Minseong Kim AhnLab
Most anti-virus programs use signature-based approaches to detect malicious web pages as well as malicious binary files. Unfortunately, signature-based approaches are far less effective against malicious web pages. The content of a malicious web page is obfuscated or transformed so that it can change its appearance easily and evade detection. This has become a challenging problem that most anti-virus vendors face.
In this paper, we propose a novel approach called WebStalker to monitor web browser behaviour. Because WebStalker records all the information on a web page while the web browser renders it, WebStalker gives us more information than any other similar tool. We can detect and block malicious web pages more easily even if the page is obfuscated.
WebStalker consists of two key techniques. The first is to monitor events such as generating new objects, copying shellcode to memory, opening files and executing files. The second is to assign identifiers to the objects or documents in a web page. We use the identifiers to build a logical structure of the web page. Through this structure, we can identify which objects the web page is composed of, and we can also trace back through the logical structure to find the object that fired an event.
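The following is an added illustration of the two techniques described above, written for this page; it is not WebStalker's own code and does not hook a real browser. It models a renderer that hands every created object an identifier together with the identifier of its creator, records the event kinds the abstract names (object creation, shellcode copied to memory, file opened, file executed), and walks the parent links back to the top document to report the chain of objects behind each suspicious event. The page layout, URLs and object details in `render_sample_page` are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Event kinds taken from the abstract: object creation, shellcode copied to
# memory, file opened, file executed. The last three produce a finding.
SUSPICIOUS_EVENTS = {"copy_shellcode", "open_file", "exec_file"}


@dataclass
class PageObject:
    obj_id: int
    kind: str                 # "document", "script", "iframe", "activex", ...
    parent: Optional[int]     # identifier of the object that created this one
    detail: str = ""


@dataclass
class Event:
    name: str
    obj_id: int               # identifier of the object that fired the event
    detail: str = ""


class Monitor:
    """Records objects as the (simulated) browser creates them and the events
    they fire, so that any event can be traced back to its origin."""

    def __init__(self) -> None:
        self.objects: Dict[int, PageObject] = {}
        self.events: List[Event] = []
        self._next_id = 0

    def new_object(self, kind: str, parent: Optional[int] = None,
                   detail: str = "") -> int:
        """Assign an identifier to a newly created object and log the event."""
        oid = self._next_id
        self._next_id += 1
        self.objects[oid] = PageObject(oid, kind, parent, detail)
        self.events.append(Event("new_object", oid, kind))
        return oid

    def fire(self, name: str, obj_id: int, detail: str = "") -> None:
        """Log an event together with the identifier of the object firing it."""
        if obj_id not in self.objects:
            raise KeyError(f"unknown object id {obj_id}")
        self.events.append(Event(name, obj_id, detail))

    def trace_back(self, obj_id: int) -> List[PageObject]:
        """Walk parent links from an object up to the top-level document;
        the result is ordered from the root down to the object itself."""
        chain: List[PageObject] = []
        cur: Optional[int] = obj_id
        while cur is not None:
            obj = self.objects[cur]
            chain.append(obj)
            cur = obj.parent
        chain.reverse()
        return chain

    def findings(self) -> List[dict]:
        """One entry per suspicious event, with the object chain behind it."""
        out: List[dict] = []
        for ev in self.events:
            if ev.name in SUSPICIOUS_EVENTS:
                chain = [f"{o.kind}#{o.obj_id}" for o in self.trace_back(ev.obj_id)]
                out.append({"event": ev.name, "detail": ev.detail, "chain": chain})
        return out


def render_sample_page() -> Monitor:
    """Constructed scenario (not a real page): an obfuscated script on the top
    document injects a hidden iframe whose script creates an ActiveX object;
    the script writes shellcode and the control executes a dropped file."""
    m = Monitor()
    top = m.new_object("document", detail="http://example.invalid/index.html")
    loader = m.new_object("script", parent=top, detail="eval(unescape(...))")
    frame = m.new_object("iframe", parent=loader, detail="hidden 1x1 frame")
    inner = m.new_object("document", parent=frame,
                         detail="http://example.invalid/frame.html")
    stage2 = m.new_object("script", parent=inner, detail="decoded stage")
    ctrl = m.new_object("activex", parent=stage2, detail="example control")
    m.fire("copy_shellcode", stage2, detail="shellcode written to heap")
    m.fire("exec_file", ctrl, detail="dropped.exe")
    return m


if __name__ == "__main__":
    for f in render_sample_page().findings():
        print(f["event"], f["detail"], "<-", " -> ".join(f["chain"]))
```

Because the chain is reconstructed from identifiers rather than from page source, the report names the top document and the injecting script even when the intermediate script is obfuscated: the obfuscation changes the text of the script, not the identifier it received when the renderer created it.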
Our experiments demonstrate that WebStalker can effectively monitor web browser behaviour and detect malicious web pages.