by Gareth Morgan
22 May 2012
Microsoft researchers have shown off a new anti-malware tool which could be used to defeat so-called drive-by attacks, where users' computers are infected without them actively installing rogue software.
Drive-by attacks are typically delivered by JavaScript that probes the visitor's browser and plugins and then launches an exploit for a matching vulnerability, and that script is near-impossible for traditional static and runtime anti-malware tools to detect, according to the researchers.
The malicious JavaScript usually targets a specific browser version running particular plugins. Unless the script detects that exact set-up, the exploit is never triggered, so a scanner or crawler that visits with a different configuration sees only harmless-looking code.
But Benjamin Livshits and Benjamin Zorn of Microsoft Research, along with Clemens Kolbitsch from the Technical University of Vienna have devised a virtual machine tool, known as Rozzle [PDF], which dramatically improves detection of the JavaScript threats.
Rozzle is a JavaScript engine extension that performs what the researchers call multi-execution: when a script's control flow depends on an environment check, such as the browser name or the version of an installed plugin, Rozzle explores both outcomes of the branch rather than only the one matching the crawler's actual configuration. A single visit therefore mimics many browser set-ups at once, and cloaked code that would fire for only one of them is exposed to detection. In effect, it provides a tool to decloak this hidden JavaScript malware.
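The idea in miniature, as an added example that is not Rozzle's code and not from the paper: a cloaked loader is modelled as a small AST (a constructed sample, with made-up property names such as `plugin:Java` and made-up payload names) so that a one-configuration crawl can be compared with a multi-execution that treats every environment property as unknown, forks at each branch that tests one, and carries the path constraints so that contradictory paths are pruned. Rozzle does this inside a real JavaScript engine; the AST interpreter here is a stand-in so the example runs offline.

```javascript
'use strict';
// Added illustration, not Rozzle's code. A cloaked drive-by loader is a tiny AST
// (constructed sample) so two strategies can be compared offline:
//   runConcrete: a crawler that impersonates exactly one browser configuration;
//   runMulti:    Rozzle-style multi-execution, which treats every environment
//                property as unknown, explores both sides of each branch that
//                tests one, and prunes paths whose constraints contradict.
// Property names ("appName", "plugin:Java") and payload names are made up.

const cloakedScript = {
  kind: 'seq',
  body: [
    {
      kind: 'if',
      cond: { prop: 'appName', value: 'Microsoft Internet Explorer' },
      then: {
        kind: 'if',
        cond: { prop: 'plugin:Java', value: '1.6' },
        then: { kind: 'payload', name: 'java-exploit' },
        else: {
          kind: 'if',
          cond: { prop: 'plugin:Flash', value: '10' },
          then: { kind: 'payload', name: 'flash-exploit' },
          else: { kind: 'noop' },
        },
      },
      else: { kind: 'noop' },
    },
  ],
};

// Concrete execution: one visit with one concrete environment object.
function runConcrete(node, env, triggered = []) {
  switch (node.kind) {
    case 'seq':
      for (const stmt of node.body) runConcrete(stmt, env, triggered);
      break;
    case 'if':
      runConcrete(env[node.cond.prop] === node.cond.value ? node.then : node.else, env, triggered);
      break;
    case 'payload':
      triggered.push(node.name);
      break;
    case 'noop':
      break;
    default:
      throw new Error(`unknown node kind: ${node.kind}`);
  }
  return triggered;
}

// Path constraints per property: { eq: v } or { neq: [v1, v2, ...] }.
function canBeEqual(known, value) {
  if (!known) return true;
  return known.eq !== undefined ? known.eq === value : !known.neq.includes(value);
}
function canDiffer(known, value) {
  return !known || known.eq === undefined || known.eq !== value;
}
function assumeEqual(cs, prop, value) {
  return { ...cs, [prop]: { eq: value } };
}
function assumeDiffers(cs, prop, value) {
  const known = cs[prop];
  if (known && known.eq !== undefined) return cs; // already fixed to a different value
  return { ...cs, [prop]: { neq: [...(known ? known.neq : []), value] } };
}

// Multi-execution: returns every feasible path as { constraints, triggered }.
function runMulti(node, state = { constraints: {}, triggered: [] }) {
  switch (node.kind) {
    case 'seq':
      return node.body.reduce((states, stmt) => states.flatMap(s => runMulti(stmt, s)), [state]);
    case 'if': {
      const { prop, value } = node.cond;
      const known = state.constraints[prop];
      const paths = [];
      if (canBeEqual(known, value)) {
        paths.push(...runMulti(node.then, { ...state, constraints: assumeEqual(state.constraints, prop, value) }));
      }
      if (canDiffer(known, value)) {
        paths.push(...runMulti(node.else, { ...state, constraints: assumeDiffers(state.constraints, prop, value) }));
      }
      return paths;
    }
    case 'payload':
      return [{ ...state, triggered: [...state.triggered, node.name] }];
    case 'noop':
      return [state];
    default:
      throw new Error(`unknown node kind: ${node.kind}`);
  }
}

// Which payloads are reachable at all, and the configuration that first reaches each.
function decloak(script) {
  const found = {};
  for (const path of runMulti(script)) {
    for (const name of path.triggered) {
      if (!found[name]) found[name] = path.constraints;
    }
  }
  return found;
}

// A crawler posing as a non-IE browser never sees the exploit code run.
console.log('concrete:', runConcrete(cloakedScript, { appName: 'Netscape', 'plugin:Java': '1.6' }));
// Multi-execution surfaces both payloads and the set-up each one requires.
console.log('multi:', decloak(cloakedScript));
```

The pruning in `canBeEqual`/`canDiffer` is what keeps the path count proportional to the number of distinct environment outcomes rather than exponential in the number of checks; a real engine additionally has to bound the fork count and merge paths, which this toy leaves out.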
Rozzle was put head-to-head against a traditional runtime malware detector on more than 65,000 samples of JavaScript malware. The traditional tool flagged just 2.5 per cent of them, while running the same detector under Rozzle raised the detection rate to 17.5 per cent.
While that is far from perfect, it validates the approach, according to the researchers.
“The goal of our work is to increase the effectiveness of dynamic crawler searching for malware so as to imitate multiple browser and environment configurations,” they wrote in their research paper.
They also showed that Rozzle was three times as effective as traditional tools for uncovering malicious URLs.
Earlier this year, security firm FireEye warned that malware writers were increasingly turning to JavaScript vulnerabilities to breach enterprise defences because it was nearly impossible for firms to lock down the volume of devices running JavaScript.
Rozzle is being presented at the IEEE Symposium on Security and Privacy in San Francisco today.