DocumentCode :
626427
Title :
MJBlocker: A Lightweight and Run-Time Malicious JavaScript Extensions Blocker
Author :
Pingjian Wang ; Lei Wang ; Ji Xiang ; Peng Liu ; Neng Gao ; Jiwu Jing
Author_Institution :
Grad. Univ. of Chinese Acad. of Sci., Beijing, China
fYear :
2013
fDate :
18-20 June 2013
Firstpage :
119
Lastpage :
128
Abstract :
We propose MJBlocker, a lightweight and run-time malicious JavaScript Extensions (JSEs) blocker for preventing them from hurting user security. MJBlocker can identify and block malicious JSEs whenever they are executed. It is motivated by the observation that most attack goals of malicious JSEs are accomplished via invoking Cross-Platform Component Object Model (XPCOM) calls, and the XPCOM call sequences acquired from malicious JSEs have distinct traits that are different from regular ones. We use simple regular expressions to capture these distinct traits. MJBlocker is interposed into Firefox between JSEs and XPCOMs, and intercepts all XPCOM calls made by JSEs. Whenever a JSE invokes an XPCOM call, the call is appended to its call sequence, and the sequence is checked against several regular-expression-based signatures to identify suspicious call sequence patterns. If suspicious patterns are found, an alarm is triggered and the XPCOM call that triggered the alarm is blocked from executing. However, some innocent JSEs may have suspicious call sequence patterns. To avoid false positives, a verifier utilizes several heuristics to filter out suspicious patterns generated by innocent JSEs. We have implemented MJBlocker atop Firefox. According to our experiments on 10 different malicious JSEs and 260 legitimate ones, MJBlocker causes negligible overhead (no more than 5%) and has zero false negatives and very few false positives.
Keywords :
Java; online front-ends; security of data; Firefox; JSE blocker; MJBlocker blocker; XPCOM call sequence; call sequence pattern; cross-platform component object model; false positive; malicious JSE attack goal; malicious JavaScript extension blocker; regular expression; regular-expression-based signature; user security; Accuracy; Browsers; Detectors; Malware; Servers; Web pages;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Software Security and Reliability (SERE), 2013 IEEE 7th International Conference on
Conference_Location :
Gaithersburg, MD
Print_ISBN :
978-1-4799-0406-8
Type :
conf
DOI :
10.1109/SERE.2013.14
Filename :
6571702