CaffeineMonkey: Automated Collection, Detection and Analysis of Malicious JavaScript

Presented at DEF CON 15 (2007), Aug. 4, 2007, 6 p.m. (50 minutes)

The web browser is ever increasing in its importance to many organizations. Far from its origin as an application for fetching and rendering HTML, today's web browser offers an expansive attack surface to exploit. All the major browsers now include full-featured runtime engines for a variety of interpreted scripting languages, including the popular JavaScript. The web experience now depends more than ever on the ability of the browser to dynamically interpret JavaScript on the client. We will present a software framework for the automated collection of JavaScript from the wild, the subsequent identification of malicious code, and the characteristic analysis of malicious code once identified. The framework builds on the work of several existing client honeypot implementations, and our goal is to largely automate the painstaking work of malicious software collection. Our focus is on attacks that use JavaScript for obfuscation or exploitation. We will also discuss the findings from the deployment of a network of CaffeineMonkeys. The analysis and conclusions will focus on identifying new in-the-wild obfuscation/evasion techniques and JavaScript browser exploits, quantifying the prevalence and distribution of well-known and newly discovered obfuscation and evasion techniques, and quantifying the prevalence and distribution of known and newly discovered JavaScript browser exploits.

Presenters:

  • Ben Feinstein - Security Researcher, SecureWorks
    Ben Feinstein is a Security Researcher at SecureWorks. He was introduced to IDS while working on a DARPA/Air Force contract in 2000-2001 as he completed his B.Sci in Computer Science at Harvey Mudd College. He is the author of RFC4765 and RFC4767. He has worked professionally designing and implementing security-related software since 2001. Feinstein has worked in the areas of next-gen firewall systems, IDS/IPS, log analysis and visualization, vulnerability scanning, secure messaging, and security appliances, among other things. Feinstein was a panelist at RAID, presented at ACSAC and several IETF meetings, and achieved his CISSP certification in 2005.
  • Daniel Peck - Security Researcher, SecureWorks
    Daniel Peck is a Security Researcher at SecureWorks. His team is responsible for the day-to-day discovery and documentation of vulnerabilities, as well as crafting countermeasures for several product lines and training security analysts to detect attack patterns and trends. He has also been a critical team member in creating numerous internal tools and contributing to the design of future products and services. He has a BS in Computer Science from the Georgia Institute of Technology.