Jssandbox

A framework for analyzing the behavior of malicious JavaScript code using internal function hooking

Hyoung Chun Kim, Young Han Choi, Dong Hoon Lee

Research output: Contribution to journal, Article

5 Citations (Scopus)

Abstract

Recently, many malicious users have attacked web browsers using JavaScript code that can execute dynamic actions within the browsers. By forcing the browser to execute malicious JavaScript code, the attackers can steal personal information stored in the system, allow malware program downloads in the client's system, and so on. In order to reduce damage, malicious web pages must be located prior to general users accessing the infected pages. In this paper, a novel framework (JsSandbox) that can monitor and analyze the behavior of malicious JavaScript code using internal function hooking (IFH) is proposed. IFH is defined as the hooking of all functions in the modules using the debug information and extracting the parameter values. The use of IFH enables the monitoring of functions that API hooking cannot. JsSandbox was implemented based on a debugger engine, and some features were applied to detect and analyze malicious JavaScript code: detection of obfuscation, deobfuscation of the obfuscated string, detection of URLs related to redirection, and detection of exploit codes. Then, the proposed framework was analyzed for specific features, and the results demonstrate that JsSandbox can be applied to the analysis of the behavior of malicious web pages.

Original language: English
Pages (from-to): 766-783
Number of pages: 18
Journal: KSII Transactions on Internet and Information Systems
Volume: 6
Issue number: 2
DOI: 10.3837/tiis.2012.02.019
Publication status: Published - 2012 Feb 28

Fingerprint

Websites
Computer systems
Web browsers
Application programming interfaces (API)
Engines
Monitoring
Malware

Keywords

  • Malicious JavaScript code
  • Sandboxing

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Information Systems

Cite this

Jssandbox: A framework for analyzing the behavior of malicious JavaScript code using internal function hooking. / Kim, Hyoung Chun; Choi, Young Han; Lee, Dong Hoon.

In: KSII Transactions on Internet and Information Systems, Vol. 6, No. 2, 28.02.2012, p. 766-783.

@article{deb8c2ac2998480993756bf1c34843cb,
title = "Jssandbox: A framework for analyzing the behavior of malicious JavaScript code using internal function hooking",
keywords = "Malicious JavaScript code, Sandboxing",
author = "Kim, {Hyoung Chun} and Choi, {Young Han} and Lee, {Dong Hoon}",
year = "2012",
month = "2",
day = "28",
doi = "10.3837/tiis.2012.02.019",
language = "English",
volume = "6",
pages = "766--783",
journal = "KSII Transactions on Internet and Information Systems",
issn = "1976-7277",
publisher = "Korea Society of Internet Information",
number = "2",

}

TY - JOUR

T1 - Jssandbox

T2 - A framework for analyzing the behavior of malicious JavaScript code using internal function hooking

AU - Kim, Hyoung Chun

AU - Choi, Young Han

AU - Lee, Dong Hoon

PY - 2012/2/28

Y1 - 2012/2/28

KW - Malicious JavaScript code

KW - Sandboxing

UR - http://www.scopus.com/inward/record.url?scp=84862183486&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84862183486&partnerID=8YFLogxK

U2 - 10.3837/tiis.2012.02.019

DO - 10.3837/tiis.2012.02.019

M3 - Article

VL - 6

SP - 766

EP - 783

JO - KSII Transactions on Internet and Information Systems

JF - KSII Transactions on Internet and Information Systems

SN - 1976-7277

IS - 2

ER -