Zozzle: Low-overhead Mostly Static JavaScript Malware Detection

Road Map
 Background
 Architecture
 Evaluation
Heap Spraying

 Create the NOP sled/shellcode:
◦ Create the shellcode and precede it with a
block of NOPs (the NOP sled).

 Spray the NOP sled/shellcode:
◦ Allocate many copies of the NOP sled/shellcode
on the heap, so that a hijacked control transfer
is likely to land inside one of them.

 Trigger the vulnerability:
◦ Redirect control flow into the heap, where it
will probably hit a NOP sled and slide into the
shellcode.
Malware Cloaking

 Generally, there are two ways to check
JavaScript for malware:
◦ Signatures
◦ Machine Learning
 Both need the real (de-obfuscated) source
code, which cloaked malware hides.
Architecture of Zozzle

[Figure: architecture of Zozzle. Detection path: unknown JavaScript samples → Deobfuscate → Feature Extraction → Bayesian Classifier → Malicious / Benign. Training path: de-obfuscated samples → Feature Selection → Classifier Training → Bayesian Classifier.]

 An exploit must unpack itself to run.
◦ That is, before an exploit is executed, it
must reveal its real source code.

 Zozzle intercepts calls to the Compile
function in the JavaScript engine, so it sees
that real source code whenever:
◦ eval() is called
◦ new code is included in an <iframe> tag
◦ new code is included in a <script> tag
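The interception this slide describes, as an added example in JavaScript (Node.js); it is not part of the original deck and not Zozzle's code. Zozzle hooks Compile inside the JavaScript engine, which page script cannot reach, so this approximation wraps the two compile entry points a script can call directly, the global eval and the Function constructor, and records every source string handed to them. The packed two-stage sample is constructed for the example and is inert; installCompileHook, unpackAll, STAGE2 and PACKED are this example's own names.

```javascript
// Added example, not Zozzle's own code. Zozzle hooks the JavaScript engine's Compile function and
// so sees every unpacking stage. This in-page approximation wraps the two compile entry points a
// script can call directly, eval() and the Function constructor; the other two paths on the slide
// (new <script> and <iframe> content) are DOM events and are not covered here.

// Installs the hook; onCompile(via, src) is called with every source string about to be compiled.
function installCompileHook(onCompile) {
  const origEval = globalThis.eval;
  const OrigFunction = globalThis.Function;
  globalThis.eval = function (src) {
    if (typeof src === "string") onCompile("eval", src);
    return origEval(src); // indirect eval: the code runs in global scope
  };
  globalThis.Function = function (...args) {
    onCompile("Function", args.length ? String(args[args.length - 1]) : "");
    return new OrigFunction(...args);
  };
  globalThis.Function.prototype = OrigFunction.prototype; // keep `f instanceof Function` working
  return function uninstall() {
    globalThis.eval = origEval;
    globalThis.Function = OrigFunction;
  };
}

// Runs a (possibly packed) script under the hook and returns every source the engine was asked to
// compile, outermost first. stages[0] is the script itself; later entries are its unpacked layers,
// which is what Zozzle feeds to feature extraction.
function unpackAll(src) {
  const stages = [];
  const uninstall = installCompileHook((via, s) => stages.push({ via, src: s }));
  try {
    globalThis.eval(src);
  } finally {
    uninstall();
  }
  return stages;
}

// Constructed two-stage packer (inert, not real malware): stage 1 hex-decodes and eval()s stage 2,
// and stage 2 compiles its payload through the Function constructor.
const toHex = s => [...s].map(ch => ch.charCodeAt(0).toString(16).padStart(2, "0")).join("");
const STAGE2 = "var marker = new Function(\"return 'decoded'\")();";
const PACKED = 'var h = "' + toHex(STAGE2) + '"; var s = ""; ' +
  "for (var i = 0; i < h.length; i += 2) { s += String.fromCharCode(parseInt(h.slice(i, i + 2), 16)); } " +
  "eval(s);";

console.log(unpackAll(PACKED).map(st => st.via + ": " + st.src).join("\n"));
```

Running it prints three compile events: the packed script, the decoded stage 2, and the body passed to Function. The wrapper observes rather than blocks, and a script that caches a reference to eval before the hook is installed, passes a string to setTimeout, or injects a script element bypasses it entirely; that is why Zozzle hooks inside the engine, below all of these paths, instead of in the page.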
Feature Extraction

 Flat features vs. hierarchical features
◦ Flat feature: text taken from the source code only
◦ 1-level hierarchical feature: <context info, text>
◦ n-level hierarchical feature: <context info…, text>

 Abstract Syntax Tree
◦ Features are read off the AST, so the same text
becomes a different feature in each context, e.g.
shellcode inside a function body vs. inside a loop:
function f(){
  shellcode…
  …
}
for(i=0; i<5000;i++){
  …
  …Shellcode…
}
Feature Selection
 Zozzle only keeps the features that are
most likely to be predictive.
 Use the χ² test to measure how strongly each
feature is correlated with the label (malicious or
benign); with A/B the malicious/benign samples
containing the feature, C/D those without it and
N = A+B+C+D:
χ² = N(AD − BC)² / ((A+B)(C+D)(A+C)(B+D))
 Only features whose χ² score is high enough
are passed on to the classifier.

Classifier Training

 ZOZZLE uses a naïve Bayesian classifier,
chosen for its simplicity and efficiency.
 P(Li | F1, …, Fn) ∝ P(Li) · ∏k P(Fk | Li),
where Li is Benign or Malicious and Fk is the
k-th selected feature.
 Open question: how to calculate P(Fk|Li)?
The standard naïve Bayes estimate is the fraction
of training samples labelled Li that contain
feature Fk, smoothed so that a feature never seen
with Li does not give a probability of zero.
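The three steps above (feature extraction, χ² feature selection, naïve Bayes training and classification) as one added example in JavaScript; it is not part of the original deck and not Zozzle's code. A small token scanner with a context stack stands in for Zozzle's AST walk, so it only approximates Zozzle's hierarchical features and assumes braced loop and branch bodies. The training scripts are constructed placeholders shaped like the heap-spray pattern from the Background and Feature Extraction slides (shellcode built in a function, copied in a loop), not real exploits; the 3.84 threshold, the present/absent (Bernoulli) treatment of features, the add-one smoothing and all function names are this example's own choices.

```javascript
// Added example, not Zozzle's own code: a miniature Zozzle-style pipeline in JavaScript.
// A crude token scanner stands in for Zozzle's AST walk (it assumes braced loop/branch bodies),
// followed by chi-squared feature selection and a Bernoulli naive Bayes classifier.
// Every training and test script below is a constructed, inert placeholder, not a real exploit.

const TOKEN = /"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'|[A-Za-z_$][\w$]*|\d[\w.]*|[{}]/g;
// keywords whose following { ... } block opens a new feature context (Zozzle uses AST node types)
const CONTEXTS = new Set(["function", "for", "while", "do", "if", "else", "try", "catch"]);
// tokens that carry no useful text
const SKIP = new Set(["var", "let", "const", "new", "return", "true", "false", "null", "typeof"]);

// Feature set of one script. hierarchical=false gives flat features (text only);
// hierarchical=true gives 1-level hierarchical features "<context>:<text>".
function extractFeatures(src, hierarchical = true) {
  const feats = new Set();
  const stack = ["top"];
  let pending = null;
  for (const tok of src.match(TOKEN) || []) {
    if (tok === "{") { stack.push(pending || stack[stack.length - 1]); pending = null; continue; }
    if (tok === "}") { if (stack.length > 1) stack.pop(); continue; }
    if (/^\d/.test(tok) || SKIP.has(tok)) continue;
    if (CONTEXTS.has(tok)) { pending = tok; continue; }
    feats.add(hierarchical ? `${stack[stack.length - 1]}:${tok}` : tok);
  }
  return feats;
}

// chi-squared statistic of a feature against the label from its 2x2 contingency table:
// a = malicious scripts with the feature, b = benign with it, c/d = malicious/benign without it
function chiSquared(a, b, c, d) {
  const n = a + b + c + d;
  const denom = (a + b) * (c + d) * (a + c) * (b + d);
  return denom === 0 ? 0 : (n * (a * d - b * c) ** 2) / denom;
}

// Feature selection: keep features whose chi-squared score reaches the threshold. A real training
// set would use a stricter cut such as 10.83 (p < 0.001); the toy set below needs 3.84 (p < 0.05).
function selectFeatures(samples, threshold) {
  const counts = new Map();
  let nMal = 0, nBen = 0;
  for (const s of samples) {
    s.label === "malicious" ? nMal++ : nBen++;
    for (const f of s.features) {
      const c = counts.get(f) || { mal: 0, ben: 0 };
      s.label === "malicious" ? c.mal++ : c.ben++;
      counts.set(f, c);
    }
  }
  const selected = new Map();
  for (const [f, c] of counts) {
    const x2 = chiSquared(c.mal, c.ben, nMal - c.mal, nBen - c.ben);
    if (x2 >= threshold) selected.set(f, { ...c, x2 });
  }
  return { selected, nMal, nBen };
}

// Classifier training: P(F_k | L_i) is the fraction of L_i-labelled scripts containing F_k,
// with add-one (Laplace) smoothing so a feature unseen in one class cannot zero the product.
function train(scripts, { hierarchical = true, threshold = 3.84 } = {}) {
  const samples = scripts.map(s => ({ label: s.label, features: extractFeatures(s.src, hierarchical) }));
  const { selected, nMal, nBen } = selectFeatures(samples, threshold);
  const prior = { malicious: nMal / scripts.length, benign: nBen / scripts.length };
  const model = { hierarchical, prior, features: new Map() };
  for (const [f, c] of selected) {
    model.features.set(f, { malicious: (c.mal + 1) / (nMal + 2), benign: (c.ben + 1) / (nBen + 2) });
  }
  return model;
}

// Naive Bayes decision: P(L_i | F) is proportional to P(L_i) * prod_k P(F_k | L_i), computed in
// log space; a selected feature that is absent contributes 1 - P(F_k | L_i).
function classify(model, src) {
  const present = extractFeatures(src, model.hierarchical);
  const logp = { malicious: Math.log(model.prior.malicious), benign: Math.log(model.prior.benign) };
  for (const [f, p] of model.features) {
    for (const label of ["malicious", "benign"]) {
      logp[label] += Math.log(present.has(f) ? p[label] : 1 - p[label]);
    }
  }
  const pMal = 1 / (1 + Math.exp(logp.benign - logp.malicious));
  return { label: pMal >= 0.5 ? "malicious" : "benign", pMal };
}

// Constructed training set: heap-spray-shaped placeholders (shellcode built in a function, copied
// in a loop, as on the AST slide) versus ordinary page scripts.
const TRAINING = [
  { label: "malicious", src: 'function exploit(){ var shellcode = unescape("%u9090%u9090"); var nopsled = unescape("%u9090"); while (nopsled.length < 0x100000) { nopsled += nopsled; } var spray = new Array(); for (var i = 0; i < 5000; i++) { spray[i] = nopsled + shellcode; } }' },
  { label: "malicious", src: 'var scode = unescape("%u4343%u4343"); var sled = unescape("%u0c0c%u0c0c"); while (sled.length < 0x40000) { sled += sled; } var mem = []; for (i = 0; i < 2000; i++) { mem[i] = sled + scode; }' },
  { label: "malicious", src: 'try { document.body.appendChild(evil); } catch (e) { } function spray(){ var shellcode = unescape("%u9090%ucccc"); var block = unescape("%u9090"); while (block.length < 0x80000) { block += block; } for (var j = 0; j < 3000; j++) { heap[j] = block + shellcode; } }' },
  { label: "malicious", src: 'function go(){ var shellcode = unescape("%u9090%u9090%u9090"); var nops = unescape("%u9090"); while (nops.length < 0x100000) { nops += nops; } var arr = new Array(); for (var i = 0; i < 500; i++) { arr[i] = nops + shellcode; } }' },
  { label: "benign", src: 'function init(){ var items = document.getElementsByTagName("li"); for (var i = 0; i < items.length; i++) { items[i].onclick = select; } }' },
  { label: "benign", src: 'var total = 0; for (var k = 0; k < cart.length; k++) { total += cart[k].price; } document.getElementById("total").innerHTML = total;' },
  { label: "benign", src: 'function validate(form){ if (form.email.value == "") { alert("Email required"); return false; } return true; }' },
  { label: "benign", src: 'var xhr = new XMLHttpRequest(); xhr.open("GET", "/api/items"); xhr.onload = function(){ var data = JSON.parse(xhr.responseText); render(data); }; xhr.send();' },
];

const MODEL = train(TRAINING);
console.log("selected features:", [...MODEL.features.keys()]);
```

On this training set the χ² cut keeps four hierarchical features (function:shellcode, function:unescape, function:"%u9090" and for:shellcode), while for:i is rejected because a benign loop uses i as well; the flat model keeps unescape alone, which is the loss of context the slide's flat-versus-hierarchical comparison is about. A spray-shaped script then classifies as malicious with probability above 0.9 and a DOM-manipulating script as benign.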
Evaluation

[Figures: number of features vs. feature-extraction throughput; accuracy vs. number of features; false positive and false negative rates; comparison with other detectors as bar charts of false positive rate (y-axis 0–6) and false negative rate (y-axis 0–100%).]
Questions