasures are often ineffective against such threats while client-side ones seldom deal with the problem of obfuscation. In order to provide a sounder and more complete analysis, we propose to carry out deobfuscation of web-scripting-language-based malware. In this paper, we study the possibility of automating the deobfuscation process using a term rewriting system based on automated deduction. Such static approach intends to evade anti-analysis techniques and unknown obfuscation schemes. With some preliminary experiments in JavaScript, we show evidence that this is actually possible and highlight several challenges we need to tackle in order to implement an effective script-based malware deobfuscator. This approach can be generalized to web scripting languages other than JavaScript such as ActionScript or VBScript. Applications encompass script-based malware static analysis or malware distribution website crawling. This paper is included in a wider project that aims to provide a client-based defense against Web 2.0 malware.

KW - Automated theorem proving

KW - Client-side

KW - Deobfuscation

KW - JavaScript malware

KW - Term rewriting system

KW - Web 2.0

U2 - 10.1109/NTMS.2011.5720649

DO - 10.1109/NTMS.2011.5720649

M3 - Conference contribution

AN - SCOPUS:79952857247

SN - 9781424487042

T3 - 2011 4th IFIP International Conference on New Technologies, Mobility and Security, NTMS 2011 - Proceedings

BT - 2011 4th IFIP International Conference on New Technologies, Mobility and Security, NTMS 2011 - Proceedings

T2 - 4th IFIP International Conference on New Technologies, Mobility and Security, NTMS 2011

Y2 - 7 February 2011 through 10 February 2011

ER -

Blanc G, Ando R, Kadobayashi Y. Term-rewriting deobfuscation for static client-side scripting malware detection. In 2011 4th IFIP International Conference on New Technologies, Mobility and Security, NTMS 2011 - Proceedings. 2011. 5720649. (2011 4th IFIP International Conference on New Technologies, Mobility and Security, NTMS 2011 - Proceedings). doi: 10.1109/NTMS.2011.5720649

Term-rewriting deobfuscation for static client-side scripting malware detection

Abstract

Publication series

Conference

Keywords

Access to Document

Fingerprint

Cite this