1. Field of the Invention
The present invention relates to an apparatus and method for detecting an obfuscated malicious web page, and more particularly, to an apparatus and method that, in order to detect malicious code concealed in obfuscated form within a web page, detect the obfuscated code, insert a function for deobfuscating the obfuscated code, and deobfuscate the obfuscated code using the inserted deobfuscation function.
2. Discussion of Related Art
The development of Internet technology has been accompanied by the development of ever more intelligent methods for planting malicious code in a web page to unlawfully steal or collect important information. In particular, one problematic method installs an unlawful program on a computer that accesses a web page by concealing specific code in an otherwise normal web page.
FIG. 1 conceptually illustrates a web attack using a concealed code.
Referring to FIG. 1, an attacker 110 attempting a web attack using malicious code distributes a malicious program using a malicious program distribution server 130 (step 101). The malicious program distribution server 130 may be set up by, for example, hacking an existing server and installing the malicious program on it.
The attacker then hacks a target server 100 that is frequently used by a user 140, the attack target, and inserts malicious code or JavaScript that links any user accessing the target server 100 to the distribution server 130 (step 103).
Meanwhile, the user 140, unaware that the target server 100 has been hacked, accesses the target server 100 as usual (step 105). The user then involuntarily downloads (step 109) a malicious program or the like by automatically accessing (step 107) the distribution server 130 according to the link code concealed in the target server 100.
Once the malicious code is installed on the computer of the user 140, the attacker 110 manipulates or acquires information of the user 140 using information sent by the malicious code (step 111).
There are many methods for this type of hacking. For example, there is an iframe method in which a frame is made tiny so as not to alert a user that the target server 100 is being hacked. There is also a JavaScript method in which JavaScript is used to obfuscate the malicious code inserted into the target server 100, thereby making it difficult for a security manager to detect that the malicious code has been inserted.
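As an added illustration of how a security manager might check served pages for the tiny-frame method described above, the following Python sketch flags iframes whose rendered size is at most a few pixels. It is example code added here, not part of the invention or of any cited technology; the 2-pixel threshold, the function names, the extra check for CSS-hidden frames (a generalization beyond the tiny-frame case) and the sample page are assumptions.

```python
import re
from html.parser import HTMLParser

MAX_TINY_PX = 2  # assumed threshold: a frame this small is effectively invisible

def _px(value):  # pixel count of "1" or "1px"; None for "100%", "auto", missing
    m = re.fullmatch(r"\s*(\d+)(?:px)?\s*", value or "")
    return int(m.group(1)) if m else None

def _style_props(style):
    """Parse an inline style attribute into a lowercase {property: value} dict."""
    props = {}
    for decl in (style or "").split(";"):
        if ":" in decl:
            key, val = decl.split(":", 1)
            props[key.strip().lower()] = val.strip().lower()
    return props

class TinyIframeFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # list of (src, [reasons]) for suspicious frames

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        attr = dict(attrs)
        css = _style_props(attr.get("style"))
        reasons = []
        for dim in ("width", "height"):
            # Inline CSS overrides the HTML attribute, so it is checked first.
            size = _px(css[dim]) if dim in css else _px(attr.get(dim))
            if size is not None and size <= MAX_TINY_PX:
                reasons.append(f"{dim}={size}")
        if css.get("display") == "none" or css.get("visibility") == "hidden":
            reasons.append("css-hidden")
        if reasons:
            self.findings.append((attr.get("src") or "", reasons))

def find_hidden_iframes(html):
    """Return (src, reasons) for every iframe that is tiny or hidden by CSS."""
    finder = TinyIframeFinder()
    finder.feed(html)
    return finder.findings

# Constructed sample page: one normal embed and three concealed frames.
SAMPLE = """<iframe src="https://video.example/embed/1" width="640" height="360"></iframe>
<iframe src="http://distribution.example/x" width="1" height="1"></iframe>
<iframe src="http://distribution.example/y" style="width:0px; height:0; border:0"></iframe>
<iframe src="http://distribution.example/z" width="300" style="display:none"></iframe>"""
```

A static check of this kind only sees frames present in the served markup; a frame written into the page at run time by obfuscated JavaScript does not appear until the script has been deobfuscated, which is the gap the remainder of this background identifies.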
To defend against such attacks, one conventional technology detects malicious code by collecting traffic and events when a user's web browser accesses a web site in a virtual environment independent of an execution environment or an environment interworking with the user's browser by proxy. Another technology detects a function or method call sequence used to execute malicious code, checks a value or parameter associated with each composition belonging to the call sequence, and inserts an anomaly monitoring function after or before the call composition.
However, the first method has a problem in that it may not prevent damage to a user computer in advance, and the second method has a problem in that it may not detect an obfuscated malicious code.
Therefore, there is a need for a method of detecting malicious code by automatically finding and deobfuscating obfuscated source code.