Drive by Download Interceptor using Abstract Syntax Tree

  • Authors

    • Patrick Adolf Telnoni
    • Muhammad Barja Sanjaya
    https://doi.org/10.14419/ijet.v8i1.9.26687
  • Keywords

    Product design, malware, drive by download, code obfuscation
  • Abstract

    The rapid increase in malware attacks has caused many malware propagation techniques to arise. One of the most common is the web browser. Drive-by download is the most prevalent browser-based attack used by malware to propagate itself: it downloads a malicious program by executing a script, commonly JavaScript, without the user's consent. Drive-by scripts range from simple to hard. The code becomes harder to detect when the malware developer crafts it using obfuscation techniques; obfuscated code often slips past detection and requires heavy computation to recover its original form. This paper presents the design of a tool to intercept drive-by download attacks without spending excessive computing resources on obfuscated code, by using the Abstract Syntax Tree (AST) to detect code duplication and a de-obfuscation technique based on the DeFusinator plugin. As far as this research went, we were able to extract an AST from benign JavaScript, but we also found it an obstacle to find active malicious pages to extract from. This research will provide a tool to prevent users from visiting malicious web pages infected with drive-by scripts.
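As an added illustration of the AST-based duplicate detection the abstract refers to (example code written for this page, not the authors' tool): Python's standard `ast` module is used on constructed Python snippets in place of the paper's JavaScript, and the normalization rules (every name, argument, attribute and string literal collapsed to a placeholder) are an assumption. The point it shows is that renaming identifiers, a cheap obfuscation that defeats plain text matching, leaves the structural fingerprint unchanged.

```python
import ast
import hashlib

# Constructed samples: one script, the same script with identifiers renamed
# (a cheap obfuscation that defeats plain text matching), and an unrelated one.
ORIGINAL = """
def fetch(url):
    data = download(url)
    if data:
        run(data)
"""
RENAMED = """
def _0x1f(_a):
    _b = _0x2c(_a)
    if _b:
        _0x3d(_b)
"""
UNRELATED = """
def total(xs):
    s = 0
    for x in xs:
        s += x
    return s
"""

def normalize(tree: ast.AST) -> ast.AST:
    """Replace identifiers and string literals with fixed placeholders so the
    fingerprint depends only on the tree's shape (assumed normalization rules)."""
    for node in ast.walk(tree):
        if isinstance(node, ast.Name):
            node.id = "ID"
        elif isinstance(node, ast.FunctionDef):
            node.name = "FN"
            for arg in node.args.args:
                arg.arg = "ARG"
        elif isinstance(node, ast.Attribute):
            node.attr = "ATTR"
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            node.value = "STR"
    return tree

def fingerprint(source: str) -> str:
    """Structural hash of a script: SHA-256 over the dump of its normalized AST."""
    tree = normalize(ast.parse(source))
    return hashlib.sha256(ast.dump(tree).encode()).hexdigest()

def is_clone(a: str, b: str) -> bool:
    """True when two scripts share an identical normalized AST."""
    return fingerprint(a) == fingerprint(b)
```

Structure-changing obfuscation (for example, logic hidden in strings that are decoded and evaluated at run time) is not caught by this comparison; that is the case the abstract addresses with a separate de-obfuscation step before AST extraction.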


  • How to Cite

    Adolf Telnoni, P., & Barja Sanjaya, M. (2019). Drive by Download Interceptor using Abstract Syntax Tree. International Journal of Engineering & Technology, 8(1.9), 364-368. https://doi.org/10.14419/ijet.v8i1.9.26687