Abstract

In recent years, the drive-by malware space has undergone significant consolidation. Today, the most common source of drive-by downloads is the so-called exploit kit. Exploit kits signify a drastic consolidation of the process of malware creation and delivery. This paper presents Kizzle, the first prevention technique specifically designed for finding exploit kits.

Our analysis of exploit kits shows that while the actual JavaScript delivered by kits varies greatly, the code observed after it is sufficiently unpacked and deobfuscated varies much less. The approach taken by Kizzle is based on our observation that, while exploit kits change the malware they deliver frequently, kit authors generally \emph{reuse} much of their code from version to version. Ironically, this well-regarded software engineering practice allows us to build a scalable and precise detector that is able to quickly respond to superficial but frequent changes in exploit kits.
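To make the observation above concrete, the following added example (not code from the paper or from Kizzle itself) compares two constructed, benign JavaScript snippets that share the same logic but differ cosmetically: renamed identifiers and a string literal split into more pieces. It measures token-shingle Jaccard similarity on the raw token stream and again after a simple normalization (identifiers to \texttt{ID}, literals to \texttt{STR}/\texttt{NUM}, adjacent \texttt{STR + STR} collapsed). The tokenizer, the keyword list and the normalization rules are this example's own assumptions, not Kizzle's algorithm; the point is only that surface variation that defeats a raw signature disappears once the code is normalized, which is what makes signatures over unpacked code stable.

```python
import re

# Constructed samples (not from any real exploit kit): identical logic,
# differing only in identifier names and how the string literal is split.
SAMPLE_A = 'var payload = "abc" + "def"; function run(x) { return fetch(x); } run(payload);'
SAMPLE_B = 'var q1 = "ab" + "cd" + "ef"; function zz(y) { return fetch(y); } zz(q1);'
# A third constructed sample with genuinely different logic, to show that
# normalization does not make unrelated code look identical.
SAMPLE_C = 'for (var i = 0; i < 3; i++) { fetch(i); }'

# Assumed keyword list: these tokens keep their identity during normalization.
KEYWORDS = {"var", "let", "const", "function", "return", "if", "else",
            "for", "while", "new", "typeof"}

TOKEN_RE = re.compile(r'"[^"]*"|\'[^\']*\'|[A-Za-z_$][\w$]*|\d+|\S')


def tokenize(src):
    """Split JavaScript source into strings, identifiers, numbers and punctuation."""
    return TOKEN_RE.findall(src)


def normalize(tokens):
    """Map identifiers to ID, string literals to STR, numbers to NUM, and
    fold 'STR + STR' chains (string-splitting obfuscation) into one STR."""
    out = []
    for t in tokens:
        if t[0] in "\"'":
            out.append("STR")
        elif t.isdigit():
            out.append("NUM")
        elif re.match(r'[A-Za-z_$]', t) and t not in KEYWORDS:
            out.append("ID")
        else:
            out.append(t)
    changed = True
    while changed:
        changed = False
        for i in range(len(out) - 2):
            if out[i] == "STR" and out[i + 1] == "+" and out[i + 2] == "STR":
                del out[i + 1:i + 3]
                changed = True
                break
    return out


def shingles(tokens, k=3):
    """Set of k-token windows; order-sensitive but position-insensitive."""
    return {tuple(tokens[i:i + k]) for i in range(len(tokens) - k + 1)}


def jaccard(a, b):
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def compare(src_a, src_b, k=3):
    """Return (raw_similarity, normalized_similarity) for two sources."""
    ta, tb = tokenize(src_a), tokenize(src_b)
    raw = jaccard(shingles(ta, k), shingles(tb, k))
    norm = jaccard(shingles(normalize(ta), k), shingles(normalize(tb), k))
    return raw, norm


if __name__ == "__main__":
    raw, norm = compare(SAMPLE_A, SAMPLE_B)
    print(f"A vs B  raw={raw:.3f}  normalized={norm:.3f}")
    raw_c, norm_c = compare(SAMPLE_A, SAMPLE_C)
    print(f"A vs C  raw={raw_c:.3f}  normalized={norm_c:.3f}")
```

For the constructed pair A and B the raw similarity is low (only the shared \texttt{return fetch(} region matches) while the normalized similarity is exactly 1.0; against the unrelated sample C the normalized similarity stays well below 0.5, so the normalization removes cosmetic variation without collapsing everything into one cluster.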

Kizzle is able to generate anti-virus signatures for detecting exploit kits. These signatures compare favorably to those created by hand by security analysts. Yet Kizzle is highly responsive in that it is able to automatically generate new signatures within hours. Our experiments show that Kizzle produces high-accuracy signatures using a scalable cloud-based analysis. When evaluated over a four-week period, false positive rates for Kizzle are under 0.03\%, while the false negative rates are under 5\%. Both of these numbers compare favorably with the performance of commercial AV engines that use hand-written signatures.