NTT works to detect and monitor these websites using a combination of high- and low-interaction honeyclients. A high-interaction honeyclient is a real browser, so it can precisely detect browser exploits and malware downloads. A low-interaction honeyclient is a browser emulator, which can emulate many different client profiles, trace complex redirection chains and hook code execution in detail. The two methods are complementary and together improve our overall analysis capability.
To observe evasive code, we constructed a redirect graph for each analysed website and performed differential analysis on these graphs; the point at which two graphs for the same site diverge marks the code worth inspecting. We then manually analysed that code and grouped it by code similarity to classify and identify the particular evasion techniques in use.
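The two steps just described, differencing redirect graphs and then grouping the divergent code by similarity, as an added illustration. This is not NTT's tooling: the redirect graphs and scripts are constructed sample data, the edge format (source URL, destination URL, redirection mechanism), the token-based Jaccard similarity and the 0.5 threshold are all assumptions made for the example.

```python
"""Differential analysis of redirect graphs, then similarity clustering.

Illustrative code only (not NTT's honeyclient tooling). Each honeyclient
yields a redirect graph: a set of directed edges (src_url, dst_url, how),
where `how` is the assumed mechanism of the transition (HTTP 302, script
inclusion, location.href, iframe, ...). All sample data is constructed.
"""
import re
from collections import defaultdict

# Constructed sample: what a real browser (high-interaction) observed for one site.
HIGH = {
    ("http://landing.example/", "http://redir.example/r.js", "script"),
    ("http://redir.example/r.js", "http://gate.example/go", "location.href"),
    ("http://gate.example/go", "http://final.example/index.php", "302"),
}
# Constructed sample: what the browser emulator (low-interaction) observed for
# the same site. It stopped after loading r.js.
LOW = {
    ("http://landing.example/", "http://redir.example/r.js", "script"),
}


def nodes(edges):
    """All URLs appearing as source or destination in an edge set."""
    return {n for src, dst, _ in edges for n in (src, dst)}


def build_graph(edges):
    """Adjacency map: src_url -> {(dst_url, how), ...}."""
    graph = defaultdict(set)
    for src, dst, how in edges:
        graph[src].add((dst, how))
    return graph


def diff_redirect_graphs(high, low):
    """Return (edges only in high, edges only in low, divergence nodes).

    A divergence node is a URL both honeyclients reached but from which
    they continued differently. The code served at such a node is the
    candidate for manual analysis.
    """
    only_high, only_low = high - low, low - high
    high_g, low_g = build_graph(high), build_graph(low)
    common = nodes(high) & nodes(low)
    divergence = sorted(n for n in common if high_g[n] != low_g[n])
    return only_high, only_low, divergence


# Constructed sample: code recovered at divergence nodes of three sites.
SAMPLE_SCRIPTS = [
    'setTimeout(function(){ location.href = "http://gate.example/go"; }, 3000);',
    'setTimeout(function(){ location.href = "http://gate2.example/x"; }, 5000);',
    'if (navigator.userAgent.indexOf("MSIE") > 0) { '
    'document.write("<iframe src=\\"http://final.example/\\"></iframe>"); }',
]


def tokens(script):
    """Identifier-like tokens of a script; assumed similarity feature."""
    return set(re.findall(r"[A-Za-z_$][A-Za-z0-9_$]*", script))


def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 1.0


def cluster_by_similarity(scripts, threshold=0.5):
    """Greedy clustering: a script joins the first cluster whose first
    member (the representative) it resembles at or above `threshold`,
    otherwise it starts a new cluster. Returns lists of script indices."""
    clusters = []  # (representative tokens, [member indices])
    for i, script in enumerate(scripts):
        toks = tokens(script)
        for rep, members in clusters:
            if jaccard(rep, toks) >= threshold:
                members.append(i)
                break
        else:
            clusters.append((toks, [i]))
    return [members for _, members in clusters]


if __name__ == "__main__":
    only_high, only_low, divergence = diff_redirect_graphs(HIGH, LOW)
    print("edges seen only by the real browser:", sorted(only_high))
    print("edges seen only by the emulator:", sorted(only_low))
    print("divergence nodes to inspect:", divergence)
    for idx, members in enumerate(cluster_by_similarity(SAMPLE_SCRIPTS)):
        print(f"cluster {idx}: scripts {members}")
```

In the sample, the emulator never followed the `location.href` transition made by `r.js`, so `http://redir.example/r.js` is the divergence node, and the two `setTimeout()`-based scripts fall into one cluster while the user-agent check forms another; one representative per cluster is then read by hand.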
We found the following evasive code by manually analysing one representative sample from each cluster.
To determine whether these evasion techniques could serve as Indicators of Compromise (IOCs), we investigated more than 860,000 URLs under Alexa top-ranked domain names. The setTimeout() evasive code was detected in 26 URLs, all of which belonged to compromised websites. The other evasion techniques either appeared unintentionally in benign websites or were no longer in use, which makes them unsuitable as IOCs.
We hope these findings help incident responders understand and analyse modern malicious websites, and contribute to improving the analysis capabilities of conventional honeyclients.
This article is based on a presentation given at the 30th Annual FIRST Conference in Kuala Lumpur, Malaysia. The slides can be found here [PDF].
Dr. Yuta Takata is a researcher at NTT R&D and has been a member of NTT-CERT in Japan since 2013. He focuses on developing honeyclients that effectively analyse websites and exhaustively extract malicious behaviours, for example, browser exploitations and malware infections.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.