My script engines know what you did in the dark

Toshinori Usui, Yuto Otsuki, Yuhei Kawakoya, Makoto Iwamura, Jun Miyoshi, Kanta Matsuura
Proceedings of the 35th Annual Computer Security Applications Conference (ACSAC '19), 2019
Malicious scripts have been crucial attack vectors in recent attacks such as malware spam (malspam) and fileless malware. Since malicious scripts are generally obfuscated, statically analyzing them is difficult due to reflections. Therefore, dynamic analysis, which is not affected by obfuscation, is used for malicious script analysis. However, despite its wide adoption, some problems remain unsolved. Current designs of script analysis tools do not fulfill the following three requirements for malicious script analysis: (1) universally applicable to various script languages, (2) capable of outputting analysis logs that can precisely recover the behavior of malicious scripts, and (3) applicable to proprietary script engines. In this paper, we propose a method for automatically generating script API tracers by analyzing the target script engine binaries. The method mines the knowledge of script engine internals that is required to append behavior analysis capability. This enables the addition of analysis functionalities to arbitrary script engines and the generation of script API tracers that fulfill the above requirements. Experimental results showed that this method can be applied to building malicious script analysis tools.

CCS Concepts: • Security and privacy → Malware and its mitigation; Software reverse engineering; • Software and its engineering → Simulator / interpreter; • Computing methodologies → Optimization algorithms.
doi:10.1145/3359789.3359849 dblp:conf/acsac/UsuiOKIMM19 fatcat:lfwkkwkzmbb5xmxyjejrbbqqau