
NAIST-IS-MT1351095 2015 3 11


JavaScript 100% 53%,, JavaScript, NAIST-IS-MT1351095, 2015 3 11. i

A Design and Implementation of a detection method against Drive-by Download Attacks using obfuscation features

Hirotaka Fujiwara

Abstract

Drive-by download attacks usually redirect a user to a malicious web page where vulnerabilities in a browser or in browser plugins are exploited in order to force the download of malware. This research presents and evaluates a detection method against drive-by download attacks. The proposed method focuses on the transformation of strings that is the characteristic of obfuscation. The proposed method employs obfuscated domain information in JavaScript as a trigger to detect drive-by download attacks. The browser plug-in implementation of the proposed method was able to detect obfuscated redirection correctly with 100% true positives, while it showed 53% false positives against legitimate sites.

Keywords: Drive-by Download Attack, Obfuscation, JavaScript

Master's Thesis, Department of Information Science, Graduate School of Information Science, Nara Institute of Science and Technology, NAIST-IS-MT1351095, March 11, 2015. ii


1 1.1 JavaScript PHP Java Ruby Python [1][2] ActiveX Java Flash Player [7] [10] [5] IDS : Intrusion Detection System IPS : Intrusion Prevention System 1

1.2 1.1 (IDS/IPS ) ( ) 1.1 2.3 2

1.3 JavaScript JavaScript Google Chrome Extension 3

1.4 2 1 3 4 5 4 Chrome Extension 6 3 5 4

2 2.1 2.2 2.3 2.1 2009 Gumblar [8][9] JavaScript Internet Explorer Adobe Acrobat Adobe Reader Adobe Flash Player TrendMicro [4] 2014 10 Youtube Java Internet Explorer Flash 11 5

SQL iframe referrer Java Adobe 2.1.1 JavaScript [3] Inline Frame HTTP 1 6

1 2.1 Browser Malicious Web Normal Execute Javascript Redirect Execute Javascript Malicious Action Request 1 Response Redirect 2 Response File download 3 Response 4 2.1 1. : 7

html js JavaScript iframe 2. : Referrer 3. : html js JavaScript 4. : 8

2.2 URL IDS IPS 1 2.2.1 IDS IPS 2.2 9

7368656c6c636f6465 Signature File 736865 6c6c636f 6465 Signature Database Match Obfuscation 3663363536373639373 436393664363137343635 Obfuscation 333636333336333533 3633373336333933373334 3336333933363634333633 313337333433363335 2.2 [7] 20 3 86.85% 55.3% 45.7% JavaScript Java 2.2 10

2.2.2 URL Wepawet[11] Cuckoo Sandbox[12] [17][18] Referrer Referrer referrer 2.3 html 11

SandBox Browser Attack code not Execute (Cloaking) Attack code Execute Malicious.EXE not Execute (Cloaking).EXE Execute 2.3 2.2.3 [5] 1 [16] 1 DGA ( ) DGA DGA 1 DGA 12

2.3 2.3.1 JavaScript Java 2.3.2 JavaScript [7] 2.4 2.5, 2.6, 2.7 2.5 13

Figure 2.4 (plain script) and Figure 2.5 (the same script with renamed identifiers):

<script> function myalert(txt){ alert(txt); } var string="Hello World!!"; myalert(string); </script>

<script> function _cd(ab){ alert(ab); } var ok="Hello World!!"; _cd(ok); </script>

2.4 2.5 2.6 1 2.6 (+) eval() document.write() html ASCII Unicode unescape() 2.7 ASCII ASCII JavaScript JavaScript html JavaScript 14

Figure 2.6 (string splitting, reassembled with + and document.write()):

<script> var co="ert(txt)"; var pg="ello World!"; var am="functi"; var qf="tring=\"H"; var jl="ing)"; var ne="xt);}var s"; var rh="!\";mya"; var wb="on myal"; var ik="lert(str"; var sd="{alert(t"; document.write(am+wb+co+sd+ne+qf+pg+rh+ik+jl); </script>

2.6 unescape() document.write() html charat() String.replace() JavaScript 2.3.3 JavaScript JavaScript 15

Figure 2.7 (percent-encoded script decoded with unescape()):

<script> document.write(unescape("%66%75%6e%63%74%69%6f%6e%20%6d%79%41%6c%65%72%74%28%74%78%74%29%7b%61%6c%65%72%74%28%74%78%74%29%3b%7d%76%61%72%20%73%74%72%69%6e%67%3d%e2%80%9c%48%65%6c%6c%6f%20%57%6f%72%6c%64%21%21%e2%80%9d%3b%6d%79%41%6c%65%72%74%28%73%74%72%69%6e%67%29%3b")); </script>

2.7 16

3 3.1 3.2 3.3 3.4 3.3 3.5 3.4 3.1 2.4 alert() 2.5 2.6 2.7 3.2 html js 17

Alexa [13] Mac OSX 10.9 Google Chrome Google Chrome Google Chrome JavaScript MWS ( ) 2014[14] D3M 2011 2014 pcap html js D3M NTT Marionetto D3M Malwr.com[15] Recent Analysis html Malwr.com Ubuntu REMnux REMnux Python 3.1 3.3 18

Table 3.1

                         Alexa     D3M dataset 2011-2014   Malwr.com
Number of Files          98        79 (31+16+18+14)        20
Number of Lines          30,489    16,799                  17,942
Number of Script Lines   12,869    13,729                  3,770

2000 3.3.1 Alexa 100 19

3.3.2 1 1 1 1 1 JavaScript 1 3.1 1 [Figure 3.1: plot residue not recoverable] 3.1 1 3.1 3.1 1 20

3.1 (1) (2) 1 3.1 (1) (2) replace() R ward k-means 3.2 3.3 3.4 3.5 4000 11 100 1000 [Figure 3.2 (D3M2011-2012): plot residue not recoverable] 21

[Figure 3.4 (Malwr.com): plot residue not recoverable] 22

[Figure 3.5 (Legitimate Site): plot residue not recoverable] 1 0-100 1 100 1 500 3.3 3.5 3.3.3 1 1 3.6 1 0 100 600 2000 3.6 5 1 D3M Malwr.com legit 10 1 0-100 100-600 600 2000 100 3.6 1 600 12% 23

1-3% 3.6 3.6 live 3.6 1 1 600 2000 100 JavaScript html [Figure 3.6: plot residue not recoverable] 24

3.4 3.7 1 html JavaScript html div http A : Length of Line B : total (, & ; ) C : total (div & http & :) Start 0 < A < 100 A 2000 < A 100 < A < 2000 10 < A/B < 95 A / B A/B < 10 A < 400 A 400 < A 95 < A/B A/B < 200 A / B 200 < A / B B:C B < C B : C B < C C < B C < B normal 100-400 randam & data Encode 3.7 3.2 8 10 4 25

4 html 1 0-100 3.2

Table 3.2

                  Legitimate   Malicious
Normal 0-100      4,859        16,566
Normal 100-400    2,328        600
Random & Data     5,672        275
Encode            10           58

3.5 3.5.1 3.3 3.8 10 3.8 ASCII Unicode 3.9 26

ASCII Unicode 3.9 ASCII % 3.3

Table 3.3

          Legitimate   Malicious
Letter    3,185,888    203,521
Number    119,782      78,427
Other     1,570,242    138,352

[Figure 3.8: plot residue not recoverable] 27

3.9 3.5.2 3.4 Python nltk 3.10 3.8 3.9 3.3 other 1 JavaScript ActiveX nltk of no 2 3 12 5 3.11 28

Figure 3.10 flow: Start; noise removal; replace symbols with spaces; remove redundant spaces; remove specific strings; output the frequency distribution; End. 3.10 29

function gud(){var qklvoan = 64; for( var cfld=0; cfld<140; cfld++){qklvoan++};return qklvoan;}

(convert symbols to spaces)
function gud var qklvoan 64 for var cfld 0 cfld 140 cfld qklvoan return qklvoan

(merge consecutive spaces)
function gud var qklvoan 64 for var cfld 0 cfld 140 cfld qklvoan return qklvoan

(remove meaningful strings)
function gud var qklvoan 64 for var cfld 0 cfld 140 cfld qklvoan return qklvoan

3.11 ) 3.4 3.3 Alexa global topsite Google Chrome JavaScript 10 JavaScript 1 3.4 15.0% 2.3% 14.2% 1 30

3.4 ( ) ( ) ( ) ( ) Normal 228,342 8,534 16,471 2,945 100-400 10,960 1,291 3,860 1,704 Random 1,998,911 46,474 82,212 12,352 & data 37,399 5,324 10,835 6,462 Encode 11,319 3,914 299,555 11,850 1,548 662 9,557 5,058 3.4 JavaScript 3.5 3.6 JavaScript 31

3.5 ( ) ( ) ( ) ( ) Normal 251,534 8,970 16,471 2,945 100-400 6,324 1,049 3,860 1,704 Random 948,018 18,664 82,212 12,352 & data 22,616 2,570 10,835 6,462 Encode 7,355 663 299,555 11,850 245 131 9,557 5,058 3.6 Yahoo.co.jp amazon.co.jp youtube.com rakuten.co.jp twitter.com livedoor.com ameblo.jp goo.ne.jp naver.jp tabelog.com 3.6 3.7 Google Closure Compiler[24] 1 ASCII 32

html 1 100-400 1 14.5 1 3.7 33

4 JavaScript 4.1 4.2 4.3 4.1 JavaScript 4.1 URL DNS (Domain Name System) 34

Figure 4.1: redirect served by a legitimate site (top) and the same redirect served by a tampered site, hidden behind eval(unescape()) (bottom). Diagram labels in both cases: Request, User, Redirect, html Response, Web.

Legitimate site:

<body> This page is Redirected. <script> location.replace("http://web/hoge.html"); </script> </body>

Tampered site (Malicious):

<body> <script> document.write("This page is Redirected"); eval(unescape("%6c%6f%63%61%74%69%6f%6e%2e%72%65%70%6c%61%63%65%28%e2%80%9c%68%74%74%70%3a%2f%2f%77%65%62%2f%68%6f%67%65%2e%68%74%6d%6c%e2%80%9d%29%3b")); </script></body>

4.1 DOM (Document Object Model) DOM HTML HTML XML API DOM 35
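Added example, not code from the thesis: the per-line features the method builds on (line length A and separator count B in the notation of Figure 3.7, the Letter/Number/Other character classes of Table 3.3, and a count of %xx escapes) computed over constructed scripts modelled on Figures 2.4, 2.6 and 4.1, followed by a simplified class assignment (an assumption, not the full decision tree of Figure 3.7) and decoding of the unescape() payload to expose the redirect target that the method treats as its trigger. The sample scripts use ASCII quotes and are constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed samples modelled on the thesis's listings (ASCII quotes instead of
# the curly quotes in the figures): Figure 2.4 (plain script), Figure 2.6
# (string splitting joined by document.write) and Figure 4.1 (redirect hidden
# behind eval(unescape())). They are not copied from the thesis.
PLAIN = 'function myalert(txt){ alert(txt); } var string="Hello World!!"; myalert(string);'
SPLIT = ('var co="ert(txt)"; var pg="ello World!"; var am="functi"; var qf="tring=\\"H"; '
         'var jl="ing)"; var ne="xt);}var s"; var rh="!\\";mya"; var wb="on myal"; '
         'var ik="lert(str"; var sd="{alert(t"; '
         'document.write(am+wb+co+sd+ne+qf+pg+rh+ik+jl);')
ENCODED = ('eval(unescape("%6c%6f%63%61%74%69%6f%6e%2e%72%65%70%6c%61%63%65%28%22'
           '%68%74%74%70%3a%2f%2f%77%65%62%2f%68%6f%67%65%2e%68%74%6d%6c%22%29%3b"));')

PCT_ESCAPE = re.compile(r'%[0-9a-fA-F]{2}')
PCT_RUN = re.compile(r'(?:%[0-9a-fA-F]{2})+')
URL = re.compile(r'https?://[^\s"\'()]+')


def char_classes(line):
    """Letter / Number / Other counts, the three character classes of Table 3.3."""
    letters = sum(c.isalpha() for c in line)
    numbers = sum(c.isdigit() for c in line)
    return {"letter": letters, "number": numbers, "other": len(line) - letters - numbers}


def features(line):
    """Per-line features. A and B follow the notation of Figure 3.7:
    A = line length, B = number of ',' '&' ';' separators."""
    f = {
        "length": len(line),
        "separators": sum(line.count(c) for c in ",&;"),
        "pct_escapes": len(PCT_ESCAPE.findall(line)),
        "eval_unescape": "unescape(" in line and ("eval(" in line or "document.write(" in line),
    }
    f.update(char_classes(line))
    return f


def classify(line):
    """Assign one of the coarse classes of Table 3.2.
    Simplified rule (assumption): the thesis's decision tree in Figure 3.7 also
    uses the A/B ratio and the B:C comparison, which are not reproduced here."""
    f = features(line)
    if f["pct_escapes"] >= 8:
        return "Encode"
    if f["length"] < 100:
        return "Normal 0-100"
    if f["length"] < 400:
        return "Normal 100-400"
    return "Random & Data"


def decode_escapes(line):
    """Decode every run of %xx escapes (the form unescape() consumes in the
    listings) so that strings hidden from a signature scanner become visible."""
    return [unquote(run) for run in PCT_RUN.findall(line)]


def hidden_urls(line):
    """URLs that appear only after decoding: the obfuscated domain information
    the thesis uses as its detection trigger."""
    found = []
    for text in decode_escapes(line):
        found.extend(URL.findall(text))
    return found


if __name__ == "__main__":
    for name, script in (("plain", PLAIN), ("split", SPLIT), ("encoded", ENCODED)):
        print(name, classify(script), features(script), hidden_urls(script))
```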

4.2 DNS html js HTTP DNS 4.2 html js HTTP DNS 4.2 1. : html js 2. : http DNS 36

Browser Proxy Malicious Request Normal Response 1 Web Execute Javascript Redirect 2 Redirect 3 1 Response Execute Javascript Malicious Action File download 2 3 Response 4.2 3. : 2 37

4.3 1 2.3 4.3 Proxy Browser Attack code Execute Malicious.EXE Detect 4.3 4.1 DGA URL 38

4.1 DGA + DGA + DGA + DGA DGA DGA DGA 1 39

DGA 4.2 2 URL Ajax HTML URL 4.4 URL JavaScript Window location URL ID URL location location location URL 4.3 40

var c=window.location.protocol + "//" + m.location.hostname+"/post_login"; a.location.replace(c)

4.4 URL 4.4 2 1 2 4.4.1 API Google Chrome API API HTTPS API 41

4.4.2 Squid Apache Traffic Server API 42

5 4 Google Chrome Platform APIs[20] 5.1 5.2 Chrome Extension 5.3 5.4 5.1 Chrome Extension 4 Google Chorme Google Chrome Extension Chrome Platform APIs JavaScript APIs JavaScript 1 jquery[22] 5.1.1 Mac OSX 10.9 Ubuntu Desktop 14.04 5.1 5.2 5.1 Chrome Extension OS Mac OSX 10.9.5 Google Chrome Version 39.0.2171.95 (64bit) 43

5.2 OS Mac OSX 10.9.5 VirtualBox 4.3.14 OS Ubuntu Server Desktop 14.04 Desktop Chrome 39.0.2171.95 (64bit) Web Server Apache 2.4.7 5.1.2 Google Chrome Extension Google Chrome Google Chrome Background Pages (Event Pages) Chrome Platform APIs Content Scripts 2 Google Chrome Web Page Chrome Extension (SandBox) Content Scripts Background Pages DOM (normal web page) Inject Script (can manipulate the DOM) Event Handler (can use the Chrome API; always running) 5.1 Chrome Extension 44

5.1 Chrome Extension Content Scripts JavaScript Background Pages Manifest Contents Scripts Chrome Platform APIs JavaScript Background Pages Chrome API(Chrome Platform APIs) permission API Chrome Extension URL Manifest Background Pages Content Scripts Manifest Google Chrome Extension Background Pages Content Scripts Background Pages Content Scripts Background Pages 1 Background Pages Background Pages Chrome Platform APIs eval() settimeout() setinterval() eval() Background Pages Event Pages Background Pages Background Pages Event Pages Event Pages Background Pages 45

Event Pages Event Pages Event Pages Chrome APIs storage API Content Scripts Content Scripts 1 script 1 1 Content Scripts Chrome Platform APIs JavaScript 5.1.3 Chrome Platform APIs Chrome Platform APIs Google Google Chrome API API Manifest.json API API Chrome Chrome Platform APIs 5.3 Content Scripts script script js iframe extension API Background Pages Background Pages webrequest API 46

5.3 JavaScript APIs(Chrome Platform APIs) Name Description Method Event extension Extension sendrequest() onrequest Extension tabs ( executescript() reload() oncreated onupdated ) webrequest ( onbeforerequest oncompleted onbeforeredirect HTTP ) windows oncreated ( ) browseraction Google Chrome onclicked alarms create() clearall() onalarm 47

Google Chrome Chrome Platform APIs 5.4 5.4 webrequest main_frame sub_frame stylesheet script image xmlhttprequest other main_frame iframe html css script js JavaScript xmlhttprequest() 48

5.1.4 jquery jquery JavaScript XMLHttpRequest get() Deffered jquery get() URL sub_frame Deffered JavaScript Deffered Deffered JavaScript 5.1.5 Chrome Extension 3 Chrome Extension 5.2 5.3 5.4 Chrome Extension Content Scripts Background Pages Content Scripts Background Pages 5.2 Content Script jquery get() js Deffered Background Pages 49

Content Scripts WebPage Load ContentScript Inject number of js file Download.js file sendrequest() js file finish 5.2 Chrome Extension Content Scripts 5.3 Background Pages Content Scripts onrequest() webrequest onbeforerequest() Content Scripts checkdomain() onbeforerequest() 50

WebPage Load Background Pages set Eventhandler wait onbefore Request() wait onrequest() 1 main_frame 0 No recived jsfile Yes 1 jsflag check Domain() found 0 not found jsflag = 1 reload webpage Return cancel : false Return cancel : true 5.3 Chrome Extension Background onbeforerequest() 51

5.4 Chrome Extension main_frame Background Pages Content Scripts main_frame Content Scripts Background Pages Background Pages domaincheck() domaincheck() Content Scripts Background Pages WebPage DomainCheck() Script Inject() script data send to Script data beforerequest Event Connection Accept Save Script Data main_frame DomainCheck() DomainCheck() beforerequest Event Connection Accept beforerequest Event Reject Connection Benign Contents Malicious (Obfuscation) Contents Event Notification 5.4 Chrome Extension 52

5.1.6 Chrome Extension Chrome Extension JavaScript JavaScript Google Chrome Content Scripts onbeforerequest() Google Chrome 5.5 main_frame 5.4 main_frame WebPage WebPage Contents WebPage Contents Contents Contents Contents Contents 5.5 Chrome 53

onbeforerequest() onbeforerequest() 1 main_frame main_frame Content Scripts 5.6 Content Scripts Background Pages WebPage DomainCheck() Script Inject() script data beforerequest Event Connection Accept main_frame send to Script data Save Script Data DomainCheck() Page reload beforerequest Event Connection Accept main_frame DomainCheck() DomainCheck() Event Notification beforerequest Event Connection Accept beforerequest Event Reject Connection Benign Contents Malicious (Obfuscation) Contents 5.6 Chrome Extension 54

5.1.7 Google Facebook Twitter 5.1.8 5.7 5.1.9 Chrome Extension URL Chrome Extension 55

Figure 5.7: visualization when an attack is detected

5.2 Evaluation method

To evaluate the proposed method, an evaluation dataset was created, a pseudo drive-by download attack environment was built using that dataset, and the detection rate was evaluated in the pseudo attack environment. The false positive rate was also evaluated, as the rate of false detections when visiting legitimate websites. The pseudo attack environment did not go as far as exploiting actual vulnerabilities; it reproduced only the redirection to the malicious website.

5.2.1 Evaluation environment

For the evaluation environment, a virtual environment was built with VirtualBox on Mac OSX 10.9, in which a stepping-stone server for redirection and an attack website were set up. As the virtual user, Google Chrome was installed on Ubuntu Desktop, with the Chrome Extension 56

5.5 5.8 5.5 OS Ubuntu Desktop 14.04 Google Chrome Ubuntu Server 14.04 Apache 2.4.7 Jump A User Malicious Download Jump B 5.8 5.2.2 JavaScript iframe 57

: ASCII : : Dean.edwards.name JavaScript [23] 1 2 5.6 5.7 5.6 1 2 01 (ASCII) 02 03 ( ) 11 (ASCII) (ASCII) 12 (ASCII) 13 (ASCII) ( ) 21 (ASCII) 22 23 ( ) 31 ( ) (ASCII) 32 ( ) 33 ( ) ( ) 58

5.7 mal-j1i01 5.8 mal j1 iframe 5.6 01 r location.replace() mal iframe j1 j1 j2 down j2 down down 59

Table 5.7 (one test scenario per row: entry site, hop 1, hop 2, final download host)

mal-j1i01 j1-j2r22 j2-downr13 ubu-down
mal-j1i02 j1-j2r31 j2-downr23 ubu-down
mal-j1i03 j1-downr02 ubu-down
mal-j1i11 j1-j2r02 j2-downr12 ubu-down
mal-j1i12 j1-downr02 ubu-down
mal-j1i13 j1-j2r21 j2-downr23 ubu-down
mal-j1i21 j1-downr11 ubu-down
mal-j1i22 j1-j2r02 j2-downr12 ubu-down
mal-j1i23 j1-j2r33 j2-downr03 ubu-down
mal-j1i31 j1-downr21 ubu-down
mal-j1i32 j1-downr31 ubu-down
mal-j1i33 j1-downr33 ubu-down
mal-j1r01 j1-j2r11 j2-downr22 ubu-down
mal-j1r02 j1-j2r02 j2-downr12 ubu-down
mal-j1r03 j1-j2r03 j2-downr03 ubu-down
mal-j1r11 j1-downr13 ubu-down
mal-j1r12 j1-j2r21 j2-downr23 ubu-down
mal-j1r13 j1-j2r12 j2-downr23 ubu-down
mal-j1r21 j1-j2r01 j2-downr12 ubu-down
mal-j1r22 j1-downr03 ubu-down
mal-j1r23 j1-downr13 ubu-down
mal-j1r31 j1-downr31 ubu-down
mal-j1r32 j1-downr13 ubu-down
mal-j1r33 j1-j2r03 j2-downr03 ubu-down

60

5.3 5.8 100% iframe onbeforerequest() onbeforesendheaders() HTTP Referer 100% 5.9 Chrome Extension 1729 529 5.8 24 iframe 12 12 5.9 1000 ( ) 529 ( 43 ) ( ) 1729 ( 203 ) 5.4 Google Chrome Extension 50% HTTP Referer 100% 61

1.htaccess HTTP Chrome APIs webrequest API JavaScript location.replace() webrequest API Google Chrome main_frame HTTP Referer webrequest API 1 iframe iframe 62

6 6.1 6.2 6.1 6.1.1 HTML script 10 8 nltk 6.1.2 Google Chrome Extension Chrome Platform APIs 63

100% Google Chrome Extension HTTP Referer 53% 6.2 Google Chrome Extension Chrome Extension Chrome Extension Chrome Extension Python nltk html 64

Google Chrome Extension Google Chrome Extension webrequest Chrome Extension 1 js js 65

Institut Mines-Télécom, Télécom SudParis Gregory Blanc OB D3M Drive-by-Download Data by Marionette NTT FP7 608533 NECOMA

[1] Symantec Corporation, Internet Security Threat Report 2014 Volume 19, http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_appendices_v19_221284438.en-us.pdf, p.12, 2014.
[2] McAfee Labs, McAfee Labs, http://www.mcafee.com/jp/resources/reports/rp-quarterly-threat-q3-2014.pdf, p.32, Nov 2014.
[3] Van Lam Le, Ian Welch, Xiaoying Gao, Peter Komisarczuk, Anatomy of Drive-by Download Attack, in Proceedings of the Eleventh Australasian Information Security Conference, Vol. 138, pp. 49-58, Feb 2013.
[4] Trend Micro Security Intelligence Blog, Youtube Ads Lead To Exploit Kits, Hit US Victims, http://blog.trendmicro.com/trendlabs-security-intelligence/youtube-ads-lead-to-exploit-kitshit-us-victims/, 2014.
[5] ,, pp. 25-30, May 2012.
[6] Marco Cova, Christopher Kruegel, Giovanni Vigna, Detection and Analysis of Drive-by-Download Attacks and Malicious JavaScript Code, in Proceedings of the 19th International Conference on World Wide Web, pp. 281-290, Apr 2010.
[7] Wei Xu, Fangfang Zhang, Sencun Zhu, The Power of Obfuscation Techniques in Malicious JavaScript Code: A Measurement Study, in Proceedings of the 7th International Conference on Malicious and Unwanted Software (MALWARE), pp. 9-16, Oct 2012.
[8] McAfee, Gumblar, http://www.mcafee.com/japan/security/gumblar.asp
[9] ,,,, Gumblar, IA, June 2010.
[10] Konrad Rieck, Tammo Krueger, Andreas Dewald, Cujo: Efficient Detection and Prevention of Drive-by-Download Attacks, in Proceedings of the 26th Annual Computer Security Applications Conference, pp. 31-39, Dec 2010.
[11] Wepawet Home, https://wepawet.iseclab.org/, 2014.
[12] Cuckoo Sandbox, http://www.cuckoosandbox.org/, 2014.
[13] Alexa Internet, Alexa Top Site, http://www.alexa.com/topsites, 2014.
[14] ,,,, MWS Datasets 2014, June 2014.
[15] Malwr.com, Malwr Recent Analysis, https://malwr.com/analysis/, 2014.
[16] Blue Coat, ONE-DAY WONDERS: HOW MALWARE HIDES AMONG THE INTERNETS SHORT-LIVED WEBSITES, http://dc.bluecoat.com/2014_onedaywonders_report_download, 2014.
[17] Moheeb Abu Rajab, Lucas Ballard, Nav Jagpal, Panayiotis Mavrommatis, Daisuke Nojiri, Niels Provos, Ludwig Schmidt, Trends in circumventing web-malware detection, Google Technical Report, 2011.
[18] ,,, Web Web, ICSS, March 2014.
[19] W3C, Document Object Model (DOM), http://www.w3.org/dom/, Jan 2015.
[20] Google Chrome, Chrome Platform APIs (JavaScript APIs), https://developer.chrome.com/extensions/api_index, Jan 2015.
[21] Google Chrome, Chrome Extension (Event Pages), https://developer.chrome.com/extensions/event_pages, Jan 2015.
[22] jquery, http://semooh.jp/jquery/, Jan 2015.
[23] dean edwards name packer, http://dean.edwards.name/packer/, Jan 2015.
[24] Google Developers, Closure Compiler, https://developers.google.com/closure/compiler/, Jan 2015.