METHOD FOR DETECTING MALICIOUS JAVASCRIPT

US 20110289582A1
Filed: 06/03/2011
Published: 11/24/2011
Est. Priority Date: 08/03/2009
Status: Active Grant

First Claim

Patent Images

1. A method for scoring and grading websites by observing script behaviors in a browser emulator, comprising:

providing one or more virtual machines on a computing system comprising a processor configured by an operating system;

providing a communications link for each virtual machine to access hosts coupled to the Internet;

within a virtual machine, providing an enhanced browser emulator application wherein said enhanced browser comprises at least one enhanced script functions;

receiving a Uniform Resource Identifier (URI) for a source website for which the content is to be graded for hostile intent, wherein a URI comprises a protocol and a fully qualified domain name;

requesting by the browser a resource from said source website;

receiving said resource;

determining if shell code is contained within said resource;

determining if executable code is contained within said resource;

operating said enhanced browser emulator application wherein certain function calls are executed with enhanced visibility and analysis of its arguments, attributes, and results;

observing a behavior of the enhanced browser emulator as controlled by said javascript code contained within the said resource and scoring said behaviors for hostile intent.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus and system for scoring and grading websites and method of operation. An apparatus receives one or more Uniform Resource Identifiers (URI), requests and receives a resource such as a webpage, and observes the behaviors of an enhanced browser emulator as controlled by javascript provided by the webpage. The enhanced browser emulator tracks behaviors which when aggregated imply malicious intent.

285 Citations

18 Claims

1. A method for scoring and grading websites by observing script behaviors in a browser emulator, comprising:
- providing one or more virtual machines on a computing system comprising a processor configured by an operating system;
  
  providing a communications link for each virtual machine to access hosts coupled to the Internet;
  
  within a virtual machine, providing an enhanced browser emulator application wherein said enhanced browser comprises at least one enhanced script functions;
  
  receiving a Uniform Resource Identifier (URI) for a source website for which the content is to be graded for hostile intent, wherein a URI comprises a protocol and a fully qualified domain name;
  
  requesting by the browser a resource from said source website;
  
  receiving said resource;
  
  determining if shell code is contained within said resource;
  
  determining if executable code is contained within said resource;
  
  operating said enhanced browser emulator application wherein certain function calls are executed with enhanced visibility and analysis of its arguments, attributes, and results;
  
  observing a behavior of the enhanced browser emulator as controlled by said javascript code contained within the said resource and scoring said behaviors for hostile intent.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method of claim 1 whereina behavior comprises:
    - dynamically changing the location URL of the resource to force a reload of the browser with content from a host not substantially similar to the domain name of the source website.
  - 3. The method of claim 1 whereina behavior comprises:
    - attempting to get a cookie and transmit said cookie to a target other than the source website.
  - 4. The method of claim 3 further comprising:
    - determining that said target is a host not substantially similar to the domain name of the source website.
  - 5. The method of claim 3 further comprising:
    - determining that said target is a host on a list of malicious hosts.
  - 6. The method of claim 3 further comprising:
    - determining that said target is expressed in a further javascript function which requires a browser execution to resolve.
  - 7. The method of claim 1 whereinthe behavior comprises:
    - requiring a javascript element to dynamically generate an attribute of an other javascript element.
  - 8. The method of claim 1 whereinthe behavior comprises:
    - invoking the document.write element to operate on an argument containing iframe src element value of which is substantially similar to a target wherein a target contains a domain name or an Internet Protocol (IP) address.
  - 9. The method of claim 1 whereindetermining if executable code is contained within said resource comprises:
    - extracting executable code from a pdf file.
  - 10. The method of claim 1 whereindetermining if executable code is contained within said resource comprises:
    - extracting executable code from a flash file.
  - 11. The method of claim 1 whereinthe resource comprises a webpage, andthe behavior comprises:
    - inserting an iframe into the webpage.
  - 12. The method of claim 11 whereinthe behavior further comprises:
    - dynamically generating a target for the iframe.
  - 13. The method of claim 1 whereinthe behavior comprises:
    - operating an eval function on an argument which is resolved into shell code injection.
  - 14. The method of claim 1 whereinthe behavior comprises:
    - operating a document.write function on an argument which is resolved into shell code injection code.
  - 15. The method of claim 1 whereinthe behavior comprises:
    - operating a createElements function enough times to exceed a threshold whereby memory manipulation can be exploited.
  - 16. The method of claim 1 whereinthe behavior comprises:
    - operating a concatentation function to create a string large enough to exceed a threshold whereby memory can be exploited.
  - 17. The method of claim 1 whereinthe behavior comprises:
    - operating a javascript sequence previously determined to be malicious.
  - 18. The method of claim 1 further comprising:
    - determining a total score for a website from the scores of the behaviors of javascript within a browser emulator, anddetermining a grade for the website by comparing the total score to one or more thresholds.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Barracuda Networks Incorporated
Original Assignee
Barracuda Networks Incorporated
Inventors
JUDGE, PAUL, KEJRIWAL, NIDHI GOVINDRAM

Granted Patent

US 8,789,178 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/2119   Authenticating web pages, e...

H04L 63/14   for detecting or protecting...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/168   above the transport layer

METHOD FOR DETECTING MALICIOUS JAVASCRIPT

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

285 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD FOR DETECTING MALICIOUS JAVASCRIPT

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

285 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links