Friday, March 19, 2010

Malicious Code Evolution from IE Zero-Day Exploit Code

Via Websense Security Labs Blog -

Internet Explorer zero-day exploits are not new to the world: we have been suffering from them since the beginning of IE. This latest IE zero-day exploit, known as CVE-2010-0806, as usual is no surprise, but we can't help noticing that something behind it has changed. Just a week after the exploit code was exposed to the world we have seen many variants come out. Based on the records from the Websense® Security Labs™ ThreatSeeker™ Network, we are setting out the evolution history of the exploit code.

We know that every security company tries to detect exploits, and malware authors try their best to avoid it. Code evasion is the key point in this endless war, and the following 3 aspects are what hackers like most and are still focused on:

  • Core Code Obfuscation
    Core code is the core of the malicious code, where the main purpose of the attack resides. Typically it is a piece of shellcode which will download and execute remote files after successful exploitation. By obfuscating core code, the real intent of hackers is hidden right in front of your face.
  • Algorithm Code Obfuscation.
    Algorithm code is the helper part to ensure that core code executes. Actually algorithm code is the pick of the basket in the whole exploit code and people will pay large amounts to get it. Normally it is some JavaScript code to set up the exploitable environments. Hackers may encrypt this part to make their code less fingerprinted and hence avoid detection.
  • Code Position Obfuscation.
    When checking for malicious code, people often first try searching the code in script and iframe tags, which is where malicious code usually resides. However, other HTML tags are also a good place to embed bad code. Typically hackers choose P and DIV tags as their first choices; sometimes they change their taste to use INPUT and TEXTAREA tags. Another common way to hide code is code fragmentation, which is putting the malcode in separate files; of course the reason for this is to avoid detection.

Here to hoping they release the 'Gustav' tool to the community ;)

No comments:

Post a Comment