Last-minute presentation: WebStalker - detection of malicious web pages through monitoring web browser behaviour

Minseong Kim, AhnLab


Most anti-virus programs use signature-based approaches to detect malicious web pages as well as malicious binary files. Unfortunately, signature-based approaches are not as effective when it comes to malicious web pages. The content of a malicious web page is obfuscated or transformed so that it can disguise itself easily and evade detection. This is becoming a challenging problem for most anti-virus vendors.

In this paper, we propose a novel approach called WebStalker to monitor web browser behaviour. Since WebStalker records all the information on a web page while the web browser renders it, WebStalker gives us more information than any other similar tool. We can detect and block malicious web pages more easily, even if the web page is obfuscated.

WebStalker consists of two key techniques. The first is to monitor events such as generating new objects, copying shellcode to memory, opening files and executing files. The second is to assign identifiers to the objects or documents in a web page. We use the identifiers to build a logical structure of the web page. Through this structure, we can identify which objects the web page is composed of. We can also trace back through the logical structure to find the object that fired an event.
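The identifier and trace-back idea described above, as an added sketch that is not WebStalker's code. The record layout, field names, event names and the choice of alert-worthy events are assumptions, and the sample records are constructed.

```python
# Added illustration. Record layout, field names and event names are assumptions,
# not WebStalker's real log format; all sample records below are constructed.
OBJECTS = [  # (object id, parent id, kind, source)
    (1, None, "document", "http://site.example/index.html"),
    (2, 1, "script", "inline"),
    (3, 1, "iframe", "http://ads.example/frame.html"),
    (4, 3, "script", "http://ads.example/a.js"),
    (5, 4, "plugin-object", "created by script 4"),
]
EVENTS = [  # (id of the object that fired the event, event type, detail)
    (2, "new_object", "img"),
    (4, "new_object", "plugin-object"),
    (5, "shellcode_copy", "constructed heap region"),
    (5, "file_open", "constructed-path.tmp"),
    (5, "file_exec", "constructed-path.tmp"),
    (9, "file_exec", "event from an id never registered"),
]
# Assumption: which event types are alert-worthy is a policy choice made here.
ALERT_EVENTS = {"shellcode_copy", "file_exec"}


def build_structure(objects):
    """Index objects by identifier so parent links can be followed."""
    return {oid: {"parent": parent, "kind": kind, "source": source}
            for oid, parent, kind, source in objects}


def trace_back(nodes, oid):
    """Return labels from the top-level document down to the object `oid`."""
    chain, seen = [], set()
    while oid is not None:
        if oid not in nodes or oid in seen:  # unregistered id or parent loop
            chain.append(f"unresolved#{oid}")
            break
        seen.add(oid)
        chain.append(f"{nodes[oid]['kind']}#{oid}")
        oid = nodes[oid]["parent"]
    return chain[::-1]


def attribute_alerts(objects, events, alert_events=ALERT_EVENTS):
    """Pair each alert-worthy event with the object chain that led to it."""
    nodes = build_structure(objects)
    return [(etype, trace_back(nodes, oid))
            for oid, etype, _detail in events if etype in alert_events]


if __name__ == "__main__":
    for etype, chain in attribute_alerts(OBJECTS, EVENTS):
        print(f"{etype}: {' -> '.join(chain)}")
```

Events whose identifier was never registered are kept and marked unresolved rather than dropped, since an event with no known origin is itself worth reviewing.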

Our experiments demonstrate that WebStalker can effectively monitor web browser behaviour and detect malicious web pages.


