I sat in on a security and privacy lecture recently on the design of a drive-by-download protection system by statically and dynamically analyzing JavaScript code. The system was able to protect against 100% of the drive-by-download attempts, as well as protect against polluted data (adding extra code, just like malware authors use no-ops to bypass antiviruses). So I decided to borrow a concept from malware: crypting. My approach uses a JavaScript obfuscation library running in PHP which takes a malicious JavaScript file, obfuscates it and encrypts it using AES with some information I gather from the client computer and browser. I package the encrypted JavaScript code with a loader. This ensures the malicious code only will run on the destination computer. If it is run on any other computer, the code will not do anything. To test, I wrote a simple drive-by-download script for chrome and a Cross-Site Scripting (XSS) vulnerable site.
The injection:
A short gif of the result:
