Transcript
Page 1: Rozzle: De-Cloaking Internet Malware

Rozzle: De-Cloaking Internet Malware

Clemens Kolbitsch, Christian Seifert, Benjamin Livshits and Benjamin Zorn

Microsoft Research Technical Report

Presentation by David Ferreras

Page 2: Rozzle: De-Cloaking Internet Malware

The Problem

• The browser is exposed to malicious content that affects millions of URLs using JavaScript

• Web-based malware tends to target a particular browser, often attacking specific versions of installed plugins.
  – Environment matching
  – Fingerprinting
  – Client-side cloaking

Page 3: Rozzle: De-Cloaking Internet Malware

The Problem

Page 4: Rozzle: De-Cloaking Internet Malware

The Problem

Page 5: Rozzle: De-Cloaking Internet Malware

The Solution Proposed

• Rozzle: Multi-execution JavaScript implementation
  – execute both possibilities whenever it encounters control flow branching that is dependent on the environment

Page 6: Rozzle: De-Cloaking Internet Malware

The Solution Proposed

Page 7: Rozzle: De-Cloaking Internet Malware

The Solution Proposed (Details)

• Symbolic Values: All environment-specific values start out as symbolic in Rozzle

• Branching on symbolic values

• Looping on symbolic values

• Creates a heap of values
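
Added example (not from the slides or the Rozzle report): a toy JavaScript sketch of branching on symbolic values, contrasting one concrete run in a crawler's environment with a multi-execution run that follows both sides of every environment-dependent branch. The statement-tree format and the names runConcrete, runMulti, sample and crawlerEnv are assumptions made for illustration; it covers branching only, not looping.

```javascript
// Toy multi-execution over a tiny statement tree (added illustration, not Rozzle's code).
// Node kinds (all hypothetical): {call, arg}, {if: cond, then, else}.
// Conditions: {env: name, equals: value} reads the environment; {const: bool} does not.

// Single concrete run: environment reads return real values, one branch is taken.
function runConcrete(prog, env, seen = []) {
  for (const s of prog) {
    if (s.call) { seen.push(`${s.call}(${s.arg})`); continue; }
    const taken = 'const' in s.if ? s.if.const : env[s.if.env] === s.if.equals;
    runConcrete(taken ? s.then : (s.else || []), env, seen);
  }
  return seen;
}

// Multi-execution: environment reads are symbolic, so a branch on them runs both
// sides; each observed call is recorded with the path condition that guards it.
function runMulti(prog, path = [], seen = []) {
  for (const s of prog) {
    if (s.call) {
      seen.push({ call: `${s.call}(${s.arg})`, when: path.join(' && ') || 'always' });
      continue;
    }
    if ('const' in s.if) {            // concrete condition: ordinary execution
      runMulti(s.if.const ? s.then : (s.else || []), path, seen);
      continue;
    }
    const c = `${s.if.env} == ${JSON.stringify(s.if.equals)}`;
    runMulti(s.then, [...path, c], seen);              // symbolic: taken side
    runMulti(s.else || [], [...path, `!(${c})`], seen); // and not-taken side
  }
  return seen;
}

// Constructed sample: a page that gates behaviour on browser and plugin version.
const sample = [
  { call: 'log', arg: '"start"' },
  { if: { env: 'browser', equals: 'IE7' },
    then: [
      { if: { env: 'pluginVersion', equals: '9.1' },
        then: [{ call: 'loadFrame', arg: '"gated-content"' }],
        else: [{ call: 'log', arg: '"no plugin match"' }] },
    ],
    else: [{ call: 'showPage', arg: '"benign"' }] },
];

const crawlerEnv = { browser: 'Firefox', pluginVersion: 'none' };
console.log(runConcrete(sample, crawlerEnv));
console.log(runMulti(sample));
```

The concrete run in the crawler's environment never reaches the gated call, while the multi-execution run reports it together with the environment condition that guards it.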

Page 8: Rozzle: De-Cloaking Internet Malware

Results

Page 9: Rozzle: De-Cloaking Internet Malware

Limitations

• Server-side cloaking

• Breaking existing code

• Identifying that Rozzle is enabled could be used to construct a denial-of-service attack on Rozzle-enabled browsers.

Page 10: Rozzle: De-Cloaking Internet Malware

Any questions?

