The creators of Wepawet bring you a tool for the analysis of malicious web pages and PDF files.

llweb

Malicious web pages and PDF files have become the primary instrument cyber criminals use to perform attacks on the Internet. A common and insidious form of such attacks is the drive-by download. In a drive-by download, a victim is lured to a malicious web page. The page contains code, typically written in JavaScript, that exploits vulnerabilities in the user's browser or in the browser's plugins (such as the Adobe PDF viewer). If successful, the exploit downloads malware onto the victim's machine, which then typically joins a botnet.

To defend against client-side attacks and drive-by exploits, it is imperative to quickly and accurately identify web pages and PDF files that contain malicious scripts. llweb is an analysis tool that does just that. As input, one simply provides a URL or a web page. First, llweb visits this URL (or page) with a customized browser and records all the JavaScript activity and the interactions of the page with the browser. Using our proprietary analysis technology, llweb then checks whether these interactions are normal or anomalous. Anomalous activity is suspicious and an indication of a malicious page. Finally, based on a collection of features, llweb returns a verdict that classifies a page as malicious or benign. A similar technique is used to analyze PDF files, so that attacks involving this type of document can also be detected.

In addition to the classification result, llweb provides a plethora of information that allows a human analyst to determine the reasons why a page or PDF file is marked as bad. This includes the de-obfuscated version of malicious scripts, as well as links to malware binaries that an exploit might try to download. Because llweb does not use signatures, it can also handle zero-day exploits (such as the Aurora exploit against IE, which was correctly detected by Wepawet). The comprehensive list of features allows us to detect many different exploits, both against plug-ins and the browser, with minimal false positives. If you already know and like Wepawet, then llweb will be familiar to you. llweb was developed by the creators of Wepawet.

Features

  • Analyzes web pages, PDF files and JavaScript for the presence of malicious code
  • Advanced anomaly detection for zero-day exploit discovery
  • Accurate detection with almost no false positives
  • Use of dynamic analysis to easily handle even heavily-obfuscated scripts
  • Rich and detailed results to support further analysis
  • Scalable analysis through parallel processing by multiple worker nodes
  • Supports automated and batch analysis
  • Comfortable configuration via web interface

Get it!

llweb is available for licensing. If you are interested in pricing information, please contact us at sales@tllod.com.