TY - JOUR
T1 - JsSandbox
T2 - A framework for analyzing the behavior of malicious JavaScript code using internal function hooking
AU - Kim, Hyoung Chun
AU - Choi, Young Han
AU - Lee, Dong Hoon
N1 - Copyright:
Copyright 2012 Elsevier B.V., All rights reserved.
PY - 2012/2/28
Y1 - 2012/2/28
N2 - Recently, many malicious users have attacked web browsers using JavaScript code that can execute dynamic actions within the browsers. By forcing the browser to execute malicious JavaScript code, the attackers can steal personal information stored in the system, allow malware program downloads in the client's system, and so on. In order to reduce damage, malicious web pages must be located prior to general users accessing the infected pages. In this paper, a novel framework (JsSandbox) that can monitor and analyze the behavior of malicious JavaScript code using internal function hooking (IFH) is proposed. IFH is defined as the hooking of all functions in the modules using the debug information and extracting the parameter values. The use of IFH enables the monitoring of functions that API hooking cannot. JsSandbox was implemented based on a debugger engine, and some features were applied to detect and analyze malicious JavaScript code: detection of obfuscation, deobfuscation of the obfuscated string, detection of URLs related to redirection, and detection of exploit codes. Then, the proposed framework was analyzed for specific features, and the results demonstrate that JsSandbox can be applied to the analysis of the behavior of malicious web pages.
KW - Malicious JavaScript code
KW - Sandboxing
UR - http://www.scopus.com/inward/record.url?scp=84862183486&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84862183486&partnerID=8YFLogxK
U2 - 10.3837/tiis.2012.02.019
DO - 10.3837/tiis.2012.02.019
M3 - Article
AN - SCOPUS:84862183486
SN - 1976-7277
VL - 6
SP - 766
EP - 783
JO - KSII Transactions on Internet and Information Systems
JF - KSII Transactions on Internet and Information Systems
IS - 2
ER -