Microsoft Research Develops Zozzle JavaScript Malware Detection Tool

As browser-based exploits and specifically JavaScript malware have shouldered their way to the top of the list of threats, browser vendors have been scrambling to find effective defenses to protect users. Few have been forthcoming, but Microsoft Research has developed a new tool called Zozzle that can be deployed in the browser and can detect JavaScript-based malware at a very high effectiveness rate.


Zozzle is designed to perform static analysis of JavaScript code on a given site and quickly determine whether the code is malicious and includes an exploit. In order to be effective, the tool must be trained to recognize the elements that are common to malicious JavaScript, and the researchers behind it stress that it works best on de-obfuscated code. In the paper, the researchers say that they trained Zozzle by crawling millions of Web sites and using a similar tool, called Nozzle, to process the URLs and see whether malware was present.

“ZOZZLE makes use of a statistical classifier to efficiently identify malicious JavaScript. The classifier needs training data to accurately classify JavaScript source, and we describe the process we use to get that training data here. We start by augmenting the JavaScript engine in a browser with a “deobfuscator” that extracts and collects individual fragments of JavaScript. As discussed above, exploits are frequently buried under multiple levels of JavaScript eval. Unlike Nozzle, which observes the behavior of running JavaScript code, ZOZZLE must be run on an unobfuscated exploit to reliably detect malicious code,” the researchers wrote in a paper written on Zozzle by Benjamin Livshits and Benjamin Zorn of Microsoft Research, Christian Seifert of Microsoft and Charles Curtsinger of the University of Massachusetts at Amherst.

The researchers say that Zozzle is specifically designed to detect and defend against heap-spraying exploits launched by malicious JavaScript found on Web sites. In many cases these days, that kind of exploit is hosted on a legitimate site that’s been compromised and is being used as part of a drive-by download attack. Often, the code is hosted on a specific page for a day or even a few hours and then is taken down, either by the attacker or the site owner. The Microsoft researchers say that this, along with the multiple layers of obfuscation that attackers use to cloak JavaScript exploits, can make it difficult for automated tools to identify such malware with a high degree of accuracy.

The approach that they take with Zozzle is a multi-stage one.

“Once we have labeled JavaScript contexts, we need to extract features from them that are predictive of malicious or benign intent. For ZOZZLE, we create features based on the hierarchical structure of the JavaScript abstract syntax tree (AST). Specifically, a feature consists of two parts: a context in which it appears (such as a loop, conditional, try/catch block, etc.) and the text (or some substring) of the AST node,” the paper says. “For a given JavaScript context, we only track whether a feature appears or not, and not the number of occurrences. To efficiently extract features from the AST, we traverse the tree from the root, pushing AST contexts onto a stack as we descend and popping them as we ascend.”
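The feature-extraction scheme quoted above, as an added illustration that is not Microsoft's code: the AST is a constructed toy tree rather than a real parser's output, the set of context-opening node types is assumed, and a small naive Bayes classifier stands in for the paper's statistical classifier.

```javascript
// Added ZOZZLE-style feature extraction + classifier (not Microsoft's code); the AST is a
// constructed toy tree (type, optional text, children), not output from a real JS parser.
const CONTEXT_TYPES = new Set(['function', 'loop', 'if', 'try', 'catch']); // assumed context kinds
const node = (type, text, ...children) => ({ type, text, children });

// Walk the tree from the root, pushing a context on descent and popping it on ascent.
// A feature is "<innermost context>:<node text>"; only presence is recorded, not counts.
function extractFeatures(root, stack = ['program'], features = new Set()) {
  if (root.text !== undefined) features.add(`${stack[stack.length - 1]}:${root.text}`);
  const opens = CONTEXT_TYPES.has(root.type);
  if (opens) stack.push(root.type);
  for (const child of root.children) extractFeatures(child, stack, features);
  if (opens) stack.pop();
  return features;
}

// Naive Bayes over binary features with Laplace smoothing, standing in for the paper's
// statistical classifier. Returns a classify() function that labels a feature Set.
function trainNaiveBayes(samples) {
  const counts = { malicious: new Map(), benign: new Map() };
  const total = { malicious: 0, benign: 0 };
  const vocab = new Set();
  for (const { features, label } of samples) {
    total[label] += 1;
    for (const f of features) { counts[label].set(f, (counts[label].get(f) || 0) + 1); vocab.add(f); }
  }
  return function classify(features) {
    const score = {};
    for (const label of ['malicious', 'benign']) {
      let logp = Math.log(total[label] / (total.malicious + total.benign)); // class prior
      for (const f of vocab) { // each known feature contributes whether present or absent
        const p = ((counts[label].get(f) || 0) + 1) / (total[label] + 2);
        logp += Math.log(features.has(f) ? p : 1 - p);
      }
      score[label] = logp;
    }
    return score.malicious > score.benign ? 'malicious' : 'benign';
  };
}
// Constructed training samples: a heap-spray shape (loop filling an array with unescape'd
// strings) versus ordinary DOM code inside a function and a conditional.
const sprayAst = node('program', undefined,
  node('loop', undefined, node('call', 'unescape'), node('assign', 'memory[i]')));
const benignAst = node('program', undefined,
  node('function', undefined, node('call', 'document.getElementById'),
    node('if', undefined, node('call', 'alert'))));
const classify = trainNaiveBayes([
  { features: extractFeatures(sprayAst), label: 'malicious' },
  { features: extractFeatures(benignAst), label: 'benign' },
]);
```

Because features are presence-only and context-qualified, `unescape` inside a loop and `unescape` at top level are distinct features, which is what lets the classifier key on the shape of a spray loop rather than on a single API name.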

The new tool is still in the research phase and it’s not clear when or if Microsoft Research might release Zozzle. But the researchers say that Zozzle has an extremely low overhead when deployed in a browser, on the order of 2-5 milliseconds per JavaScript file, and has a false-positive rate of less than one percent.

“Much of the novelty of ZOZZLE comes from its hooking into the JavaScript engine of a browser to get the final, expanded version of JavaScript code to address the issue of deobfuscation. Compared to other classifier-based tools, ZOZZLE uses contextual information available in the program Abstract Syntax Tree (AST) to perform fast, scalable, yet precise malware detection,” the researchers write in the paper. “We see tools like ZOZZLE deployed both in the browser to provide “first response” for users affected by JavaScript malware and used for offline dynamic crawling, to contribute to the creation and maintenance of various blacklists.”


Discussion

  • Anonymous on

    Gee whiz, novel. Now what AV solutions might not be compatible because they have been hooking the javascript engine for the past five years or so?

  • ghostwriter2012 on

    terrific...good for you msn...

  • ghostwriter2012 on

    I've encountered malicious attacks via JavaScript and I am glad msn is dealing with these worthless scum who make life miserable and cause an untold loss of revenue due to the destruction of private property.

  • oiaohm on

    False faith. I use NoScript now, which simply restricts where I run scripts in the first place. Anti-virus design is false faith; it makes you think you are safe until someone finds a hole. Better sandboxing solves most of the problem with no loophole issues.

  • Anonymous on

    don't worry

    we will find a way round this tool soon

    and when we do it'll be just like the old days ;)

  • stueycaster on

    Maybe if they get this thing going I'll be allowed to stop using NoScript. It might be nice to see some of those cute video things that websites do.

  • Anonymous on

    why can't people stop going after the small guys, steal from the rich and give to the poor?

  • Anonymous on

    i want to down

  • Egbert on

    Dear readers and posters,

    My name is Egbert. I am the moron that is not too chicken to use my name. Anonymous is just another word for 'I call the world a bunch of idiots, but am scared shitless to be a real person'.

    That said, dear friends, I applaud the people who develop anti-scamware for the benefit of protecting us all. Zozzle seems to be a fine example of that. Too bad that all this is needed, but there are a lot of 'Anonymous' out there who make it necessary!

    Now let's develop a tool that lifts the masks of all the 'Anonymous' and plasters all their private data on the net, so that the real people with names can all send them a heartfelt 'Thank you'!

    With best regards,

    Egbert

  • Anonymous on

    try it

  • wangyu on

    try it

  • hipdad on

    Nice app... It will protect me.... OH WAIT... I use Ubuntu Ultimate Edition 2.8 Gamer!! No Need for stupid protection from Microsoft malware/Virii/spyware!

  • Anonymous on

    "We evaluated ZOZZLE in terms of performance and malware detection rates (both false positives and false negatives) using thousands of pre-categorized code samples. We conclude that ZOZZLE yields a very low rate of false positives (a fraction of 1%), while being able to classify a kilobyte of JavaScript code in 3–4 ms."

    I'm kind of disappointed that they state that they evaluated ZOZZLE in terms of its malware detection rates, but then go to say that it has a low false positive rate.  I didn't see any numbers about their detection rate--did ZOZZLE catch 99% of the code samples?  Someone please correct me if I missed it in the article.


  • Anonymous on

    The previous comment regarding detection rates is mine.  I only skimmed the abstract and conclusion.  The accuracy or detection rate is contained in section 5, on page 10.
