The Finjan Malicious Code Research Center (MCRC) has set itself something of a Herculean task with a goal of staying not just one, but many steps ahead of those hackers who would exploit open platforms and technologies to develop spyware, Trojans, phishing attacks, worm and viruses. But, working alongside some of the world’s best known software vendors, MCRC aid in the patching of their security holes as well as helping with the development of next generation defense tools for Finjan’s proactive secure content management solutions. On top of all of that, it seems to also find time to distill the data that passes through the no doubt thick steel walls of the secret control center (or more likely an open plan office at the Finjan San Jose HQ) into a quarterly report highlighting web security trends. The latest of which has just been published.
Unsurprisingly this reveals that a key trend as we enter 2007 is the use of code obfuscation to hide malware, bypassing traditional signature based security solutions. Indeed, hackers have now developed dynamic code obfuscation techniques which enable them to generate different and unique sets of function and parameter names for every visitor to the hosting website. While stealth and polymorphic viruses can be traced way back into the 1990’s, proving that obfuscation is certainly nothing new, it is equally certain that the injection of a large dose of perverse criminal professionalism into the malware development business has led to vastly improved techniques today.
The dynamic code obfuscation process is a great example, as it means that use of the js/wonka signature by AV vendors to detect static pages holding an obfuscated script becomes redundant, it just won’t work. Indeed, in order to detect and block such a piece of code in this dynamic malware scenario would, in theory, require millions of such signatures – for every exploit. Adding to the problems is the Metasploit project, and VOMM in particular, which makes any exploit undetectable using techniques including white space randomization, string obfuscation and encoding. Finjan report that VOMM will convert any detectable exploit written in JavaScript and automatically create an undetectable version. It is an advanced malware cloaking kit for the script kiddies generation, and something we should all be very worried about indeed.
Such kits are also identified by MCRC as being particular widespread, with a version of the Web Attacker Toolkit being released in September which is completely obfuscated rather than being written in plain code as before.
None of which should come as a shock to anyone who has their eye on the IT security ball, because the world of malware has for a long time been morphing into a global crimeware empire. Malicious code has become commercialized, with a very real market governed by forces of demand and supply identified by the MCRC report. “Vulnerabilities are being traded in online auctions, commercialized products such as toolkits are being developed to serve this market” it states, continuing “the Web Attacker Toolkit was found on a Russian website and cost a remarkably low $300.”
“Dynamic code obfuscation techniques are the latest salvo from hackers in the ongoing battle of wits between security vendors and their hacker opponents,” said Yuval Ben-Itzhak, Finjan’s Chief Technology Officer. “Over the years, each time a new type of attack appears in the wild, security companies scramble to create a solution. Then, as soon as the hackers become familiar with the newest defense, they devise a new method to circumvent it. Currently, hackers have begun to take advantage of new web technologies to create complex and blended attacks. With their creation of dynamic obfuscation utilities, which enable virtually anyone to obfuscate code in an automated manner, they have dramatically escalated the threat to web security.”
