New Anti-Virus Evasion Technique Discovered

Terry Olaes (I Used to be the [H] News Guy). Joined: Nov 27, 2006. Messages: 4,646
A security researcher told eWeek about a new Web attack vector that could evade current anti-virus detection technology, rendering it obsolete. Dubbed ‘Script Fragmentation,’ it basically breaks down current exploits into smaller pieces and delivers them synchronously to the victim’s machine to be reassembled once triggered. Pretty ingenious.

According to Chenette, the entire process—from data being transferred over the network to triggering JavaScript within the DOM—can slip under the radar because no malicious content touches the file system.
 
Anyone have more details on this? Does the browser have to have admin privileges for it to be effective? Is it a cross-platform exploit?

It seems like if it affects you even if you're not logged on as an Admin, then it must affect all systems that have a web browser with JavaScript enabled.
 
This doesn't really change how an existing exploit would work, it's just a method of hiding the exploit code from AV software. It's a very similar concept to fragging packets to avoid poorly coded firewall rules. If the bad code is reassembled after it passes any filtering, it can still deliver whatever load it is carrying.

The JavaScript part of the exploit may work on any system, but the return location and payload are the important parts that need to be customized. Exploits would likely still be coded just to affect Windows boxes, just due to the number of them.
 
This was the crux of a storyline in a few episodes of Ghost in the Shell Stand Alone Complex.
 
This doesn't really change how an existing exploit would work, it's just a method of hiding the exploit code from AV software. It's a very similar concept to fragging packets to avoid poorly coded firewall rules. If the bad code is reassembled after it passes any filtering, it can still deliver whatever load it is carrying.

The JavaScript part of the exploit may work on any system, but the return location and payload are the important parts that need to be customized. Exploits would likely still be coded just to affect Windows boxes, just due to the number of them.


Exactly. This method doesn't make a virus any more. . . dangerous to your system in and of itself; it simply allows the virus to actually get to your system. Just like one of the current methods, which involved changing enough non-essential code and then adding data to a script so that an AV won't detect it. It doesn't make the virus more deadly, it just allows it to go undetected because none of the script matches what the AV has in its database. This newer attack could prove far more effective though. . . The way the attack is implemented, it would be far more difficult to simply add a new "variation" to an AV's database.
 
My best guess is this security researcher is with one of the large anti-virus companies and just wants to ensure PC technicians can maintain their jobs longer thanks to a virus that can bypass all AV software :p
 
My best guess is this security researcher is with one of the large anti-virus companies and just wants to ensure PC technicians can maintain their jobs longer thanks to a virus that can bypass all AV software :p
It's a conspiracy! Antivirus programmers pay programmers to create viruses so that they can make money selling that software. And computer techs get cut because they fix people's computers trying to remove those threats.
 
It's a conspiracy! Antivirus programmers pay programmers to create viruses so that they can make money selling that software. And computer techs get cut because they fix people's computers trying to remove those threats.

Meh, don't forget the script kiddies. . .
 
Meh, I haven't had a virus since Windows 95, and I don't use anti-virus.. but the more virii these guys make the better, it's a significant portion of my income cleaning up after these click-on-anything morons ;)
 
I was about to say, didn't this used to be a popular way to get around firewalls? It seems to me that this should be able to be overcome by porting some of the logic found in firewalls over. I say it is a short time before this is taken out as a methodology. Plus, once this is reassembled (which it has to do at some point I assume), if it is done in the memory the AV should be able to detect it (though then what use is it so maybe it does run in sections).
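The firewall-style fix this post suggests, moving inspection to the point where the pieces are back together, is what a network defender would actually build. The following Python is an added example that is not part of the thread or of any product it mentions: it accumulates script fragments per client session and scans both each fragment alone and the reassembled stream. The rule patterns, session ids and fragments are all constructed for illustration.

```python
"""Session-level reassembly before signature matching (added example)."""
import re
from collections import defaultdict

# Constructed detection rules standing in for a real signature set. They match
# generic obfuscated-loader shapes, not any specific piece of malware.
RULES = {
    "write-unescape-loader": re.compile(r"document\.write\s*\(\s*unescape\s*\("),
    "eval-fromcharcode": re.compile(r"eval\s*\(\s*String\.fromCharCode\s*\("),
}


def scan(text):
    """Return the names of every rule that matches `text`."""
    return [name for name, rule in RULES.items() if rule.search(text)]


class SessionReassembler:
    """Keep a rolling per-session buffer of script bodies and scan the whole.

    Scanning each response on its own is what a per-object AV engine does.
    Scanning the concatenated stream is the analogue of IP fragment
    reassembly in a firewall: a signature split across responses only
    becomes visible once the responses are joined.
    """

    def __init__(self, max_bytes=1_000_000):
        self.buffers = defaultdict(str)
        self.max_bytes = max_bytes  # bound memory so the reassembler is not a DoS target

    def feed(self, session_id, fragment):
        """Ingest one response body for a session; report hits both ways."""
        fragment_hits = scan(fragment)
        joined = self.buffers[session_id] + fragment
        # Keep only the tail of very long sessions; a rule longer than the
        # retained window could be missed, so size the window accordingly.
        self.buffers[session_id] = joined[-self.max_bytes:]
        return {
            "session": session_id,
            "fragment_hits": fragment_hits,
            "stream_hits": scan(self.buffers[session_id]),
        }


def replay(session_id, fragments, reassembler=None):
    """Feed a list of fragments for one session and return the per-step results."""
    reassembler = reassembler or SessionReassembler()
    return [reassembler.feed(session_id, fragment) for fragment in fragments]


# Constructed sample: a harmless string literal whose text only matches the
# first rule once all three pieces are concatenated. No piece matches alone.
SAMPLE_FRAGMENTS = [
    "var chunk = 'document.wri",
    "te(unesca",
    "pe(';",
]


if __name__ == "__main__":
    for step in replay("sess-A", SAMPLE_FRAGMENTS):
        print(step)
```

Run as a script, the per-fragment hit list stays empty for every step while the stream hit list turns up "write-unescape-loader" on the final fragment, which is exactly the gap the post is describing: a scanner that only ever sees individual responses has nothing to match on. Sessions are keyed separately, so fragments from one client never complete a match for another.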
 
"The problem with not allowing scripting is you break the functionality of almost all the top 50 Web sites that require JavaScript to be enabled," Chenette said.

NoScript anyone? Problem solved. And no, I'm not saying everyone should use Firefox+NoScript but browser developers should integrate similar functionality. The first time a site tries to execute some JS or when they first try an XHR the user is asked if they'd like to allow this site to do so with the option to remember their answer for this site (and to never bug them again, for power users or lazy people who don't care, etc.).
 
NoScript anyone? Problem solved. And no, I'm not saying everyone should use Firefox+NoScript but browser developers should integrate similar functionality. The first time a site tries to execute some JS or when they first try an XHR the user is asked if they'd like to allow this site to do so with the option to remember their answer for this site (and to never bug them again, for power users or lazy people who don't care, etc.).

It's a great tool, but I suspect the vast majority of users wouldn't know whether to allow, temporarily allow or refuse any given script.

Many are easy...you let the site you're on execute and all is well, but I often find that I have to let all kinds of scripts run to log into sites that I know are reputable.

Nevertheless, much like using the cookie safe plug-in, once you get it set up, you don't have to mess with it too much.
 
Meh, this sort of virus would just get around the download blockage, but once it assembles itself in your computer, the antivirus software would still try to prevent it from executing anyway. The only difference is the virus wasn't blocked BEFORE reaching your computer.

Just hope you're not using a bloatware virus scanner that runs so sluggishly that the virus has time to work before the antivirus finally does something about it lol
 
It's a great tool, but I suspect the vast majority of users wouldn't know whether to allow, temporarily allow or refuse any given script.

Many are easy...you let the site you're on execute and all is well, but I often find that I have to let all kinds of scripts run to log into sites that I know are reputable.

Nevertheless, much like using the cookie safe plug-in, once you get it set up, you don't have to mess with it too much.

True there are always going to be the ones who allow everything or plain get confused. It should be optional, perhaps the first time it alerts you it could have a prominent "fuck right off and never bug me again" button.

A lot of people would quickly allow sites they frequent and it would be relatively smooth from there, but JS for tracking services or ads is common enough that it can be pretty annoying at times. There's no magic bullet though. At what point do we draw the line and say that users have to have some basic knowledge to use an advanced machine like a computer?
 
True there are always going to be the ones who allow everything or plain get confused. It should be optional, perhaps the first time it alerts you it could have a prominent "fuck right off and never bug me again" button.

A lot of people would quickly allow sites they frequent and it would be relatively smooth from there, but JS for tracking services or ads is common enough that it can be pretty annoying at times. There's no magic bullet though. At what point do we draw the line and say that users have to have some basic knowledge to use an advanced machine like a computer?

It already has that with the permanently allow. My point is simply that the masses won't understand what is safe to allow and what is not, beyond, perhaps, trusting scripts from the site they're actually on. Once it goes beyond that, it can get confusing. I find it especially confusing when sites that I often associate with ads (e.g. atdmt and/or mediaplex, I think) are sometimes required to get things working on a site.

Sure, you could probably allow those sites all the time, but I tend to prefer to keep all ad servers blocked, just in case.

For the average person, they're just not going to understand when they can trust and when they can't.

I agree that users need to be more computer literate, but I don't think that this is basic knowledge. I don't need to know these types of details to drive my car.

This problem needs to be solved by the browser makers and the websites themselves. Unfortunately, many sites don't keep their RSA certs up to date (assuming they ever had a valid one), so the idea of certifying a script from site B to be used on site C seems unlikely.

Again, I understand where you're coming from. I operate exactly how you think everyone should operate....but it's just not realistic. You can't sign up billions of people for basic computer security classes. Training would be costly and it'd require very good courses/instructors to train non-techies.

I can't get my brother to set up his router wires (and he's a smart guy). Training him to use noscript is a most unpleasant idea.
 
I agree that users need to be more computer literate, but I don't think that this is basic knowledge. I don't need to know these types of details to drive my car.

I'm not fond of computer <=> car analogies. However, you did take lessons even if they were informal and from a parent or friend. You learned basic safety of the road: mirror & shoulder checks, seat belts, chains in deep snow & ice, small kids in the back, who has the right of way, and so on. Most of us also learned when to have the oil changed, when to fill it with various liquids it needs to work properly and be safe.

We do not, and should not, need licenses to "drive" computers but having some basic knowledge about a complex machine is not unheard of or even out of the ordinary. The idea that we shouldn't have to know or learn anything about computers to effectively use them is nice but not grounded in reality in any way whatsoever. We simply are not that effective at programming the beasts yet, and I know because I'm a programmer.

Again, I understand where you're coming from. I operate exactly how you think everyone should operate....but it's just not realistic. You can't sign up billions of people for basic computer security classes. Training would be costly and it'd require very good courses/instructors to train non-techies.

You're right, it's impossible to train everyone properly and even then some won't pay attention or remember so it would be futile anyway. Until we can create flawless, secure software we must realize that operating a computer effectively and safely requires some knowledge. So while mandatory training is infeasible we still have to fend in the current situation where software and computers need knowledge to be wielded effectively.

I don't know any solutions, just musing on our predicament.

I can't get my brother to set up his router wires (and he's a smart guy). Training him to use noscript is a most unpleasant idea.

I feel you! There will be smart folks who just don't care enough, know that they shouldn't have to care that much in an ideal world, or simply aren't computer smart. I can't think of any of my friends or family who would be keen to learn NoScript.

However, if this attack method becomes widespread then we will need a stop-gap solution until HTTP and/or browsers are fixed. With the IE team's track record that could be a very long wait too. To me NoScript-type functionality seems like an effective short-term solution, even if it is a bit obtuse.
 
I think if sites would start putting their scripts under their domain, it'd make things easier. I've seen some sites that have scripts that must be executed to see a picture, and those scripts are from sites that I typically associate with advertising.

I trust Dell....I'm not so trusting of atdm (or whatever the site is).

No advertising script should be required. But I also try not to block ads with AdBlock, except for Flash. Sorry [H] but Flash ads are evil little bastards that steal CPU cycles.
 
Google lives on those scripts.

Which is why I block them.

I'm pretty sure I block all Google scripts and cookies.....other than YouTube....but I should probably make those temporary permissions too.
 