Drive-by download attacks are among the most common methods for spreading malware today. These attacks typically exploit memory
corruption vulnerabilities in web browsers and browser plug-ins to execute shellcode, and in consequence, gain control of
a victim’s computer. Compromised machines are then used to carry out various malicious activities, such as joining botnets,
sending spam emails, or participating in distributed denial of service attacks.
To counter drive-by downloads, we propose a technique that relies on x86 instruction emulation to identify JavaScript string
buffers that contain shellcode. Our detection is integrated into the browser, and performed before control is transfered to the shellcode, thus, effectively thwarting the attack. The solution maintains fair performance by
avoiding unnecessary invocations of the emulator, while ensuring that every buffer with potential shellcode is checked. We
have implemented a prototype of our system, and evaluated it over thousands of malicious and legitimate web sites. Our results
demonstrate that the system performs accurate detection with no false positives.
Keywords Drive-by download - malicious script - emulation - shellcode