Abstract
New computing paradigms, modern feature-rich programming languages and off-the-shelf software libraries have enabled the development of new, sophisticated malware families. Evidence of this phenomenon is the recent growth of fileless malware attacks. Fileless malware, or memory-resident malware, is an example of an Advanced Volatile Threat (AVT). In a fileless malware attack, the malware writes itself directly into the main memory (RAM) of the compromised device without leaving any trace on that device's file system. For this reason, fileless malware presents a difficult challenge for traditional malware detection tools, and in particular for signature-based detection. Moreover, fileless malware forensics and reverse engineering are nearly impossible using traditional methods. The majority of fileless malware attacks in the wild take advantage of MS PowerShell; however, fileless malware is not limited to MS PowerShell. In this paper, we designed and implemented a fileless malware by taking advantage of new features in JavaScript and HTML5. The proposed fileless malware could infect any device that supports JavaScript and HTML5. It serves as a proof-of-concept (PoC) to demonstrate the threat of fileless malware in web applications. We used the proposed fileless malware to evaluate existing methods and techniques for malware detection in web applications. We tested the proposed fileless malware against several free and commercial malware detection tools that apply both static and dynamic analysis. The proposed fileless malware bypassed all the anti-malware detection tools included in our study. In our analysis, we discuss the limitations of existing approaches and tools and suggest possible detection and mitigation techniques.
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Saad, S., Mahmood, F., Briguglio, W., Elmiligi, H. (2019). JSLess: A Tale of a Fileless Javascript Memory-Resident Malware. In: Heng, SH., Lopez, J. (eds) Information Security Practice and Experience. ISPEC 2019. Lecture Notes in Computer Science(), vol 11879. Springer, Cham. https://doi.org/10.1007/978-3-030-34339-2_7
DOI: https://doi.org/10.1007/978-3-030-34339-2_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-34338-5
Online ISBN: 978-3-030-34339-2