High speed JavaScript malware sandbox

Rajesh Mony Webroot

  download slides (PDF)

Malware delivery through malicious JavaScript continues to be very evasive and detection rates continue to be low for signature-based systems. This paper describes some of the challenges and techniques used by such a system based on our experiece in building out a production-quality gateway sandbox for JavaScript.

The topics covered are:

  • Parser-level heuristics and transformed parse signatures.
  • Document fingerprinting/matching for variants matching.
  • Methods of reducing parse trees/seeding to eliminate anti-debugging and incomplete scripts.
  • Effective DOM emulation and JS engine run issues to decode scripts.
  • Techniques for late inspection of variables and at point of scope exit.
  • Shellcode analysis tuned to JS embedded shellcodes.


We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.