Called dynamic code obfuscation, the method is being used by attackers to place encrypted virus code onto victims' computers, wreaking havoc for antivirus vendors, said Yuval Ben-Itzhak, chief technology officer of Finjan. For example, if two people visit a malicious Web site at the same time, each person will get a different encrypted or obfuscated code, generated on the fly with a different set of function and parameter names. The dynamic obfuscation method makes virus signatures virtually useless since different encryption keys change the way malicious code will exist on a victim's machine, Ben-Itzhak said.
"Security vendors that post security updates to their customers will need to theoretically create millions of signatures for their customers," Ben-Itzhak said. "This is the kind of real threat to businesses that relies only on alternative based technologies to secure their business."
Each time a surfer visits a malicious site, the encryption result is different using the dynamic obfuscation method because the key is changed, Ben-Itzhak said. This new method is being used to push out malicious code to end user machines, he said.
Code obfuscation is not new. Programmers have used the technique to hide redirect functions in pop-up, ad-driven Websites to avoid being penalized by search engines.
Additionally, security researchers plan to release a utility called VOMM, as part of the Metasploit framework for security testing. The new utility will automate the dynamic code obfuscation process, allowing hackers to break antivirus signatures by adding characters, line breaks and spaces to malicious code, Ben-Itzhak said. The utility allows virtually anyone to obfuscate code in an automated manner, he said.
"Once this is out, there is going to be a lot of headaches for all the signature-based products in how to deal withal this obfuscation," he said.
The use of dynamic code obfuscation is broadening what Finjan calls a "cat and mouse" battle against the hackers. One way to fight hackers is through behavior-based security analysis of malicious code, regardless of its original source, Ben-Itzhak said.
A researcher can break the code into parts and learn about the execution path and the functions' call flow, he said. As a result, malicious code is blocked at the perimeter, rather than allowing it to enter the network and rely on desktop security.
"Hackers are starting to use file requests with Ajax with no visual indication that something is happening," Ben-Itzhak said.
In 2006, Finjan found that Ajax was being used to silently request malicious code without a user's knowledge. Hackers can exploit Ajax to query content on the Web that is not crawled by search engines.
"Although AJAX is fantastic and rich web experience, it is also a potential threat," Ben-Itzhak said. "Only real time analysis and making decisions based on the traffic running on the wire will be able to discover and fight this threat."