[Back]

P. Wurzinger, M. Egele, E. Kirda, C. Krügel:
"Defending Browsers against Drive-by Downloads: Mitigating Heap-spraying Code Injection Attacks";
Talk: Conference on Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA), Milan, Italy; 2009-07-09 - 2009-07-10; in: "Sixth Conference on Detection of Intrusions and Malware & Vulnerability Assessment", (2009).

Drive-by download attacks are among the most common methods for spreading malware today. These attacks typically exploit memory corruption vulnerabilities in web browsers and browser plug-ins to execute shellcode, and in consequence, gain control of a victim's computer. Compromised machines are then used to carry out various malicious activities, such as joining botnets, sending spam emails, or participating in distributed denial of service attacks. To counter drive-by downloads, we propose a technique that relies on x86 instruction emulation to identify JavaScript string buffers that contain shellcode. Our detection is integrated into the browser, and performed before control is transfered to the shellcode, thus, effectively thwarting the attack. The solution maintains fair performance by avoiding unnecessary invocations of the emulator, while ensuring that every buffer with potential shellcode is checked. We have implemented a prototype of our system, and evaluated it over thousands of malicious and legitimate web sites. Our results demonstrate that the system performs accurate detection with no false positives.

http://publik.tuwien.ac.at/files/PubDat_180223.pdf

Project Head Paolo Milani Comparetti:
Worldwide Observatory of Malicious Behaviors and Attack Threats

Project Head Christian Platzer:
SECoverer - Finding Security Vulnerabilities in Web Applications