
Automated Tracking And Analysis System Of Intelligent Malicious Web Pages

Posted on: 2016-02-22
Degree: Master
Type: Thesis
Country: China
Candidate: J Q Xiang
Full Text: PDF
GTID: 2308330476453454
Subject: Computer Science and Technology
Abstract/Summary:
Drive-by-download attacks have become a popular way to distribute malicious code in recent years, and they seriously threaten Internet users and enterprises. A new type of drive-by-download attack, known as intelligent malicious web pages, brings new challenges to information security research, which makes the analysis of intelligent malicious web pages an important topic.

Against this background, this paper first introduces the concept of intelligent malicious web pages. Building on this concept, it introduces the concepts and techniques of the Web Exploit Kit and the watering-hole attack, both of which use intelligent malicious web pages widely. It then describes the anti-detection and anti-analysis techniques of intelligent malicious web pages, which can be divided into three categories: obfuscation techniques, client detection techniques and dynamic distribution techniques. Next, it introduces the concept, definition and characteristics of the abstract syntax tree, which plays an important role in deobfuscation. It also introduces the low-interaction client-side honeypot Thug and describes its architecture, functionality and characteristics. Using Thug to emulate the client makes tracking and analysis of intelligent malicious web pages possible.

Based on this research into intelligent malicious web pages, this paper presents in detail and builds a prototype of the automated tracking and analysis system, which is based on Thug and uses abstract syntax trees for deobfuscation. A validation experiment for the prototype system is designed and performed. The results show that the prototype system works well, has good stability, and can provide adequate help for analyzing intelligent malicious web pages.
Keywords/Search Tags:drive-by-download attack, intelligent malicious web pages, deobfuscation, client-side honeypot, abstract syntax tree