Optimizing Away JavaScript Obfuscation
This addresses the challenge for malware analysts in dealing with obfuscated JavaScript attacks, though it appears incremental as it builds on existing compiler techniques.
The paper tackles the problem of detecting malicious JavaScript by presenting SAFE-Deobs, a tool that automatically deobfuscates JavaScript malware using static analyses inspired by compiler theory, enabling analysts to more rapidly determine malicious intent.
JavaScript is a popular attack vector for releasing malicious payloads on unsuspecting Internet users. Authors of this malicious JavaScript often employ numerous obfuscation techniques in order to prevent the automatic detection by antivirus and hinder manual analysis by professional malware analysts. Consequently, this paper presents SAFE-Deobs, a JavaScript deobfuscation tool that we have built. The aim of SAFE-Deobs is to automatically deobfuscate JavaScript malware such that an analyst can more rapidly determine the malicious script's intent. This is achieved through a number of static analyses, inspired by techniques from compiler theory. We demonstrate the utility of SAFE-Deobs through a case study on real-world JavaScript malware, and show that it is a useful addition to a malware analyst's toolset.