Wednesday, December 29, 2010

Zozzle: The Microsoft Answer to Javascript Malware.

Hi Folks,
Today I came across an interesting paper entitled Zozzle: Low-overhead Mostly Static JavaScript Malware Detection. Developed at Microsoft Research, it looks like a very promising, mostly static JavaScript malware detector: it is meant to run in the background while you browse, checking whether the page you are visiting carries traces of JavaScript malware.

Abstract:
JavaScript malware-based attacks account for a large fraction of successful mass-scale exploitation happening today. From the standpoint of the attacker, the attraction is that these drive-by attacks can be mounted against an unsuspecting user visiting a seemingly innocent webpage. While several techniques for addressing these types of exploits have been proposed, in-browser adoption has been slow, in part because of the performance overhead these methods tend to incur.

In this paper, we propose ZOZZLE, a low-overhead solution for detecting and preventing JavaScript malware that can be deployed in the browser. Our approach uses Bayesian classification of hierarchical features of the JavaScript abstract syntax tree to identify syntax elements that are highly predictive of malware. Our extensive experimental evaluation shows that ZOZZLE is able to effectively detect JavaScript malware through mostly static code analysis with very low false positive rates (fractions of 1%), and with a typical overhead of only 2-5 milliseconds per JavaScript file. Our experience also suggests that ZOZZLE may be used as a lightweight filter for a more costly detection technique or for standalone offline malware detection.
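To make the approach described in the abstract concrete, here is an added toy example in Python (not Zozzle's code and not from the paper): it approximates the hierarchical AST features with (enclosing construct, identifier) pairs produced by a brace-tracking tokenizer instead of a real parser, trains a naive Bayes classifier on a small constructed corpus, and scores new snippets by log-odds. All snippets, labels and names below are constructed for illustration.

```python
import math
import re
from collections import Counter

TRAIN = [  # constructed toy corpus, not the paper's dataset: 1 = malicious-looking, 0 = benign
    ("var spray = unescape('%u9090'); while (spray.length < 0x100000) spray += spray;", 1),
    ("function heap() { var shellcode = unescape('%u4141'); for (var i = 0; i < 500; i++) mem[i] = shellcode; }", 1),
    ("try { obj.setAttribute('x', payload); } catch (e) { document.write(unescape(s)); }", 1),
    ("function init() { var el = document.getElementById('menu'); el.addEventListener('click', toggle); }", 0),
    ("for (var i = 0; i < items.length; i++) { total += items[i].price; }", 0),
    ("try { JSON.parse(text); } catch (e) { console.log('bad json'); }", 0),
]
CONTEXT_KEYWORDS = {"function", "for", "while", "try", "catch", "if"}

def features(js):
    """(context, identifier) pairs: a crude stand-in for Zozzle's AST features (brace stack, no parser)."""
    js = re.sub(r"'[^']*'|\"[^\"]*\"", " ", js)  # blank string literals; numbers are skipped below
    stack, pending, feats = ["global"], None, set()
    for tok in re.findall(r"\d\w*|[A-Za-z_$][\w$]*|[{}]", js):
        if tok == "{":
            stack.append(pending or "block")  # enter the construct the last keyword announced
            pending = None
        elif tok == "}" and len(stack) > 1:
            stack.pop()
        elif tok in CONTEXT_KEYWORDS:
            pending = tok
        elif not tok[0].isdigit():
            feats.add((stack[-1], tok))
    return feats

class FeatureNaiveBayes:
    """Multinomial naive Bayes with Laplace smoothing over the feature pairs."""
    def __init__(self, samples):
        self.counts = {0: Counter(), 1: Counter()}
        for js, label in samples:
            self.counts[label].update(features(js))
        self.vocab = set(self.counts[0]) | set(self.counts[1])
        self.total = {c: sum(self.counts[c].values()) for c in (0, 1)}
    def log_odds(self, js):
        """Positive means evidence for malware; features unseen in training carry none."""
        score = 0.0
        for feat in features(js) & self.vocab:
            p = {c: (self.counts[c][feat] + 1) / (self.total[c] + len(self.vocab)) for c in (0, 1)}
            score += math.log(p[1]) - math.log(p[0])
        return score

    def classify(self, js):
        return "malicious" if self.log_odds(js) > 0 else "benign"

MODEL = FeatureNaiveBayes(TRAIN)
```

With such a tiny corpus the verdict rests on a handful of features such as (global, unescape), which is exactly why the paper selects predictive features from a large sample set rather than trusting any single one.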

Some interesting results (two figures from the paper; captions only):

[Figure] Discovering more exploit samples over time. The x axis shows the number of examined malware samples, the y axis shows the number of unique ones.

[Figure] Transience of detected malicious URLs after several days. The number of days is shown on the x axis, the percentage of remaining malware is shown on the y axis.



Even though this study is based on preliminary results, and even though in real life analyzing JavaScript dynamically can be time and resource consuming, I think the results they obtained are very interesting and worth following up on. To learn more about Zozzle, please read the full paper.
