My Script Engines Know What You Did In The Dark: Converting Engines into Script API Tracers
Malicious scripts have become a crucial attack vector in recent campaigns such as malware spam (malspam) and fileless malware. Because malicious scripts are almost always obfuscated, and because the obfuscation relies heavily on reflection (the code that actually runs is resolved only at run time), analyzing them statically is difficult. Dynamic analysis, which observes the script while it executes and is therefore unaffected by obfuscation, is used instead. Despite its wide adoption, however, some problems remain unsolved: existing designs of script analysis tools do not fulfill the following three requirements, all of which matter for malicious script analysis.
1. Universally applicable to various script languages.
2. Capable of outputting analysis logs from which the behavior of malicious scripts can be precisely recovered.
3. Applicable to proprietary script engines.
In this paper, we propose a method for automatically generating script API tracers by analyzing the binaries of the target script engine. The method mines, from the engine binary, the knowledge of engine internals required to append behavior-analysis capability. Because it works from the binary alone, analysis functionality can be added to arbitrary script engines, including proprietary ones, and the generated script API tracers fulfill the three requirements above. Experimental results show that the method can be applied to build malicious script analysis tools.
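To make concrete what a script API tracer recovers that static reading does not, here is an added, self-contained illustration that is not the paper's tool or code. The paper's contribution is deriving the hook points from the engine binary so that no source code is needed (which is what makes it applicable to proprietary engines); in this toy, CPython's built-in profiling hook (sys.setprofile) stands in for those engine-level hooks, so the mining step is skipped entirely. The tracer logs only calls that cross from script frames into engine or library code, which is the API boundary an analyst cares about, and ignores calls internal to the script or internal to the library. The sample script is constructed for this example: module names are spelled as chr() arrays, attribute names are concatenated, and the payload URL is base64-encoded, so none of base64, urllib.parse, hashlib or the URL appears in the source text.

```python
"""Toy script API tracer (added illustration, not the paper's tool).

The paper derives hook points from the script engine binary; here the Python
engine's profiling hook (sys.setprofile) stands in for those hooks so the idea
can be run without any binary analysis. SAMPLE_SCRIPT is constructed for this
example; the inline comments are analyst annotations, not part of the sample.
"""
import sys

# Filename attached to the sample's code objects; lets us tell script frames
# from engine/library frames.
SCRIPT_NAME = "<sample>"

SAMPLE_SCRIPT = r'''
_n = lambda *c: ''.join(map(chr, c))
_b = __import__(_n(98, 97, 115, 101, 54, 52))
_p = __import__(_n(117, 114, 108, 108, 105, 98, 46, 112, 97, 114, 115, 101),
                fromlist=[_n(112, 97, 114, 115, 101)])
_h = __import__(_n(104, 97, 115, 104, 108, 105, 98))
_blob = b'aHR0cDovL2V4YW1wbGUuaW52YWxpZC9wYXlsb2Fk'
_url = getattr(_b, 'b64' + 'dec' + 'ode')(_blob).decode()
_parts = getattr(_p, 'url' + 'parse')(_url)
_tag = getattr(_h, 'sha' + '256')(_url.encode()).hexdigest()
'''


class ScriptApiTracer:
    """Records every call that crosses from script code into engine/library code."""

    def __init__(self):
        self.log = []

    def _hook(self, frame, event, arg):
        if event == "c_call":
            # `frame` is the caller; `arg` is the C function. Keep only calls
            # issued directly by script code. This hook exposes no arguments.
            if frame.f_code.co_filename != SCRIPT_NAME:
                return
            mod = getattr(arg, "__module__", None) or "builtins"
            name = getattr(arg, "__qualname__", None) or getattr(arg, "__name__", repr(arg))
            self.log.append({"api": f"{mod}.{name}", "args": None})
        elif event == "call":
            # `frame` is the callee. Keep calls from a script frame into non-script
            # code; library-internal calls (e.g. urlparse -> urlsplit) are not the
            # API surface the script touches, and script-internal calls are noise.
            caller = frame.f_back
            code = frame.f_code
            if caller is None or caller.f_code.co_filename != SCRIPT_NAME:
                return
            if code.co_filename == SCRIPT_NAME:
                return
            nparams = code.co_argcount + code.co_kwonlyargcount
            local_vals = dict(frame.f_locals)  # at entry these are the bound parameters
            args = {n: local_vals[n] for n in code.co_varnames[:nparams] if n in local_vals}
            mod = frame.f_globals.get("__name__", "?")
            name = getattr(code, "co_qualname", code.co_name)
            self.log.append({"api": f"{mod}.{name}", "args": args})

    def run(self, source):
        code = compile(source, SCRIPT_NAME, "exec")
        namespace = {"__name__": "__sample__"}
        sys.setprofile(self._hook)
        try:
            exec(code, namespace)
        finally:
            sys.setprofile(None)
        return self.log


def trace_script(source=SAMPLE_SCRIPT):
    """Execute `source` under the tracer and return its API log."""
    return ScriptApiTracer().run(source)


def recovered_strings(log):
    """str/bytes arguments observed at the API boundary: what the script actually
    handed to the engine, however it was spelled in the source."""
    seen = []
    for entry in log:
        for value in (entry["args"] or {}).values():
            if isinstance(value, (str, bytes)) and value and value not in seen:
                seen.append(value)
    return seen


if __name__ == "__main__":
    for entry in trace_script():
        shown = "" if entry["args"] is None else " " + repr(entry["args"])[:90]
        print(f"{entry['api']}{shown}")
```

The log lists base64.b64decode with the encoded blob and urllib.parse.urlparse with the decoded URL as its argument, even though neither name nor the URL exists in the script text; that is the sense in which requirement 2 asks for logs from which behavior can be "precisely recovered". Two limitations mirror the real problem: the C-function hook does not expose arguments, and this only works because the engine happens to ship a hook API at all, which is exactly what a proprietary engine lacks and what the paper's binary-analysis step supplies.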