High speed JavaScript malware sandbox presented at Virus Bulletin 2010

by Rajesh Mony (Webroot)

Tags: Security

URL : http://www.virusbtn.com/conference/vb2010/abstracts/Mony.xml

Summary : Malware delivery through malicious JavaScript continues to be highly evasive, and detection rates for
signature-based systems remain low. This paper describes some of the challenges and techniques involved in building such a
sandbox, based on our experience building out a production-quality gateway sandbox for JavaScript.
The topics covered are:
Parser-level heuristics and transformed parse signatures.
Document fingerprinting and matching for detecting variants.
Methods of reducing parse trees and seeding to defeat anti-debugging tricks and handle incomplete scripts.
Effective DOM emulation and JS engine runtime issues encountered when decoding scripts.
Techniques for late inspection of variables, including inspection at the point of scope exit.
Shellcode analysis tuned to shellcode embedded in JavaScript.