Detection and Analysis of Drive-by-Download Attacks and Malicious JavaScript Code

JavaScript is a browser scripting language that allows developers to create sophisticated client-side interfaces for web applications. However, JavaScript code is also used to carry out attacks against the user’s browser and its extensions. These attacks usually result in the download of additional malware that takes complete con- trol of the victim’s platform, and are, therefore, called “drive-by downloads.” Unfortunately, the dynamic nature of the JavaScript language and its tight integration with the browser make it difficult to detect and block malicious JavaScript code. This paper presents a novel approach to the detection and analy- sis of malicious JavaScript code. Our approach combines anomaly detection with emulation to automatically identify malicious Java- Script code and to support its analysis. We developed a system that uses a number of features and machine-learning techniques to es- tablish the characteristics of normal JavaScript code. Then, during detection, the system is able to identify anomalous JavaScript code by emulating its behavior and comparing it to the established pro- files. In addition to identifying malicious code, the system is able to support the analysis of obfuscated code and to generate detection signatures for signature-based systems. The system has been made publicly available and has been used by thousands of analysts.