Zozzle and Blade Defender: two malware detection tools
Date: February 02, 2011
Nowadays, more and more attacks use JavaScript malware. These attacks rely on the insertion of malware in legitimate web sites, in order to exploit web browser weaknesses.
To counter these attacks, several approaches are already in use, for instance:
- filters (whitelists or blacklists, such as Google Safe Browsing) that keep Internet users away from known malicious web sites,
- or sandboxes embedded into the browser to separate the application from the operating system (or even to isolate each web page from the other pages that may be loaded).
In this article, we present two new projects:
- Zozzle from Microsoft,
- The Blade Defender university project.
Zozzle: the new Microsoft tool for malicious JavaScript detection
Context
Microsoft has developed a new tool named Zozzle. It is a JavaScript malware detection tool that is designed to be deployed in the browser. It is an experimental tool, not yet distributed by Microsoft. The present article describes the main characteristics of this tool.
Zozzle principle
Zozzle is a "mostly static" detector, able to determine whether a web page contains a heap-spraying attack:
- It first uses the browser's JavaScript engine to get past obfuscation and collect the JavaScript code that is generated dynamically.
- It then performs a fully static analysis of this JavaScript code.
The static analysis represents the JavaScript as an AST (Abstract Syntax Tree) and then runs a Bayesian classifier over these trees, in order to identify the elements that are statistically associated with malicious code.
For the Bayesian analysis, a learning phase was performed using the malicious page examples identified by the Microsoft Nozzle tool.
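To make the classification step concrete, here is an added illustration (not Zozzle's code) of a naive Bayes classifier over context-qualified AST features; the feature strings, the training samples and the class names are constructed for the example, and feature extraction from a real AST is assumed to have happened beforehand.

```python
import math
from collections import defaultdict

# Constructed labelled samples (not Zozzle's corpus). Each sample is the set of
# "context:text" features that a Zozzle-style walk of the JavaScript AST yields,
# where context is the nearest enclosing loop / function / string node.
TRAINING = [
    ({"loop:unescape", "loop:new Array", "function:CollectGarbage", "string:concat"}, "malicious"),
    ({"loop:unescape", "function:substring", "loop:new Array"}, "malicious"),
    ({"function:getElementById", "function:addEventListener", "string:innerHTML"}, "benign"),
    ({"loop:i++", "function:getElementById", "string:concat"}, "benign"),
    ({"function:setTimeout", "string:innerHTML", "loop:i++"}, "benign"),
]

class AstNaiveBayes:
    """Bernoulli naive Bayes over AST features, with add-one smoothing."""

    def __init__(self, samples):
        self.labels = sorted({label for _, label in samples})
        self.vocab = set().union(*(feats for feats, _ in samples))
        self.count = {l: sum(1 for _, lab in samples if lab == l) for l in self.labels}
        self.present = {l: defaultdict(int) for l in self.labels}
        for feats, label in samples:
            for f in feats:
                self.present[label][f] += 1

    def _p(self, feature, label):
        # P(feature present | label), smoothed so an unseen feature never gives 0
        return (self.present[label][feature] + 1) / (self.count[label] + 2)

    def log_scores(self, feats):
        """Log-posterior (up to a constant) of each label for one feature set."""
        total = sum(self.count.values())
        scores = {}
        for label in self.labels:
            logp = math.log(self.count[label] / total)   # class prior
            for f in self.vocab:                          # features outside the vocabulary are ignored
                p = self._p(f, label)
                logp += math.log(p if f in feats else 1.0 - p)
            scores[label] = logp
        return scores

    def classify(self, feats):
        scores = self.log_scores(set(feats))
        return max(scores, key=scores.get)

MODEL = AstNaiveBayes(TRAINING)

def classify_script_features(feats):
    """Label the feature set extracted from one (deobfuscated) script."""
    return MODEL.classify(feats)
```

Zozzle additionally selects features by a chi-squared test before training; this toy keeps every feature, which is why the training sets above are tiny.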
Evaluation
Microsoft's developers evaluated the tool's effectiveness by answering the following questions:
- How effective is Zozzle for classifying malware and benign JavaScript?
- What is the benefit of including the abstract syntax tree during classification?
- How does Zozzle compare with other approaches for malware detection?
- What is the performance overhead of including Zozzle in a browser?
The conclusions of this evaluation are that Zozzle yields a very low false positive rate (less than 1%), while being able to classify a kilobyte of JavaScript code in 3 ms.
Conclusions
Zozzle's developers suggest using the tool both inside the browser (to detect malicious web pages dynamically) and outside it (to build and maintain blacklists of malicious web pages). Zozzle is still a work in progress, but it represents an interesting approach and could indeed be used as a complement to the other techniques in use today.
For more information:
Zozzle: Low-overhead Mostly Static JavaScript Malware Detection:
http://research.microsoft.com/pubs/141930/tr.pdf
Nozzle: A defence against heap-spraying code injection attacks:
http://research.microsoft.com/pubs/76528/tr-2008-176.pdf
Blade Defender: detection tool for "drive-by download" attacks
Blade principle
Blade is a research project developed by the Georgia Institute of Technology and SRI International. It is slightly older than Zozzle, as its results were released at the beginning of 2010 (see for instance the article published on KrebsOnSecurity.com in February 2010). Blade (Block All Drive-by Download Exploits) takes a completely different approach from Zozzle (it does not look at JavaScript at all), but it is another illustration of the research currently being conducted on countering attacks that target web browsers.
Blade's objective is to prevent "drive-by download" attacks, i.e. attacks in which merely visiting an infected web site causes malware to be downloaded automatically through the victim's browser.
Blade is independent of the web browser and of the particular attack carried out by the attacker: it neither uses a signature base (as an IDS or an antivirus does) nor searches for suspicious patterns (as Zozzle does). Blade is an operating system kernel extension that monitors the activity of the processes that need to be protected (typically the web browser). As soon as Blade identifies that a monitored process is trying to create a file:
- it redirects this I/O operation so that the file is created in a confined area (a specific directory on the disk that is used as a quarantine zone),
- unless Blade has identified that the user explicitly accepted the download of this file (by clicking "yes" in the download popup).
For all the files put in the quarantine zone, Blade then prevents any execution operation.
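As an added illustration (not Blade's kernel code), the following model replays the policy just described over a constructed trace of file-creation, consent and execution events; the quarantine path, the process ids, the filenames and the rule that one consent covers exactly one filename are assumptions of this example.

```python
QUARANTINE = "C:/BladeQuarantine"   # constructed path, not Blade's real location

class BladeMonitor:
    """Toy model of Blade's policy (added illustration, not Blade's kernel code)."""
    def __init__(self, monitored_pids):
        self.monitored = set(monitored_pids)   # e.g. the browser
        self.consented = set()     # filenames accepted via the download dialog
        self.placement = {}        # path the process asked for -> real location

    def user_consent(self, pid, filename):
        # Model assumption: one "yes" click covers exactly one filename, once
        if pid in self.monitored:
            self.consented.add(filename.lower())

    def on_create(self, pid, path):
        """Return where the file is really written; the process still sees 'path'."""
        if pid not in self.monitored:
            return path
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        if name.lower() in self.consented:
            self.consented.discard(name.lower())
            return path
        real = f"{QUARANTINE}/{pid}/{name}"   # silent drive-by: confine it
        self.placement[path] = real
        return real

    def on_execute(self, path):
        """True if execution is allowed, i.e. the file is not in the quarantine."""
        return not self.placement.get(path, path).startswith(QUARANTINE + "/")
def replay(events, monitored_pids):
    """Apply a trace of (kind, pid, arg) events; return one decision per event."""
    blade, decisions = BladeMonitor(monitored_pids), []
    for kind, pid, arg in events:
        if kind == "consent":
            blade.user_consent(pid, arg)
            decisions.append("consent-recorded")
        elif kind == "create":
            decisions.append(blade.on_create(pid, arg))
        else:  # "exec"
            decisions.append("allowed" if blade.on_execute(arg) else "blocked")
    return decisions

TRACE = [  # constructed: the browser is pid 4242, an unmonitored editor is pid 17
    ("create", 4242, "C:/Users/alice/Downloads/update.exe"),  # no click preceded it
    ("exec", 4242, "C:/Users/alice/Downloads/update.exe"),
    ("consent", 4242, "report.pdf"),
    ("create", 4242, "C:/Users/alice/Downloads/report.pdf"),
    ("exec", 4242, "C:/Users/alice/Downloads/report.pdf"),
    ("create", 17, "C:/Users/alice/notes.txt"),
]
```

Replaying the trace shows the two gaps the project itself lists: a payload that never touches the disk produces no create event, and a file the user accepted is written and executed normally.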
Evaluation
Blade has been implemented on Windows, and the published experimental results are extremely positive:
- 100% of the attacks launched by the infected web sites visited during the experiment were detected and stopped. During these test campaigns, Blade automatically visited almost 2000 real infected sites. The results are available on the project's evaluation page.
- None of the exploits released for recent 0-day attacks was able to bypass Blade's protection.
- No false positives occurred.
Conclusions
The Blade project gives extremely promising results. However, since February 2010 (the release date of the first results), the project does not seem to have evolved, and its site displays only a laconic message: "Download BLADE v1.0: Coming Soon".
Blade Defender does not really care about the source of the attack but rather about its most usual consequence: the download of an executable onto the victim's system. Even if the tool is very effective today, it could be less so tomorrow if attackers craft attack code built to bypass Blade. The project itself also identifies attack schemes that Blade does not detect: code execution without an executable being written to disk (execution entirely in memory, or use of a scripting language rather than an executable), or cases where the attacker succeeds in enticing the victim to explicitly accept the download of the malicious executable.
Blade is nonetheless an interesting project, by its inventiveness and its effectiveness against real attacks. We can only hope that this project inspires further work in this area.
For more information on Blade Defender:
Blade official page: http://www.blade-defender.org/