Hoffman to demonstrate new hacking techniques

By Dennis Fisher, Executive Editor
31 Jul 2008 | SearchSecurity.com

Analysts planning to take apart a piece of malware to get a look at its inner workings have any number of techniques at their disposal. But these tactics are well-known in the hacker community as well, and they have become less effective over time as attackers have learned to evade them.

At the Black Hat conference next week, Billy Hoffman, a researcher who has done work on application security and JavaScript security, will demonstrate several new techniques that malware authors can use to shield their programs from analysis. The techniques take advantage of some of the special capabilities of JavaScript, a language that has become a favorite of malware authors of late.

"None of the existing sandboxes are sophisticated enough to circumvent these techniques. That's exactly why I want to talk about it publicly," Hoffman said. "If I figured this out, you better believe other people have. The fact that it's not public means they just haven't told anyone."

Hoffman, manager of the Web Security Research Group at HP Software Inc., plans to discuss five new tactics he's developed, most of which enable JavaScript malware to detect whether it's actually running in a full browser, or just an emulated browser inside a sandbox. For example, JavaScript gives authors the ability to define a block of code to act as an error handler. When a sandbox comes across code with syntax or runtime errors, it typically will stop running. A browser, however, will run the code and run the error handler. So, if malware can discover that the environment it's running in can't handle the error, it can identify the environment as not being a full-on browser and simply shut down.

"Some malware could have deliberate syntax errors that force the error handler to run and clean things up," Hoffman said. "If that doesn't run, the malware knows it's in a sandbox."

Another of Hoffman's techniques revolves around the ways in which browsers and sandboxes handle events and timers. The technique is designed to determine whether user events are being run in the correct order. Hoffman said sandboxes tend to run events and timers either too quickly or, at times, out of order, which the JavaScript malware can detect.
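The two sandbox-fidelity properties described above, error handlers still running after a deliberate error and timers firing in the right order at the right time, are also what a sandbox developer needs to verify from the defender's side. The following is an added example, not code from the article or from HP's research group: a self-test to run inside an emulated JavaScript environment and compare against a real browser, where `undefinedFunctionXyz` is an arbitrary undefined name used only to provoke a runtime error.

```javascript
// Added example, not code from the article or from HP: a fidelity self-test for a
// JavaScript analysis sandbox. A real engine must (a) keep running after a runtime
// or syntax error so that error handlers execute, and (b) fire timers in delay
// order and not early. Uses only try/catch and setTimeout, present in browsers and Node.js.

function errorHandlingFidelity() {
  const results = {};

  // (1) A runtime error must reach the handler instead of halting the script.
  let runtimeErrorCaught = false;
  try {
    undefinedFunctionXyz(); // hypothetical undefined name; ReferenceError in any real engine
  } catch (e) {
    runtimeErrorCaught = e instanceof ReferenceError;
  }
  results.runtimeErrorCaught = runtimeErrorCaught;

  // (2) A syntax error in dynamically compiled code must surface as a SyntaxError
  //     object that the script can handle, rather than stopping analysis.
  let syntaxErrorCaught = false;
  try {
    new Function('var = ;'); // deliberately malformed source
  } catch (e) {
    syntaxErrorCaught = e instanceof SyntaxError;
  }
  results.syntaxErrorCaught = syntaxErrorCaught;

  return results;
}

function timerOrderingFidelity() {
  // Resolves with the firing order of two timers and the elapsed wall-clock time.
  // A faithful engine fires the 10 ms timer before the 50 ms one and does not reach
  // the 60 ms timer early; an emulator that runs timers immediately or in
  // registration order fails at least one of these checks.
  return new Promise((resolve) => {
    const order = [];
    const start = Date.now();
    setTimeout(() => order.push('slow'), 50);
    setTimeout(() => order.push('fast'), 10);
    setTimeout(() => {
      const elapsed = Date.now() - start;
      resolve({
        order,
        elapsed,
        ordered: order.join(',') === 'fast,slow',
        delayRespected: elapsed >= 50,
      });
    }, 60);
  });
}
```

Run the same file in the sandbox under test and in a real browser or Node.js; any field that differs between the two runs marks behaviour the emulator does not reproduce.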

JavaScript has come into favor with malware authors recently as they look for new and better ways to get their creations past perimeter defenses and into the hands of unsuspecting users. Some attackers have begun using JavaScript as a kind of wrapper to protect their programs, Hoffman said.

"It's the versatility they like and the vector they can deliver it through. More and more we see people exploited by drive-by downloads," he said. "Still, attackers have to use JavaScript because defenses are good at monitoring straight traffic. This allows them to wrap malware in JavaScript, get it past the defenses, unpack it through the browser and compromise the system without anything knowing it went by.

"You can do really nasty things like keylog, steal history and steal passwords. We see all the iFrame and Google hijacking attacks," Hoffman said. "People are injecting JavaScript into malware to package traditional desktop vulnerabilities. We've seen the mass SQL attacks. It's becoming the vector of choice for an attacker. The next step is how do we analyze that?"

Hoffman said that at least one of the techniques he'll be discussing at Black Hat has been used in the wild. And while he said none of the techniques are a giant technological leap forward, Hoffman said they're all perfectly capable of defeating the current state of the art in sandboxing and analysis.

"These were really just the next logical step forward," Hoffman said. "But they can get around pretty much every sandbox that exists."
