• DocumentCode
    2613933
  • Title
    Term-Rewriting Deobfuscation for Static Client-Side Scripting Malware Detection
  • Author
    Blanc, Gregory ; Ando, Ruo ; Kadobayashi, Youki
  • Author_Institution
    Grad. Sch. of Inf. Sci., Nara Inst. of Sci. & Technol., Nara, Japan
  • fYear
    2011
  • fDate
    7-10 Feb. 2011
  • Firstpage
    1
  • Lastpage
    6
  • Abstract
    Ensuring users with a safe web experience has become a critical problem recently as fraud and privacy infringement on the Internet are becoming current. Web-scripting-based malware is also intensively used to carry out longer-term exploitation such as XSS worms or botnets, and server-side countermeasures are often ineffective against such threats while client-side ones seldom deal with the problem of obfuscation. In order to provide a sounder and more complete analysis, we propose to carry out deobfuscation of web-scripting-language-based malware. In this paper, we study the possibility of automating the deobfuscation process using a term rewriting system based on automated deduction. Such static approach intends to evade anti-analysis techniques and unknown obfuscation schemes. With some preliminary experiments in JavaScript, we show evidence that this is actually possible and highlight several challenges we need to tackle in order to implement an effective script-based malware deobfuscator. This approach can be generalized to web scripting languages other than JavaScript such as ActionScript or VBScript. Applications encompass script-based malware static analysis or malware distribution website crawling. This paper is included in a wider project that aims to provide a client-based defense against Web 2.0 malware.
  • Keywords
    Internet; Java; Visual BASIC; authoring languages; data privacy; invasive software; ActionScript; Internet; JavaScript; VBScript; Web 2.0 malware; Web scripting language based malware; XSS worms; botnets; fraud infringement; privacy infringement; static client side scripting malware detection; term rewriting deobfuscation; Browsers; Context; Encryption; Engines; Malware; Manuals; Proposals;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    New Technologies, Mobility and Security (NTMS), 2011 4th IFIP International Conference on
  • Conference_Location
    Paris
  • ISSN
    2157-4952
  • Print_ISBN
    978-1-4244-8705-9
  • Electronic_ISBN
    2157-4952
  • Type
    conf
  • DOI
    10.1109/NTMS.2011.5720649
  • Filename
    5720649