Jssandbox: A framework for analyzing the behavior of malicious JavaScript code using internal function hooking

Hyoung Chun Kim, Young Han Choi, Dong Hoon Lee

Research output: Contribution to journalArticle

6 Citations (Scopus)

Abstract

Recently, many malicious users have attacked web browsers using JavaScript code that can execute dynamic actions within the browsers. By forcing the browser to execute malicious JavaScript code, the attackers can steal personal information stored in the system, allow malware program downloads in the client's system, and so on. In order to reduce damage, malicious web pages must be located prior to general users accessing the infected pages. In this paper, a novel framework (JsSandbox) that can monitor and analyze the behavior of malicious JavaScript code using internal function hooking (IFH) is proposed. IFH is defined as the hooking of all functions in the modules using the debug information and extracting the parameter values. The use of IFH enables the monitoring of functions that API hooking cannot. JsSandbox was implemented based on a debugger engine, and some features were applied to detect and analyze malicious JavaScript code: detection of obfuscation, deobfuscation of the obfuscated string, detection of URLs related to redirection, and detection of exploit codes. Then, the proposed framework was analyzed for specific features, and the results demonstrate that JsSandbox can be applied to the analysis of the behavior of malicious web pages.

Original languageEnglish
Pages (from-to)766-783
Number of pages18
JournalKSII Transactions on Internet and Information Systems
Volume6
Issue number2
DOIs
Publication statusPublished - 2012 Feb 28

Keywords

  • Malicious JavaScript code
  • Sandboxing

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Information Systems

Fingerprint Dive into the research topics of 'Jssandbox: A framework for analyzing the behavior of malicious JavaScript code using internal function hooking'. Together they form a unique fingerprint.

  • Cite this