Malicious Script Blocking Detection Technology Using a Local Proxy

Oh, Sang‐Hwan; Bae, HanChul; Yoon, Soojin; Kim, Hwankuk; Cha, YoungTae

doi:10.1109/imis.2016.125

Cited by 1 publication

(1 citation statement)

References 0 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…One controversial issue in this area of research is the physical location where the detection mechanism takes place. One approach is to collect and analyze HTTP traffic via local proxy and implement the detection algorithm on the proxy side [18]. Another approach is to implement the detection mechanism on the client side, such as the work done by V. Sachin et al, who used lightweight JavaScript instrumentation that enables static and dynamic analysis of the visited webpage to detect malicious behavior [21].…”

Section: Related Workmentioning

confidence: 99%

JSLess: A Tale of a Fileless Javascript Memory-Resident Malware

Saad

Mahmood

Briguglio

et al. 2019

Lecture Notes in Computer Science

View full text Add to dashboard Cite

New computing paradigms, modern feature-rich programming languages and off-the-shelf software libraries enabled the development of new sophisticated malware families. Evidence of this phenomena is the recent growth of fileless malware attacks. Fileless malware or memory resident malware is an example of an Advanced Volatile Threat (AVT). In a fileless malware attack, the malware writes itself directly onto the main memory (RAM) of the compromised device without leaving any trace on the compromised device's file system. For this reason, fileless malware presents a difficult challenge for traditional malware detection tools and in particular signature-based detection. Moreover, fileless malware forensics and reverse engineering are nearly impossible using traditional methods. The majority of fileless malware attacks in the wild take advantage of MS PowerShell, however, fileless malware are not limited to MS PowerShell. In this paper, we designed and implemented a fileless malware by taking advantage of new features in Javascript and HTML5. The proposed fileless malware could infect any device that supports Javascript and HTML5. It serves as a proof-of-concept (PoC) to demonstrate the threats of fileless malware in web applications. We used the proposed fileless malware to evaluate existing methods and techniques for malware detection in web applications. We tested the proposed fileless malware with several free and commercial malware detection tools that apply both static and dynamic analysis. The proposed fileless malware bypassed all the anti-malware detection tools included in our study. In our analysis, we discussed the limitations of existing approaches/tools and suggested possible detection and mitigation techniques.

show abstract

Section: Related Workmentioning

confidence: 99%