Welcome to Scribd, the world's digital library. Read, publish, and share books and documents. See more
Standard view
Full view
of .
Save to My Library
Look up keyword
Like this
0 of .
Results for:
No results containing your search query
P. 1
Microsoft Research Develops Zozzle Javascript Malware Detection Tool

Microsoft Research Develops Zozzle Javascript Malware Detection Tool

Ratings: (0)|Views: 23 |Likes:
Published by Yasir Ahmed

More info:

Published by: Yasir Ahmed on Dec 08, 2010
Copyright:Attribution Non-commercial


Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less





As browser-based exploits and specifically JavaScript malware have shouldered theirway to the top of the list of threats, browser vendors have been scrambling to find effective defensesto protect users. Few have been forthcoming, but Microsoft Research has developed a new toolcalled Zozzle that can be deployed in the browser and can detect JavaScript-based malware at avery high effectiveness rate.Zozzle is designed to perform static analysis of JavaScript code on a given site and quicklydetermine whether the code is malicious and includes an exploit. In order to be effective, the toolmust be trained to recognize the elements that are common to malicious JavaScript, and theresearchers behind it stress that it works best on de-obfuscated code. In the paper, the researcherssay that they trained Zozzle by crawling millions of Web sites and using a similar tool, called Nozzle,to process the URLs and see whether malware was present."ZOZZLE makes use of a statistical classifier to efficiently identify malicious JavaScript. Theclassifier needs training data to accurately classify JavaScript source, and we describethe process we use to get that training data here. We start by augmenting the JavaScript engine in a
browser with a “deobfuscator” that extracts and collects individual fragments
 of JavaScript. As discussed above, exploits are frequently buried under multiple levels of JavaScripteval. Unlike Nozzle, which observes the behavior of running JavaScript code,ZOZZLE must be run on an unobfuscated exploit to reliably detect malicious code," the researcherswrote in a paper written on Zozzle by Benjamin Livshits and Benjamin Zorn of Microsoft Research, Christian Seifert of Microsoft and Charles Curtsinger of the University of Massachusetts at Amherst.The researchers say that Zozzle is specifically designed to detect and defend against heap-sprayingexploits launched by malicious JavaScript found on Web sites. In many cases these days, that kindof exploit is hosted on a legitimate site that's been compromised and is being used as part of a drive-by download attack. Often, the code is hosted on a specific page for a day or even a few hours andthen is taken down, either by the attacker or the site owner. The Microsoft researchers say that this,along with the multiple layers of obfuscation that attackers use to cloak JavaScript exploits, canmake it difficult for automated tools to identify such malware with a high degree of accuracy.The approach that they take with Zozzle is a multi-stage one.

You're Reading a Free Preview

/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->