Revolver: An automated approach to the detection of evasive web-based malware

Alexandros Kapravelos, Yan Shoshitaishvili, Marco Cova, Christopher Kruegel, Giovanni Vigna

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

101 Scopus citations

Abstract

In recent years, attacks targeting web browsers and their plugins have become a prevalent threat. Attackers deploy web pages that contain exploit code, typically written in HTML and JavaScript, and use them to compromise unsuspecting victims. Initially, static techniques, such as signature-based detection, were adequate to identify such attacks. The response from the attackers was to heavily obfuscate the attack code, rendering static techniques insufficient. This led to dynamic analysis systems that execute the JavaScript code included in web pages in order to expose malicious behavior. However, today we are facing a new reaction from the attackers: evasions. The latest attacks found in the wild incorporate code that detects the presence of dynamic analysis systems and tries to avoid analysis and/or detection. In this paper, we present Revolver, a novel approach to automatically detect evasive behavior in malicious JavaScript. Revolver uses efficient techniques to identify similarities between a large number of JavaScript programs (despite their use of obfuscation techniques, such as packing, polymorphism, and dynamic code generation), and to automatically interpret their differences to detect evasions. More precisely, Revolver leverages the observation that two scripts that are similar should be classified in the same way by web malware detectors (either both scripts are malicious or both scripts are benign); differences in the classification may indicate that one of the two scripts contains code designed to evade a detector tool. Using large-scale experiments, we show that Revolver is effective at automatically detecting evasion attempts in JavaScript, and its integration with existing web malware analysis systems can support the continuous improvement of detection techniques.

Original language: English (US)
Title of host publication: Proceedings of the 22nd USENIX Security Symposium
Publisher: USENIX Association
Pages: 637-651
Number of pages: 15
ISBN (Electronic): 9781931971034
State: Published - 2013
Externally published: Yes
Event: 22nd USENIX Security Symposium - Washington, United States
Duration: Aug 14 2013 - Aug 16 2013

Publication series

Name: Proceedings of the 22nd USENIX Security Symposium

Conference

Conference: 22nd USENIX Security Symposium
Country/Territory: United States
City: Washington
Period: 8/14/13 - 8/16/13

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Information Systems
  • Safety, Risk, Reliability and Quality
