Zozzle: Low-overhead Mostly Static JavaScript Malware Detection.

Date post: 19-Jan-2016
Upload: rodney-casey
Page 1: Zozzle: Low-overhead Mostly Static JavaScript Malware Detection

Page 2: Road Map

Background
Architecture and Evaluation

Page 3: Heap Spraying

Create the NOP sled/shellcode:
◦ Create the shellcode and precede it with a block of NOP sled.

Spray the NOP sled/shellcode:
◦ Allocate many copies of the NOP sled/shellcode on the heap to increase the chance of success.

Trigger the vulnerability:
◦ Redirect control flow into the heap, where it is likely to land in the NOP sled and then reach the shellcode.

Page 4: Malware Cloaking

Generally, there are two ways to check JavaScript for malware:
◦ Signatures
◦ Machine Learning

Both need the source code.

Page 5: Architecture of Zozzle

Pipeline shown in the diagram:
Training: Samples → Deobfuscate → Feature Extraction → Feature Selection → Classifier Training → Bayesian Classifier
Detection: Unknown JavaScript → Bayesian Classifier → Benign or Malicious

Page 6: De-obfuscation

An exploit must unpack itself to run.
◦ That is, before an exploit is executed, it must reveal its real source code.

Zozzle intercepts calls to the Compile function in the JavaScript engine, which is reached when:
◦ eval() is called
◦ New code is included in an <iframe> tag
◦ New code is included in a <script> tag

Page 7: Feature Extraction

Flat features vs. hierarchical features:
◦ Flat feature: text from the source code
◦ 1-level hierarchical feature: <Context Info, Text>
◦ n-level hierarchical feature: <Context Info…, Text>

Context comes from the abstract syntax tree, e.g. the same text under different enclosing constructs:

function f(){ shellcode… …}

for(i=0; i<5000;i++){… …Shellcode…⋯}

Page 8: Feature Selection

Zozzle only selects those features that are most likely to be predictive.
It uses the χ² test to measure the correlation between a feature and the label.

Page 9: Classifier Training

ZOZZLE uses a naïve Bayesian classifier, for its simplicity and efficiency.

Open question: how to calculate P(Fk|Li)?
◦ Li = Benign or Malicious
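The pipeline of pages 7 to 9 (hierarchical <context, text> features, χ² feature selection, a naïve Bayes classifier built from P(Fk|Li)) carried through end to end in Python, as an added example that is not code from the Zozzle paper or these slides. The training snippets are constructed, a keyword scan stands in for Zozzle's AST walk when assigning each token its context, and the χ² threshold of 2.0 is chosen for the toy corpus rather than taken from the paper.

```python
import math
import re
from collections import Counter
# Constructed training snippets (illustrative, not the paper's corpus).
TRAIN = [
    ("function f(){ var shellcode = unescape('%u9090'); for(i=0;i<5000;i++){ spray[i] = nop + shellcode; } }", "malicious"),
    ("for(i=0;i<5000;i++){ heap[i] = unescape(nop) + shellcode; }", "malicious"),
    ("function render(){ for(i=0;i<items.length;i++){ list.appendChild(items[i]); } }", "benign"),
    ("function onload(){ document.getElementById('x').innerHTML = text; }", "benign"),
]
LABELS = ("malicious", "benign")
CONTEXTS = ("function", "for", "try")  # enclosing constructs that supply the context
TOKEN = re.compile(r"[A-Za-z_]\w*")

def hierarchical_features(js):
    """1-level <context, text> pairs; a keyword scan approximates the AST walk (simplification)."""
    feats, context = set(), "toplevel"
    for tok in TOKEN.findall(js):
        if tok in CONTEXTS:
            context = tok  # every later token is attributed to this enclosing construct
        else:
            feats.add((context, tok))
    return feats

def chi_square(docs, feature):
    """chi^2 statistic of the 2x2 table (feature present?) x (label) over (features, label) docs."""
    table = Counter((feature in f, l) for f, l in docs)
    a, b = table[(True, "malicious")], table[(True, "benign")]
    c, d = table[(False, "malicious")], table[(False, "benign")]
    denom = (a + b) * (c + d) * (a + c) * (b + d)
    return 0.0 if denom == 0 else len(docs) * (a * d - b * c) ** 2 / denom

def train(samples, threshold=2.0):  # threshold suits the toy corpus, not the paper's value
    """Keep features whose chi^2 clears the threshold, then fit Laplace-smoothed P(Fk|Li)."""
    docs = [(hierarchical_features(js), label) for js, label in samples]
    every = set().union(*(f for f, _ in docs))
    selected = {f for f in every if chi_square(docs, f) >= threshold}
    n = Counter(l for _, l in docs)
    p = {(f, l): (sum(1 for fs, ll in docs if ll == l and f in fs) + 1) / (n[l] + 2)
         for f in selected for l in LABELS}
    prior = {l: n[l] / len(docs) for l in LABELS}
    return selected, p, prior

def classify(js, model):
    """Naive Bayes: log prior plus log-likelihood of each selected feature's presence/absence."""
    selected, p, prior = model
    feats = hierarchical_features(js)
    score = {l: math.log(prior[l]) + sum(math.log(p[(f, l)] if f in feats else 1 - p[(f, l)])
                                         for f in selected) for l in LABELS}
    return max(score, key=score.get)
```

On this corpus only the two pairs that appear inside a `for` in every malicious sample and in no benign sample, `("for", "shellcode")` and `("for", "nop")`, survive selection; the same identifier under a `function` context scores lower, which is the point of hierarchical features.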

Page 10: Feature & Throughput (chart)

Page 11: Feature Extraction (charts)

Accuracy & Feature
False Positive & False Negative

Page 12: Compare With Others

Charts comparing Zozzle with AV1 to AV5:
False Positive (axis 0 to 6)
False Negative (axis 0% to 80%)

Page 13: Questions
