Attackers hide malicious code using new method

Attackers have designed a new way to thwart virus signatures from antivirus vendors, says a new report.

One sign that digital miscreants are growing in their level of sophistication is their method of hiding malicious code to evade detection, according to new research from San Jose, Calif.-based Finjan Inc.

Security vendors that post security updates to their customers will need to theoretically create millions of signatures for their customers.
Yuval Ben-Itzhak,
chief technology officerFinjan Inc.

Called dynamic code obfuscation, the method is being used by attackers to place encrypted virus code onto victims' computers, wreaking havoc for antivirus vendors, said Yuval Ben-Itzhak, chief technology officer of Finjan. For example, if two people visit a malicious Web site at the same time, each person will get a different encrypted or obfuscated code, generated on the fly with a different set of function and parameter names. The dynamic obfuscation method makes virus signatures virtually useless since different encryption keys change the way malicious code will exist on a victim's machine, Ben-Itzhak said.

"Security vendors that post security updates to their customers will need to theoretically create millions of signatures for their customers," Ben-Itzhak said. "This is the kind of real threat to businesses that relies only on alternative based technologies to secure their business."

Each time a surfer visits a malicious site, the encryption result is different using the dynamic obfuscation method because the key is changed, Ben-Itzhak said. This new method is being used to push out malicious code to end user machines, he said.

Code obfuscation is not new. Programmers have used the technique to hide redirect functions in pop-up, ad-driven Websites to avoid being penalized by search engines.

Additionally, security researchers plan to release a utility called VOMM, as part of the Metasploit framework for security testing. The new utility will automate the dynamic code obfuscation process, allowing hackers to break antivirus signatures by adding characters, line breaks and spaces to malicious code, Ben-Itzhak said. The utility allows virtually anyone to obfuscate code in an automated manner, he said.

Code obfuscation:
Leave no trace: Understanding attackers' motives

Digital deception: Raising the stakes on hackers

Approaches for combating malicious code

Improving employee awareness to fight malicious code

Six steps to securing your Web server

Guarding a network from malicious code

"Once this is out, there is going to be a lot of headaches for all the signature-based products in how to deal withal this obfuscation," he said.

The use of dynamic code obfuscation is broadening what Finjan calls a "cat and mouse" battle against the hackers. One way to fight hackers is through behavior-based security analysis of malicious code, regardless of its original source, Ben-Itzhak said.

A researcher can break the code into parts and learn about the execution path and the functions' call flow, he said. As a result, malicious code is blocked at the perimeter, rather than allowing it to enter the network and rely on desktop security.

Finjan also predicts that attackers will continue to target Web 2.0 Web sites, especially those using Ajax in 2007. Ajax combines several programming tools such as JavaScript and dynamic HTML to create more interactive Web applications.

"Hackers are starting to use file requests with Ajax with no visual indication that something is happening," Ben-Itzhak said.

In 2006, Finjan found that Ajax was being used to silently request malicious code without a user's knowledge. Hackers can exploit Ajax to query content on the Web that is not crawled by search engines.

"Although AJAX is fantastic and rich web experience, it is also a potential threat," Ben-Itzhak said. "Only real time analysis and making decisions based on the traffic running on the wire will be able to discover and fight this threat."

Dig deeper on Emerging Information Security Threats

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close