Browser JS Guard: Detects and Defends against

Malicious JavaScript Injection based Drive by

Download Attacks

Ravi Kishore K, Mallesh M, Jyostna G and P R L Eswari

Centre for Development of Advanced Computing,

Hyderabad

Email: {ravikishorek,malleshm,gjyostna,prleswari}@cdac.inhttp://www.cdachyd.in

Samavedam Satyanadha Sarma

CERT-IN, DIT,

New Delhi

Email: sarma@cert-in.org.in

http://www.cert-in.org.in

AbstractIn the recent times, most of the systems connectedto Internet are getting infected with the malware and some ofthese systems are becoming zombies for the attacker. When userknowingly or unknowingly visits a malware website, his systemgets infected. Attackers do this by exploiting the vulnerabilitiesin the web browser and acquire control over the underlyingoperating system. Once attacker compromises the users webbrowser, he can instruct the browser to visit the attackers websiteby using number of redirections. During the process, users webbrowser downloads the malware without the intervention of theuser. Once the malware is downloaded, it would be placed inthe file system and responds as per the instructions of theattacker. These types of attacks are known as Drive by Downloadattacks. Now-a-days, Drive by Download is the major channelfor delivering the Malware. In this paper, Browser JS Guardan extension to the browser is presented for detecting anddefending against Drive by Download attacks via HTML tagsand JavaScript.

KeywordsMalware, HTML tags, DOM Change Methods,JavaScript Functions, Web Browser, Web Browser Extensions, Driveby Download Attacks.

I. INTRODUCTION

With the increasing usage of Internet, the attacking chan-nels are flagging towards the usage of web browsers and webapplications widely. Browsers have evolved from static doc-ument renderers to todays sophisticated execution platformsfor web applications. Browsers are very much susceptibleto attacks through exploitable vulnerabilities. Attacker usesbrowser/ browser plug-in/ webpage as vehicles to infect endsystem without directly connecting to them.

Attacks are launching through memory, web content, webmarkup or scripting language level exploits. In a typicalXSS attack, due to the vulnerability in validating the input,attacker can inject malicious JavaScript code as a commentin the blog or reply to a post. This injection leads to theexecution of malicious JavaScript code with the privileges ofweb application. This injection affects the users who visit thesewebsites. This makes attacker get unauthorized access to datastored at users end system without their knowledge.

Now-a-days, it became very easy for any user to downloadand install the required software from web without checking

whether they are trusted or untrusted sites. Attackers aretaking this as an advantage and tricking the users to downloadmalicious software. This is one of the easy channels for anattacker, as he can enter into the users end system withoutexploiting any vulnerability. It is also possible for attackerto exploit browser vulnerabilities and download maliciouscode into end system when user visits compromised websites,knowingly or unknowingly. One such type of popular attackis Drive by Download attack [16], [17].

In this attack, initially the attacker compromises a legit-imate web server and inserts a script in web application.When user accesses the web site that was compromised bythe attacker, web server sends the injected script along withthe requested page. This script is either an exploit script or itimports exploit from a central server which is controlled bythe attacker and this import is either a direct inclusion of theresources from the remote server or through a number of redi-rections the browser is instructed to follow. A redirection startsfrom one web server to the other that actually plays part ofhop points. After following a number of redirections the usersrequest reaches the central exploit server. The central exploitserver sends the exploit script depending on the fingerprintof the user end system. Fingerprinting is done by using theUser-Agent field present in the HTTP request coming from theusers web browser. Fingerprinting includes web browser typeand underlying operating system along with version details.Imported exploit script is used to exploit the vulnerabilitypresent either in the browser/ browser plug-in/ webpage. Thisexploit instructs the browser to visit the malware distributionsite. This is, actually, when the Drive by Download starts.Malware executables are downloaded and users end systemautomatically installs and executes the malicious code.

II. BACKGROUND

In the earlier days attackers used vulnerabilities in theoperating system configuration or installed applications forexploitation. With the advent of web, attackers have changedtheir target to web browser and its plug-ins. Some of thecurrent day attacks such as XSS (Cross Site Scripting) andCSRF (Cross Site Request Forgery) does not require exploitingthe vulnerabilities in the clients browser or system. In these

978-1-4799-2259-14/$31.002014 92

Fig. 1: Drive by Download attack scenario - Exploit coderesides on Target server

attacks, malicious code is injected into the webpage andattacker tricks the client to visit the infected webpage forgetting access to users web browser. Through this Drive byDownload attack is carried out.

In some scenarios, Drive by Download attack is initiatedfrom a genuine web server. Attacker initially injects themalicious code into the web server and then tricks the userto visit the web page in which the malicious code is injected.This injected malicious code typically written in JavaScriptlanguage redirects browser requests and downloads exploitcode. Injected malicious code allows execution of downloadedexploit code by exploiting vulnerabilities in web browser.

If successful, the attack will be able to execute arbitrarycode with the privileges of the user. During this process it usesRedirections (to other malicious websites), Fingerprinting andObfuscations. Drive by Download attack is explained in detailwith the following scenarios.

In the first scenario, attacker prepares the attack usinga genuine web server. Attacker injects into the target webserver, PHP code as well as web content to redirect theuser to PHP code through iframe tag. Web browser accessesthe injected web page when connected to the target webserver. After accessing the injected web page from the server,web browser gets redirected to PHP page. This redirection ispossible through iframe tag. Now the web server sends theattack code or payload to the web browser if it is vulnerable.Target browser runs the exploit script received from the targetweb server as it is from the same origin. This is one scenariofor Drive by Download attack, where the exploit code alsoresides in the target web server as shown in Figure 1.

In second scenario exploit code resides on attacker serveras shown in Figure 2. In this scenario, attacker injects thecontent into target web server. Injected content refers to ascript residing in attackers web server. Target browser fetchesthe injected web page from the target web server. Wheneverbrowser renders the fetched web page, client browser is beingredirected to a script on attackers web server which is referredby using Script src tag. Attackers web server delivers theexploit code to the target browser if it is vulnerable. Target

Fig. 2: Drive by Download attack scenario Exploit coderesides on Attacker Server

web browser runs the exploit code received from the attackersserver.

Detailed analysis on mechanisms used by JavaScript injec-tion attacks is carried out and the result is shown in Figure3. From the analysis, it is understood that Hidden iframe andJS Obfuscation are the main mechanisms for initializing theattack. Sample obfuscated codes found in various attacks arepresented below.

Sample 1: Obfuscated Code:

eval(unescape(%64%6F%63%75%6D%65%6E%74%2E

%77%72%69%......(some bytes skipped) .......3E%3

C%2F%69%66%72%61%6D%65%3E%27%29));

De Obfuscated Code:

document.write();

Sample 2: Obfuscated Code:

p=parseInt;ss=(123)?

String.fromCharCode:0;asgq="28!66!75!6e!63!74!6@

!6f!6e!20!28!2@!20!7b! ... (some bytes skipped)

.... 7a!74!2@!3b!d!a!20!20!20!20!7d!d!a!7d!2@

!28!2@!3b".replace(/@/g,"9").split("!");try{

document.body&=0.1}catch(gdsgsdg){zz=3;dbshre

=62;if(dbshre){vfvwe=0;try{document;}catch(agdsg

){vfvwe=1;}if(!vfvwe){e=eval;}s="";if(zz)for(i

=0;i-485!=0;i++){if(window.document)s+=ss(p(asgq

[i],16));}if(window.document)e(s);}}

De Obfuscated Code:

(function() {

var pzt = document.createElement(iframe);

pzt.src = http://www.betterbailbonds.net/

VLNSec01/cnt.php;

pzt.style.position = absolute;

pzt.style.border = 0;

pzt.style.height = 1px;

pzt.style.width = 1px;

pzt.style.left = 1px;

pzt.style.top = 1px;

if (!document.getElementById(pzt)) {

93

Fig. 3: Mechanisms used by JavaScript Injection Attacks

document.write();

document.getElementById(pzt).appendChild(

pzt);

} })();

If the obfuscated code of the Sample code is de-obfuscatedthen it is leading to a hidden iframe which redirects the userto an evil URL.

Consider an example of a website compromised in therecent times. PHP.net has been compromised and it is beingredirected to an exploit kit as per the sources and this attackis a form of Drive by Download attack [19].

In this attack, the attackers built a connection to inject amalicious iframe in the PHP.net website that was redirectingto an Exploit Kit. It seems that as reported by Google theJavaScript file www.php.net/userprefs.js had some injectedobfuscated content at the end of the file. Part of injectedobfuscated code is as shown below

(function(Anv){var LUI="M\xaa\xb0\xa9\xf5n-\x92\xe0\

xb5S\xc7\x81,\x0b\x0f\x1e\x15\xb0\xa6BL\x16\x7f

%\x0aCDkFDt{bszH2qEdpNFX\x173\x18@Y\x7fZ}\x1bk\

x08%\x05*:7{bedFmHi\x0a%\x0f\x20NKDnBSIww

z8fol;pxoo:\x0a%\x00n]nA C o l

..(some bytes skipped)).

De-obfuscated content for the above obfuscated JavaScriptcode is shown below

It contains an iframe which is redirecting the user to anevil URL (http://url.whichusb.co.uk/stat.htm). The content ofthe file stat.htm is shown below

try{

var os=PluginDetect.OS;}

... (some bytes skipped).

try{

var adobe=PluginDetect.getVersion("AdobeReader");}

... (some bytes skipped).

The JavaScript code uses a publicly available JavaScriptlibrary to collect information about browser plugins. Onceit has collected the information it makes a POST request tothe server indicating whether the victim has Java and AdobeAcrobat Reader installed in the system.

The server redirects the browser to a server that makesanother redirection very likely depending on the plugins de-tected on the victim. The server has returned HTML codethat is embedding some Flash content in the browser aswell as a new iframe and encoded JavaScript content withString.fromCharCode() function.

The exploit code in this exploit is matching with the ExploitKit known as Magnitude/Popads.

III. RELATED WORK

WANG has done some good work in this area. In hisapproach he is extracting the features of malicious javascriptstatically[1].

In inline code analyzer, authors discussed inline code anal-ysis for malicious JavaScript elements. The elements includestring functions and HTML tags[2].

In Browser guard, authors discussed about the file down-load scenario and depending on the scenario, blocking theexecution of any file that is automatically downloaded withoutany knowledge of the user. This tool is developed for IEbrowser only[3].

Various types of hidden iframe injections into the web pageare well explained by Bin Liang [4].

JStill captures some essential characteristics of obfuscatedmalicious code by function invocation based analysis. It alsoleverages the combination of static analysis and lightweightruntime inspection so that it not only detects, but also preventsthe execution of the obfuscated malicious JavaScript code inbrowsers [5].

An integrated approach of using honey client with theabnormal visibility recognition detection is chosen in thisapproach for increasing the malicious website detection rateand speed. This integrated approach consists of Spidering,HTML Parser, JavaScript Engine, Honey client and abnormalvisibility detector [6].

Prophiler does not execute any code associated with theweb page and the specified features are extracted from thewebpage statically [7].

The idea of ADSandbox is executing any embeddedjavascript objects in separate isolated sandbox environmentand logging all the critical activities. Compare the activities

94

with the heuristics and decide whether the page is maliciousor not[8].

Sarma has examined the current trends in malware propaga-tion and functionalities of large scale botnets such as operatingFast Flux DNS, hosting of malicious websites and injectingmalicious links on legitimate websites [15]. Various types ofattacks on Indian websites, observed by CERT-In are examinedand also discussed various attack scenarios like Remote FileInclusion through malicious scripts on PHP based websites,SQL Injection attacks on ASP based websites.

Various tools were designed for identifying maliciousjavascript objects in web pages such as Google Safe BrowsingDiagnostic page [9], McAfee Site Advisor [10], DeFusinator[11] and Trafficlight addon [12]. Most of the tools use thecloud database for checking the malicious URLs. Databaseshould be updated frequently and also there is a possibility ofnot detecting zero day attacks. Browser JS Guard protects theuser from zero day attacks as it is content based JavaScriptmalware filtering solution.

IV. OUR APPROACH

Drive by Download attacks made through maliciousJavaScripts are detected by examining The structure of thestatic HTML page, Dynamic JavaScript Code and the DOMchanges in a web page. These characteristics are interceptedfor every incoming webpage and intercepted behavior is com-pared against the ruleset for analyzing and deciding whetherthe webpage is malicious or not. Ruleset is designed by an-alyzing various malicious JavaScript injection attack patterns.This detection approach is implemented as an extension to webbrowser.

A. Monitoring Structure of the static HTML page

The incoming web page can be monitored and the vulner-able HTML tag properties can be extracted from it [13], [14],[17], [18].

TABLE I: Monitorable Behaviors in HTML Tags of awebpage

HTML Tag Monitorable behaviours

frame/ iframe Cross Domain Source File

Invisible/Hidden Iframes

script

Cross Domain Source File

Wrong File name Extensions

Monitoring inline Script

img Cross Domain Source File

Wrong File name Extensions

anchor/link/area Cross Domain Source File

meta If contentType = refresh then monitor

src attribute

object Cross Domain Source File

Class ID of the plug-in to be invoked

The extracted properties specify the behavior of the webpage and are compared against the Ruleset and if any matchis found then the web page is treated as malicious page. The

HTML tags and their vulnerable properties to be monitoredare presented in Table I.

B. Monitoring HTML DOM Changes of a Web Page

Browsers provide an API through JavaScript, called theDocument Object Model (DOM), which represents the page asa tree of nodes with methods and properties. Scripts existingin the web page use the DOM to examine and change theweb page behavior. Table II shows the methods and propertiesof DOM through which a web page can be customized dy-namically. A script can be implemented using DOM methodsand properties. These methods and properties are used todynamically create any HTML tag elements [14], [17] andredirect the user to any evil URL respectively.

TABLE II: Monitorable DOM Change Methods of a WebPage

DOM Change Methods Monitorable behaviours

document.write() Presence of Vulnerable Tags

Presence of Obfuscated JS Code

document.createElement() Presence of Vulnerable Tags

document.location()

document.location.href

document.URL

Redirection Source

The arguments of DOM methods can consist of scriptswith obfuscated code which can be executed dynamically. Thisobfuscated code may be a shellcode which can be used toexecute any executable or a hidden iframe used to redirect anuser to any evil URL.

C. Dynamic JavaScript Code Execution Functions

Code generation at runtime is fairly common in JavaScript.The most widely used technique is the use of eval. Theincoming web page is intercepted and the vulnerable JavaScriptfunction arguments are extracted [17], [18]. The extractedproperties specify the behavior of the dynamic JavaScript codeexecution.

TABLE III: Monitorable dynamic code execution JavaScriptfunctions in a webpage

JS Functions Monitorable behaviours

eval()

String analysis in its argument

Presence of Shellcode / Non-printable

characters

setTimeout() Malicious JavaScript

unescape()

String analysis in its argument

Presence of Shellcode / Non-printable

characters

setInterval() Periodic Redirections

fromCharCode()

String analysis in its argument

Presence of Shellcode / Non-printable

characters

The argument of these functions may be obfuscated forescaping itself from being detected by Anti Virus solutions.

95

Fig. 4: Block Diagram of Browser JS Guard

Obfuscation of the code is being detected by calculating thepercentage of whitespaces present in a string, ratio of Key-words to Words, Word size in each String, Entropy, N-gram[20], [5] and checking for Non Printable ASCII characters inthe string.

If the extracted argument is an obfuscated code then checkthe maliciousness of the obfuscated code. if not, compareagainst the vulnerable HTML tags and the vulnerable HTMLtag properties are extracted and compared against the genuineproperties of the HTML tag. If any deviation is found thenthe web page is treated as malicious page. The vulnerableJavaScript dynamic code execution functions to be monitoredare shown in Table III.

The above specified features are implemented and thefunctionality is added to the web browser as part of Browser JSGuard extension. The above mechanism is implemented withthe help of JavaScript, HTML, HTML DOM, Ajax, jQueryand CSS technologies.

D. System Design

Whenever user is browsing a webpage, client initiates aHTTP request for the required resource and the server responseis called as HTTP Response.

HTTP Response includes the requested resource. TheHTTP Response is the incoming webpage and this webpage ismonitored for determining whether it has any malicious con-tents or not. In this incoming webpage, vulnerable tags, DOMchange functions and dynamic code execution functions aremonitored for determining the maliciousness of the webpage.

Block diagram of the JSGuard is shown in Figure 4.Incoming web page is intercepted for detecting vulnerableHTML tags, DOM change functions and runtime JS codeexecution functions in it. If any of them are detected in thewebpage then the respective properties are sent to Analyzermodule. Analyzer module gets the extracted properties and it

Fig. 5: Architecture of Static Monitoring Engine

checks for Hidden iframe redirections, Unauthorized Redi-rections and Obfuscated code. Analysis report is sent to theUser Alert & Decision Making component in which user willbe alerted if the webpage contains any malicious behaviorspresent. Webpage may be either rendered in the web browseror blocked depending on the decision taken by the user.

JSGuard works with two different types of engines forachieving its functionality at different phases of the web-page rendering. First one is Static Monitoring Engine, whichstatically analyses the vulnerabilities in source code of thewebpage and second one is Runtime Monitoring Engine, whichanalyses for the vulnerabilities in DOM changing functions anddynamic JS code execution functions.

The architecture of Static Monitoring Engine is shown inFigure 5.

In Static Monitoring Engine, Intercept module behaves asHTML tag Extractor. This Extractor detects the vulnerableHTML tags in the incoming webpage and if they are foundin the webpage, the properties of them are extracted and sendthem to Analyzer. Analyzer analyses them to detect Hiddenbehaviors, Unauthorized Redirections and Encoded JavaScript.Analysis report is sent to the User Alert & Decision Makingmodule.

The second component of JSGuard is Runtime MonitoringEngine and its architecture is shown in Figure 6.

In Runtime Monitoring Engine, Intercept module behavesas DOM and JS Function Extractor. This Extractor detectsthe vulnerable DOM change functions and dynamic codeexecution functions in the incoming webpage and if they arefound in the webpage, the arguments of them are extractedand send them to Analyzer. Analyzer analyses them to detectObfuscated code and HTML tags created at runtime.

If any HTML tags are created dynamically in the argu-ments of the intercepted functions then send them to Static

96

Fig. 6: Architecture of Runtime Monitoring Engine

Monitoring Engine for deciding whether the tags are behavingmaliciously or not. The details collected from Analyzer aresent to the User Alert & Decision Making module.

E. Implementation of Browser JS Guard

The detection mechanism is implemented in JavaScriptlanguage. Implemented security mechanism consists of variousJavaScript components namely tagMonitor.js, dynamicJSMon-itor.js, reportGenerator.js and jQueryAlert.

tagMonitor.js monitors the vulnerable HTML tags andspecified attributes of tags in every webpage by using DOMlanguage. The list of HTML tags is presented in Tables 1 and2. The HTML tags are stored in an array.

monitorTags = new Array("iframe", "script", "img", "

area", "link", "a", "frame", "form", "embed", "

applet", "meta", "object", "html", "head", "

title", "body");

dynamicJSMonitor.js tracks the function calls that are usedto dynamically interpret JavaScript code (e.g., eval, setTime-out, unescape), and DOM changes that may lead to codeexecution (e.g., document.write, document.createElement, doc-ument.location). It also retrieves the parameters of thesefunctions and verifies whether any vulnerable HTML tagsare dynamically created. For tracking the specified functions,hooks are being created for each function.

Internal function hooking (IFH) mechanism implementedfor monitoring eval() function is given below

var evalp=[];

var oldEval = eval;

eval = function eval(param)

{

evalp.push(param);

return oldEval(param);

Fig. 7: Browser JS Guard User Alert for Hidden iframe

}

console.log(evalp);

reportGenerator.js generates the report of the webpage byconsolidating the result from tagMonitor.js and dynamicJS-Monitor.js components and it includes the mechanism foralerting the user if the webpage is malicious.

Report(Result1, Result2)

{

//Writing the result to panel

finalReport = Result1 + Result2;

}

Result1 is the webpage analysis report received fromcomponent 1, i.e., tagMonitor.js and Result2 is the webpageanalysis report received from component 2, i.e., dynamicJS-Monitor.js.

jQueryAlert component uses jQueryAlert.js andjQueryAlert.css files which internally handles jConfirm()method for alerting the user.

jConfirm (MaliciousResult, Warning by Browser JS

Guard);

User can confirm whether to continue browsing the web-page or quit the website from the popup given by the Add-on.

The implemented extension functionality is compatiblewith various web browsers and the details are given in TableIV.

TABLE IV: Compatible Browsers for Browser JS Guard

Web BrowserCompatible

VersionSupported OS

Firefox >= 14.0 Windows & Linux

Google Chrome >=14.0 Windows & Linux

Iceweasel >=14.0 Windows & Linux

Opera >=11.0 Windows & Linux

Internet Explorer >=9.0 Windows

V. EXPERIMENTAL RESULTS

Implemented extension was deployed in various systems,tested the detection rate, calculated false positives, false nega-tives and performance overhead of the web browser when theJS Guard extension is installed.

97

A. Environment

Browser JS Guard extension has been deployed and testedin various systems of our organization. JSGuard has beendeployed for Firefox, Google Chrome, Opera web browsersin Windows and Linux operating systems. Also deployed forInternet Explorer in Windows OS.

B. Testing

Functional testing has been performed using various com-promised websites. Deployed extension is detecting the mali-cious injections in the compromised websites. Figure 7 showsthe hidden iframe injected in the website and the victim isbeing redirected to bedfer.com. The URL bedfer.com maybe a landing site or exploit server.

The JSGuard extension is initially tested on test systemswith both genuine and compromised URLs and compared withother existing content based online URL scanners.

Implemented Security extension is also tested with knownmalicious URLs received from CERT-IN and other onlineresources. The test results of JSGuard are compared againstvarious online URL scanners (Quettera, Sucuri, Wepawet andeVuln) as shown in Table V. Online URL scanners are theservices available in Internet to check whether a specificdomain is malicious or genuine. URL scanners require userto manually specify the URL and it downloads and scans theentire website source for the presence of JavaScript Malware.This entire process requires user interaction and lot of timeto download and scan entire website. But JS Guard is anextension to the browser and it scans each and every incomingwebpage for JavaScript Malware without any user interaction.Sucuri says a webpage as malicious if any blacklisted domainis present in the webpage source even though the webpageis not containing any malware code in it. JS Guard does notreport the presence of blacklisted domains in the source codeof the webpage but it detects whenever the blacklisted domainexhibits any malicious behavior.

C. False Positive and False Negatives

False Positive is a result of a test that shows as presentsomething that is absent.

False Positives are because of the presence of third partyadvertising and tracking code in the web page. Popular adver-tisement links are Doubleclick.net and Tribalfusion.net. Oneof the popular tracking sites is Google analytics. If webpageincludes advertisements in frame / iframe and if they are hiddenthen the extension detects it as hidden and injected iframe.

False Negative is a result of a test shows as absentsomething that is present.

False Negatives are because of malicious process creationon the target machine and presence of blacklisted domains inthe webpage source. When the extension is tested with theURL, Google Safe Browsing reported as Malicious softwareincludes 3 exploit(s). Successful infection resulted in newprocess (es) on the target machine. But JS Guard does notcheck for the newly created processes in the system and alsoit does not report a web page as malicious if any blacklisteddomains are present in the webpage source.

Fig. 9: Detailed report on Hidden iframe Redirections

Accuracy refers to the number of correctly classified webpages among the total number of web pages tested.

F.P =No.ofBenignWebpagesDetectedasMalicious

TotalNumberofBeningnWebpages100

(1)

F.N =No.ofMaliciousWebpagesDetectedasBenign

TotalNumberofMaliciousWebpages100

(2)

Accuracy =N.C

TotalNumberofWebpages 100 (3)

N.C = TotalNumberofWebPagesN.W (4)

F.P = False PositivesF.N = False NegativesN.C = No.of WebPages Classified CorrectlyN.W = No.of WebPages Classified Wrongly

Figure 8(a),(b) and (c) shows the False Positive rate, FalseNegative rate and Accuracy of Browser JSGuard extensionrespectively. Equations 1, 2 and 3 shows the calculationof False Positive, False Negative and Accuracy respectively.

D. Reporting

A detailed report of the visiting website can be viewedby clicking on the icon present at the right hand side bottomcorner of the browser status bar. By clicking on the icon, awindow is opened and displays the report of the requestedwebpage.

98

TABLE V: Comparison of JS Guard Detection Rate against other online URL Scanners

Product Name Browser JSGuard Quettera Sucuri Wepawet eVuln

Tested URLs 641 641 641 641 641

URLs Detected as Malicious 583 510 594 382 573

Detection Rate(%) 90.95 79.56 92.66 59.59 89.39

Fig. 8: Testing Results

Fig. 10: Detailed report on Encoded JavaScript Malware

Figure 9 shows a threat under Hidden iframe Redi-rections tab. The visiting website is injected with a hiddeniframe by using either HTML iframe tag or dynamic JS codeexecution functions. As the result of functional testing, wehave identified various mechanisms for injecting maliciousJavaScript and Encoded JavaScript is majorly used. Figure 10shows the detailed report for Encoded JavaScript Malware.

E. Performance

For evaluating the browser performance when the extensionis installed to it, LORI (Life Of Request Info) addon is usedfor Firefox web browser. The experiment of calculating thepage load time is repeated number of times for the Firefox

Fig. 11: Performance Testing Results

browser with and without JS Guard extension and the resultsare noted and analysed.

Web Page load time is calculated with and without JSGuard extension and the results are shown in Figures 11 and12. Average page load time of the web browser is increasedby 180 ms for loading any webpage.

Figure 12 shows the performance graph of the webbrowser. Graph is drawn with number of times tested on x-axis and time in secs on y-axis.

99

Fig. 12: Performance Testing Results

VI. CONCLUSION

In this paper, Browser JS Guard is presented for analyzingand detecting malicious JavaScript injections in the incom-ing web pages. JS Guard resides as part of the client webbrowser and detects the malicious web pages. In addition tothe detection, JS Guard extension provides the flexibility touser for viewing the detailed analysis report of the webpage.Furthermore this extension gives an option for user to decidewhether to continue browsing the webpage or not. Testinghas been performed on JSGuard using known Genuine andMalicious URLs. JSGuard has detected the malicious webpages with lesser rates of false positives (0.72 %) and falsenegatives (9.04 %). JS Guard installed web browser have taken180 ms more time for loading a webpage when compared withthe page load time of the web browser when JSGuard is notinstalled.

In the future, we plan to evaluate more number of URLsand try to improve the detection mechanism to further reducethe false positive and false negative rates by analyzing newattack trends and building intelligence. Further, we want toimprove the performance by applying various code optimiza-tion techniques.

ACKNOWLEDGMENT

Our sincere thanks to Department of Electronics & Infor-mation Technology (Deity), Ministry of Communications andInformation Technology, Government of India for supportingthis research work.

REFERENCES

[1] WANG Wei-Hong, LV Yin-Jun, CHEN Hui-Bing and FANG Zhao-Lin.A Static Malicious Javascript Detection Using SVM. In proceedings ofthe 2nd International Conference on Computer Science and ElectronicsEngineering (ICCSEE 2013)

[2] D.Nandhini, Kalpana.G and Abhilash.R. Browser Authentication andInline Code Analyzer with Common Centralized Browser Security

Violation Report Management System for Mitigating Web Attacks.In proceedings of International Journal of Engineering Research andDevelopment

[3] Pratik Upadhya, Farhan Meer, Acquin Dmello and Nikita Dmello.Runtime Solution for Minimizing Drive-By-Download Attacks. Inproceedings of International Journal of Modern Engineering Research(IJMER)

[4] Bin Liang, Jianjun Huang, Fang Liu, Dawei Wang, Daxiang Dong andZhaohui Liang. Malicious Web Pages Detection Based on AbnormalVisibility Recognition. In proceedings of IEEE 2009

[5] Wei Xu, Fangfang Zhang and Sencun Zhu. JStill: Mostly Static De-tection of Obfuscated Malicious JavaScript Code. In proceedings ofACM, February 1820, 2013

[6] Krishnaveni Raju, C.Chellappan. Integrated Approach of MaliciousWebsite Detection. In proceedings of International Journal Communi-cation & Network Security (IJCNS), Volume-I, Issue-II, 2011

[7] D. Canali, M. Cova, G. Vigna, and C.Kruegel. Prophiler: A fast filterfor the large-scale detection of malicious web pages. In Proceedings ofthe 20th international conference on World Wide Web, pages 197-206.ACM, 2011

[8] Andreas Dewald, Thorsten Holz, Felix C. Freiling. PADSandbox: Sand-boxing JavaScript to fight Malicious Websites. In proceedings ofSAC10 March 22-26, 2010

[9] Google Inc. Safe Browsing for Firefox. Google Inc. Safe Browsing forFirefox

[10] McAfee SiteAdvisor. http://www.siteadvisor.com

[11] DeFusinator: https://code.google.com/p/defusinator

[12] Trafficlight: https://addons.mozilla.org/En-us/firefox/addon/trafficlight

[13] D.J.Guan, Chia-Mei Chen, Jing-Siang Luo, and Yung-Tsung Hou.Malicious Web Page Detection Based on Anomaly Semantics.

[14] Birhanu Eshete, Adolfo Villa orita, and Komminist Weldemariam.BINSPECT: Holistic Analysis and Detection of Malicious Web Pages.

[15] S.S. Sarma. Propagation of Malware Through Compromised Web-sites: Attack Trends and Countermeasures. In proceedings of 11thAssociation of Anti-Virus Asia Researchers International Conference,December 2008

[16] Aikaterinaki Niki. Drive by Download attacks: Effects and Detectionmethods. In proceedings of IT Security Conference for the NextGeneration

[17] M. Cova, C. Kruegel, and G. Vigna. Detection and analysis of Drive byDownload attacks and malicious javascript code. In Proceedings ofthe 19th international conference on World Wide Web, pages 281-290.ACM, 2010

[18] Jaeun Choi, Gisung Kim, Tae Ghyoon Kim, and Sehun Kim. AnEfficient Filtering Method for Detecting Malicious Web Pages. Inproceedings of 13th International Workshop, WISA 2012, Jeju Island,Korea, 2012

[19] PHP.net Article: http://www.alienvault.com/open-threat-exchange/blog/phpnet-potentially-compromised-and-redirecting-to-

an-exploit-kit

[20] YoungHan Choi, TaeGhyoon Kim, SeokJin Choi. Automatic Detectionfor JavaScript Obfuscation Attacks in Web Pages through String Pattern

Analysis. In proceedings of International Journal of Security and itsapplications, April 2010

100