
Attackers hide malicious code using new method

By Robert Westervelt, News Editor
09 Jan 2007 | SearchSecurity.com


One sign that attackers are growing more sophisticated is a new method of hiding malicious code to evade detection, according to research from San Jose, Calif.-based Finjan Inc.

Called dynamic code obfuscation, the method serves encrypted or obfuscated attack code to victims' computers and is wreaking havoc for antivirus vendors, said Yuval Ben-Itzhak, chief technology officer of Finjan. If two people visit a malicious Web site at the same time, each receives a different encrypted or obfuscated copy of the code, generated on the fly with a different set of function and parameter names. Because a different encryption key changes the bytes that land on each victim's machine, static virus signatures become virtually useless, Ben-Itzhak said.

"Security vendors that post security updates to their customers will need to theoretically create millions of signatures for their customers," Ben-Itzhak said. "This is the kind of real threat to businesses that rely only on alternative-based technologies to secure their business."

With dynamic obfuscation, the key changes on every visit, so each time a surfer loads a malicious site the encrypted result is different, Ben-Itzhak said. The method is already being used to push malicious code out to end-user machines, he said.

Code obfuscation itself is not new. Programmers have used the technique to hide redirect functions on pop-up, ad-driven Web sites so that search engines do not penalize them.

Additionally, security researchers plan to release a utility called VOMM as part of the Metasploit framework for security testing. The utility will automate dynamic code obfuscation, letting attackers break antivirus signatures by inserting extra characters, line breaks and spaces into malicious code, Ben-Itzhak said. With it, virtually anyone can obfuscate code in an automated way, he said.

"Once this is out, there is going to be a lot of headaches for all the signature-based products in how to deal with all this obfuscation," he said.

The use of dynamic code obfuscation escalates what Finjan calls a "cat and mouse" battle with hackers. One way to fight back is behavior-based analysis of the malicious code itself, regardless of where it came from, Ben-Itzhak said.

An analyzer breaks the code into parts and learns its execution path and the call flow between its functions, he said. Malicious code can then be blocked at the perimeter rather than allowed into the network, where only desktop security remains to stop it.

Finjan also predicts that attackers will continue to target Web 2.0 sites in 2007, especially those using Ajax. Ajax (Asynchronous JavaScript and XML) combines JavaScript, dynamic HTML and background HTTP requests to build more interactive Web applications.

"Hackers are starting to use file requests with Ajax with no visual indication that something is happening," Ben-Itzhak said.

In 2006, Finjan found Ajax being used to silently request malicious code without the user's knowledge. Attackers can also use Ajax to fetch content that search engine crawlers never index, keeping it out of the engines' sight.

"Although AJAX is a fantastic and rich web experience, it is also a potential threat," Ben-Itzhak said. "Only real time analysis and making decisions based on the traffic running on the wire will be able to discover and fight this threat."

All Rights Reserved, Copyright 2003 - 2009, TechTarget