Method for detecting malicious javascript

US 8,789,178 B2
Filed: 06/03/2011
Issued: 07/22/2014
Est. Priority Date: 08/03/2009
Status: Active Grant

First Claim

Patent Images

1. A method for scoring and grading websites by observing script behaviors in a browser emulator, comprising:

providing one or more virtual machines on a computing system comprising a processor configured by an operating system;

providing a communications link for each virtual machine to access hosts coupled to the Internet;

within a virtual machine, providing an enhanced browser emulator application wherein said enhanced browser emulator is enhanced by replacing standard Application Programming Interfaces (APIs), libraries, and functions in a resource from a source website with instrumented operations, wherein the instrumented operations check the number of invocations of any of the APIs, libraries, and functions against a threshold and take action upon reaching the threshold;

receiving a Uniform Resource Identifier (URI) for the source website for which content is to be graded for hostile intent, wherein a URI comprises a protocol and a fully qualified domain name;

requesting by the browser a resource from said source website;

receiving said resource;

determining if shell code is contained within said resource from said source website;

determining if executable code is contained within said resource;

observing a behavior of the enhanced browser emulator as controlled by said executable code contained within the said resource and scoring said behaviors for hostile intent.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus and system for scoring and grading websites and method of operation. An apparatus receives one or more Uniform Resource Identifiers (URI), requests and receives a resource such as a webpage, and observes the behaviors of an enhanced browser emulator as controlled by javascript provided by the webpage. The enhanced browser emulator tracks behaviors which when aggregated imply malicious intent.

Citations

20 Claims

1. A method for scoring and grading websites by observing script behaviors in a browser emulator, comprising:
- providing one or more virtual machines on a computing system comprising a processor configured by an operating system;
  
  providing a communications link for each virtual machine to access hosts coupled to the Internet;
  
  within a virtual machine, providing an enhanced browser emulator application wherein said enhanced browser emulator is enhanced by replacing standard Application Programming Interfaces (APIs), libraries, and functions in a resource from a source website with instrumented operations, wherein the instrumented operations check the number of invocations of any of the APIs, libraries, and functions against a threshold and take action upon reaching the threshold;
  
  receiving a Uniform Resource Identifier (URI) for the source website for which content is to be graded for hostile intent, wherein a URI comprises a protocol and a fully qualified domain name;
  
  requesting by the browser a resource from said source website;
  
  receiving said resource;
  
  determining if shell code is contained within said resource from said source website;
  
  determining if executable code is contained within said resource;
  
  observing a behavior of the enhanced browser emulator as controlled by said executable code contained within the said resource and scoring said behaviors for hostile intent.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The method of claim 1 whereina behavior comprises:
    - dynamically changing the location URL of the resource to force a reload of the browser with content from a host not substantially similar to the domain name of the source website.
  - 3. The method of claim 1 whereina behavior comprises:
    - attempting to get a cookie and transmit said cookie to a target other than the source website.
  - 4. The method of claim 3 further comprising:
    - determining that said target is a host not substantially similar to the domain name of the source website.
  - 5. The method of claim 3 further comprising:
    - determining that said target is a host on a list of malicious hosts.
  - 6. The method of claim 3 further comprising:
    - determining that said target is expressed in a further javascript function which requires a browser execution to resolve.
  - 7. The method of claim 1 whereinthe behavior comprises:
    - requiring a javascript element to dynamically generate an attribute of another javascript element.
  - 8. The method of claim 1 whereinthe behavior comprises:
    - invoking a document write function to operate on an argument containing iframe src element value of which is substantially similar to a target wherein a target contains a domain name or an Internet Protocol (IP) address.
  - 9. The method of claim 1 whereindetermining if executable code is contained within said resource comprises:
    - extracting executable code from a pdf file.
  - 10. The method of claim 1 whereindetermining if executable code is contained within said resource comprises:
    - extracting executable code from a flash file.
  - 11. The method of claim 1 whereinthe resource comprises a webpage, andthe behavior comprises:
    - inserting an iframe into the webpage.
  - 12. The method of claim 11 whereinthe behavior further comprises:
    - dynamically generating a target for the iframe.
  - 13. The method of claim 1 whereinthe behavior comprises:
    - operating an eval function on an argument which is resolved into shell code injection.
  - 14. The method of claim 1 whereinthe behavior comprises:
    - operating a document write function on an argument which is resolved into shell code injection code.
  - 15. The method of claim 1 whereinthe behavior comprises:
    - operating a createElements function enough times to exceed a threshold whereby memory manipulation can be exploited.
  - 16. The method of claim 1 whereinthe behavior comprises:
    - operating a concatentation function to create a string large enough to exceed a threshold whereby memory can be exploited.
  - 17. The method of claim 1 whereinthe behavior comprises:
    - operating a javascript sequence previously determined to be malicious.
  - 18. The method of claim 1 further comprising:
    - determining a total score for a website from the scores of the behaviors of javascript within a browser emulator, anddetermining a grade for the website by comparing the total score to one or more thresholds.
  - 19. The method of claim 1 whereinsome of the instrumented operations examine attributes of the APIs, libraries, and functions and determine if any of the attributes require evaluation.
  - 20. The method of claim 1 whereinsaid enhanced browser comprises at least one enhanced script function which flags when it is invoked, writes details to a log and self analyzes the result of its execution.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Barracuda Networks Incorporated
Original Assignee
Barracuda Networks Incorporated
Inventors
Judge, Paul, Kejriwal, Nidhi Govindram
Primary Examiner(s)
TRAN, ELLEN C

Application Number

US13/152,269
Publication Number

US 20110289582A1
Time in Patent Office

1,145 Days
Field of Search

726/22, 726/25
US Class Current

726/22
CPC Class Codes

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/2119   Authenticating web pages, e...

H04L 63/14   for detecting or protecting...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/168   above the transport layer

Method for detecting malicious javascript

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method for detecting malicious javascript

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links