Smokey Bear (veritas odium parit) Premium join:2008-03-15 Annie's Pub kudos:4 | Script fragmentation attacks to bypass anti-virus protection. said by eWeek:
Security researcher Stephan Chenette opened up to eWEEK about a new Web attack vector that could potentially render desktop and gateway anti-virus products useless.
Chenette, manager of security research at Websense, calls the attack script fragmentation. Similar to TCP fragmentation attacks, it involves breaking down Web exploits into smaller pieces and distributing them in a synchronous manner to evade anti-malware signature detection.
"What this attack enables you to do is really get exploit code from the server into the browser memory and trigger the exploit," Chenette said. "Once you actually are able to trigger that exploit, you own that machine, so that means you can disable anti-virus, you can disable any protection mechanism after the fact."
The attack works like this: Malware authors write benign client code and embed it in a Web page. The only content contained on the initial page will be a small JavaScript routine utilizing XHR or XDR. This code contains no actual malicious content, and the same type of code is found on all of the major legitimate Web 2.0 sites.
When a user visits the Web page, the JavaScript and the XDR or XHR will slowly request more code from other Web servers a few bytes at a time, thereby only allowing a user's gateway anti-virus engine to analyze a few seemingly innocuous bytes as it tries to determine whether or not the Web site is malicious.
Once received by the client, the bytes are stored in an internal JavaScript variable. The client will request more and more information until all the information has been transferred. Once it has been transferred JavaScript will be used to create a Script element within the DOM (Document Object Model) of the browser and add the information as text to the node. This in turn will cause a change to the DOM and execute the code in the script element.
According to Chenette, the entire process, from data being transferred over the network to triggering JavaScript within the DOM, can slip under the radar because no malicious content touches the file system. It's done completely in memory, and any content that is transferred over the network is done in such tiny fragments that anti-virus engines parsing the information don't have enough context or information to match any signatures.
The attack, which has not been seen in the wild by Websense, works on all the major browsers. Technically, however, it is not a browser vulnerability; it merely takes advantage of the way browsers work. Resume eWeek article. Source/more: »www.eweek.com/c/a/Security/Scrip···tection/ -- Smokey's Security Forums »www.smokey-services.eu/forum/ Smokey's Security Weblog »smokeys.wordpress.com/ ASAP Site Member »asap.maddoktor2.com |
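The article's point is that a gateway scanning each few-byte response in isolation never sees enough context to match a signature. The added example below (not from the eWeek article or Websense) models that from the defender's side: a constructed set of tiny HTTP response bodies, a stand-in signature string, and a comparison of per-response scanning against per-session reassembly plus a fragment-size heuristic.

```python
import re
from collections import defaultdict
from statistics import mean

# Constructed stand-in for an AV signature; a real engine would carry many.
MARKER = "createElement('script')"
SIGNATURES = [re.compile(re.escape(MARKER))]

def chunks(text, size):
    """Split text into consecutive pieces of `size` characters."""
    return [text[i:i + size] for i in range(0, len(text), size)]

# Constructed sample traffic as (session_id, response_body) pairs.
# Session A delivers a 39-character payload four bytes at a time;
# session B is a single ordinary response.
SAMPLE_RESPONSES = (
    [("sess-A", c) for c in chunks("var p=document." + MARKER + ";", 4)]
    + [("sess-B", "hello")]
)

def scan_per_response(responses):
    """Check each response body on its own, as a naive gateway would."""
    return {sid for sid, body in responses
            if any(sig.search(body) for sig in SIGNATURES)}

def scan_reassembled(responses):
    """Concatenate bodies per session first, restoring the lost context."""
    streams = defaultdict(str)
    for sid, body in responses:
        streams[sid] += body
    return {sid for sid, text in streams.items()
            if any(sig.search(text) for sig in SIGNATURES)}

def suspicious_fragmentation(responses, min_count=5, max_mean_size=8):
    """Flag sessions made of many tiny responses, a signature-free heuristic."""
    sizes = defaultdict(list)
    for sid, body in responses:
        sizes[sid].append(len(body))
    return {sid for sid, s in sizes.items()
            if len(s) >= min_count and mean(s) <= max_mean_size}

if __name__ == "__main__":
    print("per-response:", scan_per_response(SAMPLE_RESPONSES))
    print("reassembled: ", scan_reassembled(SAMPLE_RESPONSES))
    print("fragmented:  ", suspicious_fragmentation(SAMPLE_RESPONSES))
```

Per-response scanning returns nothing for the constructed traffic, while both reassembly and the size heuristic single out session A; the heuristic trades false positives on chatty but legitimate Web 2.0 sites for not depending on any signature.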
nwrickert (sand groper) Premium,MVM join:2004-09-04 Geneva, IL kudos:7 | Thanks for posting.
Using Firefox with NoScript as a limited user should give me reasonable protection. -- AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.3 |
SUMware Premium join:2002-05-21 kudos:2 1 edit | reply to Smokey Bear Yep, mighty interesting.
As nwrickert stated, running Firefox with NoScript is good. Disabling DOM & UserData Persistence is a good idea. Running on Linux is even better. In Firefox add user_pref("dom.storage.enabled", false); to user.js and/or set to false in about:config.
All caching on my box goes directly to /tmp (as well as other stuff), which is set up in tmpfs in RAM, nothing to HDD. /tmp is designated as noexec, nosuid and nodev, for spiffy added protection. |
 | reply to Smokey Bear Well yes, that would be one method of obfuscating exploit scripts. But there are already hundreds of ways of obfuscating exploits and the AVs are already hopeless at keeping up with them.
This attack does not render desktop and gateway anti-virus products useless. Because desktop and gateway anti-virus products have been useless for quite some time now. |
JTM1051 Premium,MVM join:2000-07-08 Moorpark, CA kudos:1 | reply to Smokey Bear Would running the browser in Sandboxie provide protection from this type of exploit? |
| reply to Smokey Bear NICE! Thumbs up to the malware writers. I must say that took some nice thought, or rather innovation.
Now I can't wait to see anti-virus companies add another program to the suite of SECURITY SOFTWARE, beefing up the footprint to 3 gigabytes and using 98% of system resources just to scan a text file.... Eventually we will reach a point where a smoother PC experience will come from browsing without security while playing Russian roulette with the links and downloads than from browsing with 393939 security apps running. |
 | reply to Anon
Re: Script fragmentation attacks to bypass anti-virus protection JavaScript is a Turing-complete language. It's mathematically impossible to unwrap all possible forms of obfuscation, short of actually running the code in a JS interpreter. (At which point you may become vulnerable to the exploits themselves or non-halting logic bombs.) |
jdong (Eat A Beaver, Save A Tree.) Premium join:2002-07-09 Rochester, MI kudos:1 | said by bobince: JavaScript is a Turing-complete language. It's mathematically impossible to unwrap all possible forms of obfuscation, short of actually running the code in a JS interpreter. (At which point you may become vulnerable to the exploits themselves or non-halting logic bombs.) This is true, but IIRC Symantec does have a script execution interrupt hook of some sort that blows the whistle whenever a script tries to touch a sensitive API call or something else suspicious looking. It might actually be pretty difficult to work around this. -- Ubuntu MOTU Developer and Forums Council |
| reply to Anon said by zteardrop: I have tried many hundreds of obfuscation attacks using tools we have built in-house... You mean at Symantec or at home? Have any data to back up that statement? |
jdong (Eat A Beaver, Save A Tree.) Premium join:2002-07-09 Rochester, MI kudos:1 1 edit | reply to Smokey Bear Age: 20
MIT, Department of Electrical Engineering and Computer Science
Ubuntu Linux developer, UbuntuForums administrator. Former defense contractor.
Are we done playing this game yet? Tell me when you're ready to get back on topic. -- Ubuntu MOTU Developer and Forums Council |
koma3504 (Advocate) Premium join:2004-06-22 North Richland Hills, TX 1 edit | . |
jdong (Eat A Beaver, Save A Tree.) Premium join:2002-07-09 Rochester, MI kudos:1 | said by koma3504: I bet you're nothing more than a Yahoo script kiddie that hates protection software. You should really update your profile to reflect your real age. All exploits mostly depend on buffer overflow exploits. Umm, no. I'm a computer science major with plenty of experience with information security. Just had a credited CVE last month. All exploits do NOT depend on buffer overflows. I don't know where you're getting your statistics. In fact, with JavaScript, you're mostly worried about cross-site scripting and drive-by downloads anyway. -- Ubuntu MOTU Developer and Forums Council |
koma3504 (Advocate) Premium join:2004-06-22 North Richland Hills, TX 2 edits | . |
jdong (Eat A Beaver, Save A Tree.) Premium join:2002-07-09 Rochester, MI kudos:1 | Where'd you get that number from? |
koma3504 (Advocate) Premium join:2004-06-22 North Richland Hills, TX 1 edit | . |
jdong (Eat A Beaver, Save A Tree.) Premium join:2002-07-09 Rochester, MI kudos:1 | said by koma3504: the avg age of graduation from high school is 18, so add 2 years to that and that makes 20, and you claim to be a science major. Hmm, 2 years' worth of experience. Since when did experience come only from school? I was working on Linux at the beginning of high school... But would you like to go back to your original assertion that a buffer overflow mitigation mechanism helps stop JavaScript attacks? -- Ubuntu MOTU Developer and Forums Council |
koma3504 (Advocate) Premium join:2004-06-22 North Richland Hills, TX | I'll tell you what: go make a Yahoo name and go piss off some hackers and script kiddies, and you will learn more than you ever wanted to know about exploits and attacks, more than you ever will in a lab. That's where they're all made to begin with; it's a testing ground for them. Real-time conversation between other hackers/script kiddies. I warned the ISPs of this many years ago: if they did not get a handle on it, it would only get worse and out of control. Which it has. -- Koma If You Don't Think It's Possible!! It's Actually A Reality!! The best way to predict the future is to invent it. Alan Kay!! Ya Don't Know The Signal Till Ya Ride It!! Voice Breaks, There's Trouble!!!! |