( ) ( ) ( ) ( ) ( ) ( )

Transcription

1 NAIST-IS-MT

2 ( ) ( ) ( ) ( ) ( ) ( )

3 JavaScript 100% 53%,, JavaScript, NAIST-IS-MT , i

4 A Design and Implementation of a detection method against Drive-by Download Attacks using obfuscation features Hirotaka Fujiwara Abstract Drive-by download attacks usually redirect a user to a malicious webpage where vulnerabilities in a browser or in browser plugins are exploited in order to force the download of a malware. This research presents and evaluates a detection method against drive-by download attacks. The proposed method focusces on the transformation of strings that is the characteristics of the obfuscation. The proposed method employs obfuscated domain information of JavaScript as a trigger to detect drive-by download attack. The browser plug-in implemenation of the proposed method was able to detect obfuscated redirection correctly with 100% true positives, while it showed 53% false positives against legitimate sites. Keywords: Drive-by Download Attack, Obfuscation, JavaScript Master s Thesis, Department of Information Science, Graduate School of Information Science, Nara Institute of Science and Technology, NAIST-IS-MT , March 11, ii

5 iii vi viii iii

6 Chrome Extension Google Chrome Extension Chrome Platform APIs jquery Chrome Extension Chrome Extension iv

7 v

8 (D3M ) (D3M ) (Malwr.com) (Legitimate Site) ) vi

9 URL Chrome Extension Chrome Extension Content Scripts Chrome Extension Background Chrome Extension Chrome Chrome Extension Chrome Extension vii

10 Chrome Extension JavaScript APIs(Chrome Platform APIs) webrequest viii

11 1 1.1 JavaScript PHP Java Ruby Python [1][2] ActiveX Java Flash Player [7] [10] [5] IDS : Intrusion Detection System IPS : Intrusion Prevention System 1

12 (IDS/IPS ) ( )

13 1.3 JavaScript JavaScript Google Chrome Extension 3

14 Chrome Extension

15 Gumblar [8][9] JavaScript Internet Explorer Adobe Acrobat Adobe Reader Adobe Flash Player TrendMicro [4] Youtube Java Internet Explorer Flash 11 5

16 SQL iframe referrer Java Adobe JavaScript [3] Inline Frame HTTP 1 6

17 1 2.1 Browser Malicious Web Normal Execute Javascript Redirect Execute Javascript Malicious Action Request 1 Response Redirect 2 Response File download 3 Response : 7

18 html js JavaScript iframe 2. : Referrer 3. : html js JavaScript 4. : 8

19 2.2 URL IDS IPS IDS IPS 2.2 9

20 c6c636f6465 Signature File c6c636f 6465 Signature Database Match Obfuscation Obfuscation [7] % 55.3% 45.7% JavaScript Java

21 2.2.2 URL Wepawet[11] Cuckoo Sandbox[12] [17][18] Referrer Referrer referrer 2.3 html 11

22 SandBox Browser Attack code not Execute (Cloaking) Attack code Execute Malicious.EXE not Execute (Cloaking).EXE Execute [5] 1 [16] 1 DGA ( ) DGA DGA 1 DGA 12

23 JavaScript Java JavaScript [7] , 2.6,

24 <script> function myalert(txt){ alert(txt); } var string= Hello World!! ; myalert(string); </script> <script> function _cd(ab){ alert(ab); } var ok= Hello World!! ; _cd(ok); </script> (+) eval() document.write() html ASCII Unicode unescape() 2.7 ASCII ASCII JavaScript JavaScript html JavaScript 14

25 <script> var co = ert(txt) ; var pg = ello World! ; var am = functi ; var qf = tring=\ H ; var jl = ing) ; var ne = xt);}var s ; var rh =!\ ;mya ; var wb = on myal ; var ik = lert(str ; var sd = {alert(t ; document.write(am+wb+co+sd+ne+qf+pg+rh+ik+jl); </script> 2.6 unescape() document.write() html charat() String.replace() JavaScript JavaScript JavaScript 15

26 <script> document.write(unescape(%66%75%6e%63%74%69%6f%6e %20%6d%79%41%6c%65%72%74%28%74%78%74%29%7b %61%6c%65%72%74%28%74%78%74%29%3b%7d %76%61%72%20%73%74%72%69%6e%67%3d%e2%80%9c %48%65%6c%6c%6f%20%57%6f%72%6c %64%21%21%e2%80%9d%3b%6d%79%41%6c %65%72%74%28%73%74%72%69%6e%67%29%3b)); </script>

27 alert() html js 17

28 Alexa [13] Mac OSX 10.9 Google Chrome Google Chrome Google Chrome JavaScript MWS ( ) 2014[14] D3M pcap html js D3M NTT Marionetto D3M Malwr.com[15] Recent Analysis html Malwr.com Ubuntu REMnux REMnux Python

29 3.1 Alexa D3M dataset Malwr.com Number of Files ( ) Number of Lines 30,489 16,799 17,942 Number of Script Lines 12,869 13,729 3, Alexa

30 JavaScript *+,-./!01!2!3!!4!'"""!&#""!&"""!%#""!%"""!$#"" :7:,<7. =&>%"$$ =&>%"$% =&>%"$& =&>%"$' ><?@/AB0,!$"""!#"" 1!"!"!%""""!'""""!(""""!)""""!$""""" 5.*678!01!97/:*69!;!5:*

31 3.1 (1) (2) (1) (2) replace() R ward k-means !'"""!&#"" ;<=,>76?60+@=A&,%"$$<7.*;!+@6*8!$B' ;<=,>76?60+@=A&,%"$%<7.*;!+@6*8!$B'!"##!+# =>?.@98A82-B?C%.$#"">90,=!-B8,:!"D& =>?.@98A82-B?C%.$#"$>90,=!-B8,:!"D& *+,-./!01!2!3!!4!&"""!%#""!%"""!$#""!$"""!#"",-./01!23!4!5!!6!*#!)#!(#!'#!&#!%#!$#!"#!"!"!%""""!'""""!(""""!)""""!$"""""!#!"##!$##!%##!&##!'##!(##!)##!*##!+##!"### 56*.!7.*89: 78,0!90,:;< 3.2 (D3M ) 21

32 !'"""!&#"" *+,-./!01!2!3!!4!&"""!%#""!%"""!$#""!$"""!#"",-./01!23!4!5!!6!*#!)#!(#!'#!&#!%#!$#!"#!"!"!%""""!'""""!(""""!)""""!$"""""!#!"##!$##!%##!&##!'##!(##!)##!*##!+##!"### 56*.!7.*89: 78,0!90,:;< 3.3 (D3M )!'"""!&#"" *+,-./!01!2!3!!4!&"""!%#""!%"""!$#""!$"""!#"",-./01!23!4!5!!6!*#!)#!(#!'#!&#!%#!$#!"#!"!"!%""""!'""""!(""""!)""""!$"""""!#!"##!$##!%##!&##!'##!(##!)##!*##!+##!"### 56*.!7.*89: 78,0!90,:;< 3.4 (Malwr.com) 22

33 !'"""!&#"" *+,-./!01!2!3!!4!&"""!%#""!%"""!$#""!$"""!#"",-./01!23!4!5!!6!*#!)#!(#!'#!&#!%#!$#!"#!"!"!%""""!'""""!(""""!)""""!$"""""!#!"##!$##!%##!&##!'##!(##!)##!*##!+##!"### 56*.!7.*89: 78,0!90,:;< 3.5 (Legitimate Site) D3M Malwr.com legit % 23

34 1-3% live JavaScript html!#""!+"!*" $"""? (""?$""" #""?("" "?#""!)"!("!'"!&"!%"!$"!#"!" > /3=3.3<1 2;;2.1 : ,-5 4/ ,-./0 #& #% #$ ##

35 html JavaScript html div http A : Length of Line B : total (, & ; ) C : total (div & http & :) Start 0 < A < 100 A 2000 < A 100 < A < < A/B < 95 A / B A/B < 10 A < 400 A 400 < A 95 < A/B A/B < 200 A / B 200 < A / B B:C B < C B : C B < C C < B C < B normal randam & data Encode

36 4 html Legitimate Malicious Normal ,859 16,566 Normal , Random & Data 5, Encode ASCII Unicode

37 ASCII Unicode 3.9 ASCII % 3.3 Legitimate Malicious Letter 3,185, ,521 Number 119,782 78,427 Other 1,570, ,352!"#$%&'(")!"#$%$&'() (#%!&' $(#()&'!"#$%&' *+,+-'./01+-' 234+-' )$#*$%& '"#((%&!"#!$%& +,-,.& /012,.& 345,.&

38 Python nltk other 1 JavaScript ActiveX nltk of no

39 Start ノイズ 除 去 記 号 をスペースに 置 き 換 える 無 駄 なスペースの 除 去 特 定 文 字 列 の 除 去 頻 度 分 布 の 出 力 End

40 function gud(){var qklvoan = 64; for( var cfld=0; cfld<140; cfld++){qklvoan++};return qklvoan;} 記 号 をスペースへ 変 換 function gud var qklvoan 64 for var cfld 0 cfld 140 cfld qklvoan return qklvoan 複 数 のスペースをまとめる function gud var qklvoan 64 for var cfld 0 cfld 140 cfld qklvoan return qklvoan 意 味 ある 文 字 列 の 削 除 function gud var qklvoan 64 for var cfld 0 cfld 140 cfld qklvoan return qklvoan 3.11 ) Alexa global topsite Google Chrome JavaScript 10 JavaScript % 2.3% 14.2% 1 30

41 3.4 ( ) ( ) ( ) ( ) Normal 228,342 8,534 16,471 2, ,960 1,291 3,860 1,704 Random 1,998,911 46,474 82,212 12,352 & data 37,399 5,324 10,835 6,462 Encode 11,319 3, ,555 11,850 1, ,557 5, JavaScript JavaScript 31

42 3.5 ( ) ( ) ( ) ( ) Normal 251,534 8,970 16,471 2, ,324 1,049 3,860 1,704 Random 948,018 18,664 82,212 12,352 & data 22,616 2,570 10,835 6,462 Encode 7, ,555 11, ,557 5, Yahoo.co.jp amazon.co.jp youtube.com rakuten.co.jp twitter.com livedoor.com ameblo.jp goo.ne.jp naver.jp tabelog.com Google Closure Compiler[24] 1 ASCII 32

43 html

44 4 JavaScript JavaScript 4.1 URL DNS (Domain Name System) 34

45 <body> This page is Redirected. <script> location.replace( ); </script> </body> Request User Redirect 正 規 サイト html Response Web <body> <script> document.write( This page is Redirected ); eval(unescape(%6c%6f%63%61%74%69%6f%6e%2e%72%65%70%6c %61%63%65%28%e2%80%9c%68%74%74%70%3a%2f%2f%77%65%62%2f %68%6f%67%65%2e%68%74%6d%6c%e2%80%9d%29%3b)); </script></body> Request User Redirect html Response Web 改 ざんサイト Malicious 4.1 DOM (Document Object Model) DOM HTML HTML XML API DOM 35

46 4.2 DNS html js HTTP DNS 4.2 html js HTTP DNS : html js 2. : http DNS 36

47 Browser Proxy Malicious Request Normal Response 1 Web Execute Javascript Redirect 2 Redirect 3 1 Response Execute Javascript Malicious Action File download 2 3 Response : 2 37

48 Proxy Browser Attack code Execute Malicious.EXE Detect DGA URL 38

49 4.1 DGA + DGA + DGA + DGA DGA DGA DGA 1 39

50 DGA URL Ajax HTML URL 4.4 URL JavaScript Window location URL ID URL location location location URL

51 var c=window.location.protocol + // +m.location.hostname+"/post_login ; a.location.replace(c) 4.4 URL API Google Chrome API API HTTPS API 41

52 4.4.2 Squid Apache Traffic Server API 42

53 5 4 Google Chrome Platform APIs[20] Chrome Extension Chrome Extension 4 Google Chorme Google Chrome Extension Chrome Platform APIs JavaScript APIs JavaScript 1 jquery[22] Mac OSX 10.9 Ubuntu Desktop Chrome Extension OS Mac OSX Google Chrome Version (64bit) 43

54 5.2 OS Mac OSX VirtualBox OS Ubuntu Server Desktop Desktop Chrome (64bit) Web Server Apache Google Chrome Extension Google Chrome Google Chrome Background Pages (Event Pages) Chrome Platform APIs Content Scripts 2 Google Chrome Web Page Chrome Extension (SandBox) Content Scripts Background Pages DOM 通 常 のウェブ ページ Inject Script DOMに 対 しての 操 作 が 可 能 Event Handler Chrome API の 利 用 が 可 能 常 時 起 動 5.1 Chrome Extension 44

55 5.1 Chrome Extension Content Scripts JavaScript Background Pages Manifest Contents Scripts Chrome Platform APIs JavaScript Background Pages Chrome API(Chrome Platform APIs) permission API Chrome Extension URL Manifest Background Pages Content Scripts Manifest Google Chrome Extension Background Pages Content Scripts Background Pages Content Scripts Background Pages 1 Background Pages Background Pages Chrome Platform APIs eval() settimeout() setinterval() eval() Background Pages Event Pages Background Pages Background Pages Event Pages Event Pages Background Pages 45

56 Event Pages Event Pages Event Pages Chrome APIs storage API Content Scripts Content Scripts 1 script 1 1 Content Scripts Chrome Platform APIs JavaScript Chrome Platform APIs Chrome Platform APIs Google Google Chrome API API Manifest.json API API Chrome Chrome Platform APIs 5.3 Content Scripts script script js iframe extension API Background Pages Background Pages webrequest API 46

57 5.3 JavaScript APIs(Chrome Platform APIs) Name Description Method Event extension Extension sendrequest() onrequest Extension tabs ( executescript() reload() oncreated onupdated ) webrequest ( onbeforerequest oncompleted onbeforeredirect HTTP ) windows oncreated ( ) browseraction Google Chrome onclicked alarms create() clearall() onalarm 47

58 Google Chrome Chrome Platform APIs webrequest main_frame sub_frame stylesheet script image xmlhttprequest other main_frame iframe html css script js JavaScript xmlhttprequest() 48

59 5.1.4 jquery jquery JavaScript XMLHttpRequest get() Deffered jquery get() URL sub_frame Deffered JavaScript Deffered Deffered JavaScript Chrome Extension 3 Chrome Extension Chrome Extension Content Scripts Background Pages Content Scripts Background Pages 5.2 Content Script jquery get() js Deffered Background Pages 49

60 Content Scripts WebPage Load ContentScript Inject number of js file Download.js file sendrequest() js file finish 5.2 Chrome Extension Content Scripts 5.3 Background Pages Content Scripts onrequest() webrequest onbeforerequest() Content Scripts checkdomain() onbeforerequest() 50

61 WebPage Load Background Pages set Eventhandler wait onbefore Request() wait onrequest() 1 main_frame 0 No recived jsfile Yes 1 jsflag check Domain() found 0 not found jsflag = 1 reload webpage Return cancel : false Return cancel : true 5.3 Chrome Extension Background onbeforerequest() 51

62 5.4 Chrome Extension main_frame Background Pages Content Scripts main_frame Content Scripts Background Pages Background Pages domaincheck() domaincheck() Content Scripts Background Pages WebPage DomainCheck() Script Inject() script data send to Script data beforerequest Event Connection Accept Save Script Data main_frame DomainCheck() DomainCheck() beforerequest Event Connection Accept beforerequest Event Reject Connection Benign Contents Malicious (Obfuscation) Contents Event Notification 5.4 Chrome Extension 52

63 5.1.6 Chrome Extension Chrome Extension JavaScript JavaScript Google Chrome Content Scripts onbeforerequest() Google Chrome 5.5 main_frame 5.4 main_frame WebPage WebPage Contents WebPage Contents Contents Contents Contents Contents 5.5 Chrome 53

64 onbeforerequest() onbeforerequest() 1 main_frame main_frame Content Scripts 5.6 Content Scripts Background Pages WebPage DomainCheck() Script Inject() script data beforerequest Event Connection Accept main_frame send to Script data Save Script Data DomainCheck() Page reload beforerequest Event Connection Accept main_frame DomainCheck() DomainCheck() Event Notification beforerequest Event Connection Accept beforerequest Event Reject Connection Benign Contents Malicious (Obfuscation) Contents 5.6 Chrome Extension 54

65 5.1.7 Google Facebook Twitter Chrome Extension URL Chrome Extension 55

66 図 Chrome Extension 攻撃検知時の視覚化 評価手法 提案手法の評価方法として 評価用のデータセットを作成し データセットを用 いた疑似ドライブバイダウンロード攻撃環境を構築し 疑似攻撃環境で検知率の評 価を行う また 誤検知率の評価として正規のウェブサイトを訪れた際の誤検知率 に関しての評価を行った 疑似攻撃環境では実際の脆弱性を悪用した攻撃までは行 わず 悪性のウェブサイトまでの誘導を再現した 評価環境 評価環境には Mac OSX10.9 上に VirtualBox で仮想環境を構築し リダイレク ト用の踏み台サーバおよび攻撃用のウェブサイトを構築した 仮想ユーザとして Ubuntu Desktop に Google Chrome をインストールし Chrome Extension を用 56

67 OS Ubuntu Desktop Google Chrome Ubuntu Server Apache Jump A User Malicious Download Jump B JavaScript iframe 57

68 : ASCII : : Dean.edwards.name JavaScript [23] (ASCII) ( ) 11 (ASCII) (ASCII) 12 (ASCII) 13 (ASCII) ( ) 21 (ASCII) ( ) 31 ( ) (ASCII) 32 ( ) 33 ( ) ( ) 58

69 5.7 mal-j1i mal j1 iframe r location.replace() mal iframe j1 j1 j2 down j2 down down 59

70 mal-j1i01 j1-j2r22 j2-downr13 ubu-down mal-j1i02 j1-j2r31 j2-downr23 ubu-down mal-j1i03 j1-downr02 ubu-down mal-j1i11 j1-j2r02 j2-downr12 ubu-down mal-j1i12 j1-downr02 ubu-down mal-j1i13 j1-j2r21 j2-downr23 ubu-down mal-j1i21 j1-downr11 ubu-down mal-j1i22 j1-j2r02 j2-downr12 ubu-down mal-j1i23 j1-j2r33 j2-downr03 ubu-down mal-j1i31 j1-downr21 ubu-down mal-j1i32 j1-downr31 ubu-down mal-j1i33 j1-downr33 ubu-down mal-j1r01 j1-j2r11 j2-downr22 ubu-down mal-j1r02 j1-j2r02 j2-downr12 ubu-down mal-j1r03 j1-j2r03 j2-downr03 ubu-down mal-j1r11 j1-downr13 ubu-down mal-j1r12 j1-j2r21 j2-downr23 ubu-down mal-j1r13 j1-j2r12 j2-downr23 ubu-down mal-j1r21 j1-j2r01 j2-downr12 ubu-down mal-j1r22 j1-downr03 ubu-down mal-j1r23 j1-downr13 ubu-down mal-j1r31 j1-downr31 ubu-down mal-j1r32 j1-downr13 ubu-down mal-j1r33 j1-j2r03 j2-downr03 ubu-down 60

71 % iframe onbeforerequest() onbeforesendheaders() HTTP Referer 100% 5.9 Chrome Extension iframe ( ) 529 ( 43 ) ( ) 1729 ( 203 ) 5.4 Google Chrome Extension 50% HTTP Referer 100% 61

72 1.htaccess HTTP Chrome APIs webrequest API JavaScript location.replace() webrequest API Google Chrome main_frame HTTP Referer webrequest API 1 iframe iframe 62

73 HTML script 10 8 nltk Google Chrome Extension Chrome Platform APIs 63

74 100% Google Chrome Extension HTTP Referer 53% 6.2 Google Chrome Extension Chrome Extension Chrome Extension Chrome Extension Python nltk html 64

75 Google Chrome Extension Google Chrome Extension webrequest Chrome Extension 1 js js 65

76 Institut Mines-Télécom, Télécom SudParis Gregory Blanc OB D3M Drive-by-Download Data by Marionette NTT FP NECOMA [1] Symantec Corporation, Internet Security Threat Report 2014 Volume 19, resources/b-istr_appendices_v19_ en-us.pdf, p.12,2014. [2] McAfee Labs, McAfee Labs, resources/reports/rp-quarterly-threat-q pdf, p.32, [3] Van Lam Le, Ian Welch, Xiaoying Gao, Peter Komisarczuk, Anatomy of 66

77 Drive-by Download Attack, in Proceedings of the Eleventh Australasian Information Security Conference - Vol pp , Feb [4] Trend Micro Security Intelligence Blog, Youtube Ads Lead To Exploit Kits, Hit US Victims, trendlabs-security-intelligence/youtube-ads-lead-to-exploit-kitshit-us-victims/, [5],, pp , [6] Marco Cova, Christopher Kruegel, Giovanni Vigna Detection and Analysis of Drive-by-Download Attacks and Malicious JavaScript Code, in Proceedings of the 19th International Conference on World Wide Web. pp , Apr [7] Wei Xu, Fangfang Zhang, Sencun Zhu, The Power of Obfuscation Techniques in Malicious JavaScript Code: A Measurement Study, in Proceedings of the 7th International Conference on Malicious and Unwanted Software (MALWARE). pp. 9-16, Oct [8] McAfee Gumblar, [9],,,, Gumblar, IA [10] Konrad RIeck, Tammo Krueger, Andreas Dewald, Cujo: Efficient Detection and Prevention of Drive-by-Download Attacks, in Proceedings of the 26th Annual Computer Security Applications Conference. pp , Dec [11] Wepawet Home, [12] Cuckoo Sandbox, [13] Alexa Internet, Alexa Top Site, [14],,,, MWS Datasets 2014,

78 [15] Malwr.com, Malwr Recent Analysis, [16] Blue Coat, ONE-DAY WONDERS: HOW MALWARE HIDES AMONG THE INTERNETS SHORT-LIVED WEBSITES, com/2014_onedaywonders_report_download, [17] Moheeb Abu Rajab, Lucas Ballard, Nav Jagpal, Panayiotis Mavrommatis, Daisuke Nojiri, Niels Provos, Ludwig Schmidt, Trends in circumventing web-malware detection., Google, Google Technical Report (2011). [18],,, Web Web, ICSS, [19] W3C, Document Object Model (DOM), Jan [20] Google Chrome, Chrome Platform APIs (JavaScript APIs), developer.chrome.com/extensions/api_index, Jan [21] Google Chrome, Chrome Extension (Event Pages), developer.chrome.com/extensions/event_pages, Jan [22] jquery, Jan [23] dean edwards name packer, Jan [24] Google Developers, Closure Compiler, com/closure/compiler/, Jan