
Analysis And Detection System Of High-obfuscated Malicious Web Pages

Posted on: 2015-12-17
Degree: Master
Type: Thesis
Country: China
Candidate: M Yang
GTID: 2298330452964132
Subject: Information and Communication Engineering

Abstract/Summary:
Malicious Web pages cause damage and spread by exploiting vulnerabilities in the operating system, the browser and related applications. To avoid detection, malicious code often obfuscates itself to some degree. With the increasing popularity of the Internet, the obfuscation methods used by Web Trojans are becoming increasingly complex and are causing more harm to the Internet, which makes them a focus area in information security.

Malicious Web pages are increasing in number and have developed many obfuscation techniques in recent years. However, current detection methods are found lacking and still fall short on accuracy. This paper first describes the mechanism of high-obfuscation malicious Web pages, including their structure, source and detailed attack process. We then summarize the means of obfuscation, the anti-detection technology (e.g. OS fingerprinting, domain names and anti-honeypot technology), the exploits and the payloads.

Based on this research into the mechanism and features of malicious Web pages, we present a new de-obfuscation method based on the browser hook technique. It obtains the de-obfuscated code without actually running the malicious code on the system. The system then detects shellcode dynamically and detects statistical characteristics and code signatures statically. We therefore put forward a combined static-dynamic detection system for malicious Web pages. The detection system is built on the Linux platform. It adopts VirtualBox as the main virtual machine, with a Sandboxie sandbox running inside it. This double-virtual architecture offers a reliable and environmentally safe solution at low cost.

Experimental results show that this system can detect almost all kinds of high-obfuscated malicious Web pages and that it is more effective, general and accurate than others.
Keywords/Search Tags:malicious Web pages, high-obfuscation, browser hook, dynamic detection, feature matching