GENIE: Guarding the npm Ecosystem with Semantic Malware Detection


Research area: Strategies



Venue: 2024 IEEE Secure Development Conference (SecDev)


Abstract

Package managers and public repositories such as npm streamline the distribution and maintenance of open source code. At the same time, they have become attractive targets for malicious actors to spread malware to many potential victims. In malware campaigns, families of malicious JavaScript packages exhibit common malicious behavior but differ in their names and syntactic details. We propose to thwart malware campaigns by developing semantic specifications to match similar malware with a single behavioral signature. Specifically, we report on our experience in using CodeQL to describe malicious behavior in JavaScript code, which allows us to employ an existing and mature static analysis framework as a robust building block. We describe a methodology and tool set for developing queries for newly reported and previously undetected malware, so that a single report can be used to take down entire families of similar malware. Applying our approach, we were able to discover 125 previously unreported malicious packages, which we reported and had removed from npm, without producing a single false alarm. As a result, we find that the upfront investment of developing semantic signatures in comparison to automatically learning classifiers pays off with the increased reliability of results by saving on manual effort for validation and relabeling.


Authors

Matías F. Gobbi, Bundeswehr University Munich, Germany

Johannes Kinder, LMU Munich, Germany

Paper information

Publication year: 2024
Citations: 106
Country of publication: Germany
Source: IEEE
