One sign that digital miscreants are growing in their level of
sophistication is their method of hiding malicious code to evade
detection, according to new research from San Jose, Calif.-based
Finjan Inc.
Called dynamic code obfuscation, the method is being used by
attackers to place encrypted virus code onto victims' computers,
wreaking havoc for antivirus vendors, said Yuval Ben-Itzhak, chief
technology officer of Finjan. For example, if two people visit a
malicious Web site at the same time, each person will get a
different encrypted or obfuscated code, generated on the fly with a
different set of function and parameter names. The dynamic
obfuscation method makes virus signatures virtually useless since
different encryption keys change the way malicious code will exist
on a victim's machine, Ben-Itzhak said.
"Security vendors that post security updates to their customers
will need to theoretically create millions of signatures for their
customers," Ben-Itzhak said. "This is the kind of real threat to
businesses that relies only on alternative based technologies to
secure their business."
Each time a surfer visits a malicious site, the encryption
result is different using the dynamic obfuscation method because
the key is changed, Ben-Itzhak said. This new method is being used
to push out malicious code to end user machines, he said.
Code obfuscation is not new. Programmers have used the technique
to hide redirect functions in pop-up, ad-driven Websites to avoid
being penalized by search engines.
Additionally, security researchers plan to release a utility
called VOMM, as part of the Metasploit framework for security
testing. The new utility will automate the dynamic code obfuscation
process, allowing hackers to break antivirus signatures by adding
characters, line breaks and spaces to malicious code, Ben-Itzhak
said. The utility allows virtually anyone to obfuscate code in an
automated manner, he said.
"Once this is out, there is going to be a lot of headaches for
all the signature-based products in how to deal with all this
obfuscation," he said.
The use of dynamic code obfuscation is broadening what Finjan
calls a "cat and mouse" battle against the hackers. One way to
fight hackers is through behavior-based security analysis of
malicious code, regardless of its original source, Ben-Itzhak
said.
A researcher can break the code into parts and learn about the
execution path and the functions' call flow, he said. As a result,
malicious code is blocked at the perimeter, rather than allowing it
to enter the network and rely on desktop security.
Finjan also predicts that attackers will continue to target Web
2.0 Web sites, especially those using Ajax in 2007. Ajax combines
several programming tools such as JavaScript and dynamic HTML to
create more interactive Web applications.
"Hackers are starting to use file requests with Ajax with no
visual indication that something is happening," Ben-Itzhak
said.
In 2006, Finjan found that Ajax was being used to silently
request malicious code without a user's knowledge. Hackers can
exploit Ajax to query content on the Web that is not crawled by
search engines.
"Although AJAX is a fantastic and rich web experience, it is also
a potential threat," Ben-Itzhak said. "Only real time analysis and
making decisions based on the traffic running on the wire will be
able to discover and fight this threat."