|
|
|
Script Fragmentation Attack Could Allow Hackers to Dodge Anti-virus Detection
By: Brian Prince
2008-11-21
Article Rating:  / 15
There are 9 user comments on this Network Security & Hardware story.
Stephan Chenette of Websense describes a new Internet attack vector that could allow hackers to bypass anti-virus protection at both the gateway and the desktop. The technique, called script fragmentation, involves breaking down malware into smaller pieces in order to beat malware analysis engines. Web 2.0 requires new ways of thinking about browser security.Security researcher Stephan Chenette opened up to eWEEK about a new Web
attack vector that could potentially render desktop and gateway anti-virus
products useless.
Chenette, manager of security research at Websense, calls the attack script
fragmentation. Similar to TCP fragmentation
attacks, it involves breaking down Web exploits into smaller pieces and
distributing them in a synchronous manner to evade anti-malware signature
detection.
"What this attack enables you to do is really get exploit code from the
server into the browser memory and trigger the exploit," Chenette said. "Once
you actually are able to trigger that exploit, you own that machine, so that
means you can disable anti-virus, you can disable any protection mechanism
after the fact."
How will botnets change tactics to stay active? Click here to read more.
The attack works like this: Malware authors write benign client code and
embed it in a Web page. The only content contained on the initial page will be
a small JavaScript routine utilizing XHR or XDR. This code contains no
actual malicious content, and the same type of code is found on all
of the major legitimate Web 2.0 sites.
When a user visits the Web page, the JavaScript and the XDR or XHR will
slowly request more code from other Web servers a few bytes at a time, thereby
only allowing a user's gateway anti-virus engine to analyze a few seemingly
innocuous bytes as it tries to determine whether or not the Web site is
malicious.
Once received by the client, the bytes are stored in an internal JavaScript
variable. The client will request more and more information until all the
information has been transferred. Once it has been transferred JavaScript will
be used to create a Script element within the DOM
(Document Object Model) of the browser and add the information as text to the
node. This in turn will cause a change to the DOM
and execute the code in the script element.
According to Chenette, the entire processfrom data being transferred over
the network to triggering JavaScript within the DOMcan
slip under the radar because no malicious content touches the file system. It's
done completely in memory, and any content that is transferred over the network
is done in such tiny fragments that anti-virus engines parsing the information
don't have enough context or information to match any signatures.
The attack, which has not been seen in the wild by Websense, works on all
the major browsers. Technically, however, it is not a browser vulnerabilityit
merely takes advantage of the way browsers work.
Given that much of Web-based malware is distributed through compromised
sites as opposed to rogue sites created by attackers, the method poses a
significant threat in today's non-static, Web 2.0 environment, Chenette said.
While disabling JavaScript, for example, would prevent the attack, that's not a
realistic answer for most Web users.
"The problem with not allowing scripting is you
break the functionality of almost all the top 50 Web sites that require
JavaScript to be enabled," Chenette said. "One of the things that security
vendors have to do is start understanding that we live now in a Web 2.0 world,
not a Web 1.0 world, where active content is something we need to deal with
everyday. That is the content that needs to be scanned it is very important
not only to look at the static content that has been put on disk but be able to
detect changes inside of the browser."
| | Reader Comments: Script Fragmentation Attack Could Allow Hackers to Dodge Anti-Virus Detection | | >>> Post your comment now!
| | Protect and clean your PC.When searching for an antispyware scanner that will protect and clean your PC it can get a little confusing. There are so many available its hard to... Posted At: 04-29-09
By: Shantel | | | | | | Google safe browsingI wonder if this could be a way to bypass the pre-processing phase of the google safe browsing system ?
Here is the technical document provided by... Posted At: 11-23-08
By: Anonymous | | | | | | | | | | | | A user comment on this articleCommodo has a nice program for this type of attack.
Comodo Memory Firewall
Constantly monitors the memory space and activity of your installed... Posted At: 11-23-08
By: Koma3504 | | | | | | Re:NoScript is definitely an answer. But what happens when a site you trust is compromised and you have it enabled? Posted At: 11-23-08
By: Brian Prince, eWEEK | | | | | | NoScript is the AnswerWe keep hearing, about almost every single web-related security threat, that disabling JavaScript is an effective but impractical protection, thus... Posted At: 11-23-08
By: Giorgio Maone | | | | | | Re:Hi. The method was introduced earlier this month at the PacSec security conference in Tokyo. At this time, I don't know of any real protection... Posted At: 11-22-08
By: Brian Prince, eWEEK | | | | | | >>> Post your comment now! | | | | | |
|
 |
|
|
�������xr80�VӮc�]mT![rYӶT婎PP$$M�8NK3n&�t$_ϖ˖�0Ld&�D��?{{~$rȥklJ'{>D{{?.�P`S�o92p=z#�m��)>M3ȩ�����Gl&J~x'AT�{��#�x5��5Κ�}ٚ#7Gp2 X�-$0�kzZC'A�jZ�6�(CJ��ex,Z�wzD~V�hGe�Ma�oA
�w"�Ntod9�Q��)*X^P~��D;ǎq��{a�_��;�U'iS[��w@Sա*v�25v+!6^�;�r9ȹ�׳�z$aRvGn(Gd`jI:@*"4����6S!p�55\`p�)jPX6tG,> H>!P;u�IV@��daS��/*! lpa+j)yp
Olˇ�;)O�E[�Uֶg5�]�q7ܙc�g��tZENX*�o�~�cn�1Lj�X�E��rؗ#Yͼ`F3l˸;4
XSKC(DžJ|��╇o[©̝
wΨn{UMSU:G��lݹ��жD^v�Cq>t;g=rԺx'�근��;Aڼ�7@o&3�`J�LTRBxd"���Pc@GG,/BK.oVs7-ÂhZAAv��Ina�Գ|�3�+i3*,'I)?[ZWM"MuYf0Zh�C�A+tW?C{ˠjq{ּ}m_5;]rֹ!֧iٝyN�4p'3
Z_Zr�`Kk']ljMXCy�C�0-ߕҡ#3>_8?\OIN©,7{M��0omYn]H.)ލT|Y|ěy30si���2)�߆I&@w[��@k+U���ykQ
4�+@_x0N�D=kSf�M�r,e��g{0@�M)��61p9k
�3!RBʼ��ĿI�K
_VPJB�-)\Dh+�ԌTwIQ��Q#�=^f/\��RRG��2�Al8{ØWҽTwsQ��iغ�\08O>]7+De.,
s5-wnz�aZTp�x3�7&^w�tv��Z0*>cq4Y`A�-. :oo:jal:�7Rq�^T�U���G&-d`q86ayʔI�?}|?�&}���aO>� 5٤6�'4�}t>�$>hƋC�r[n-�r�Ӈ{�u4@����ݣn]=&tfiXŞ�+LPZi`�I��E�6]�LR}>t�q�HhS0<�zw0[[�衟�#j{t
t�,/��{@`\@�8)Hp�yY?����g>�o ��ߣ5�#z[-[�X6x�G͙A }R�P|'sZ(�w^`��z"�"D%� T
h��4�A'�E�ENNAw�w$]I+TbD8�JnO�u$]#J"ڹLX*QY,p[/ �͙JRd0U Q="`&�Qea*0pRx5Vn/Zb٦By^�I${.\Y��U�!=j�3K6ŝ|ˁ)�3#O�̠�Gx�}lj7˄���8ǷC˰`�x�h�yAu!c�@3~�~6ۇ�-|��Ц�5>�BB11
�=w :�'��_
�.ç;N/=�\҃1 4f�כ�'�d5�0�K%gYA�3�'|(@]4>+WUPÃ"`"+42[�m�̞�w(Vf;NrB@S*,�H@fmd{�Oq)��f�$� ,4�tOݡ~�P;�24$֒f�{ց$l�J�Ұ.�Z*����![r5}a6�F]��RZRKHDl�Pc/X�+e�zdy�M2�&IoZ],-*g5eGjH�7k8&ME8`
;�fk���xF3�F�ԡeSPݷ: �R�Dw~3�KJAUcϓ�as@M$ kn�V2�&GmܡkC6euE��s�Ʊ4St%ri9�h���&
gրziDe�,Za'�
#�ؚðyN~SmF3�;�䆻��!`P#f:q�V*w[O�;$!WTͶwAQ xH1�kM8v�هE1G{E;�
��:�7�a/�)epIl�_��\�À�>�B�
SL@ΧrE\
�~1��~1UŠP=I
]�gw`u0$߰��VT!rB�3�]?w�2_!�挮~��t!VB�L�qQT*8+
:?CUQ@HSj�}w8�8>x�}ˬ5?�g>k�{]w+\s~g^l^��cv"O`��V$O-p2HU>X�}`/�cҧ8@�zU0�UESUG�+;+]>�F����]h���!.��~1�X@�P A6+8SӞ-jXX�RO�-x[zGc�M!��,rm?QeW᧘TVQqiϹ�u2|[\[S
Q�|7Z0dƏQ�abX[�T��}gfW�c7g)h�"QkF:�Fd@�t=Έ+6RКj*4kqvϷ�
h#�քX[ў#WX�
tV ЛiQdSEt�jC<ϤMpR|=��N�^7M=/"JL7Ϧ�<�sƃ~�w"�Y@*V_MϺ��!p<7L�M}G�TQW5@�dLfaNg1µ� ek&�w530Uf�fyr;W�KU05u
2
\�z�Otn6@d�C-s�C�dK&�SsK��]7�a Za51r�Y�i&!lئOl�Do&�1E˯�n:�RO50�osV�(; J@��#䆷$bw}\ɾ3z^^7�醿ð
]za��孀�tzΥsٸо�_>\tn!crѾjI^zk � E�KBV�<�Mx6i)q�ڎ7�M
,#L=\=ֈd�S㥑a�+"A�Kٺ̂!�Qל$�"j�\N3dn,ʆq�јW!9�²V�XȬE`&|S7$��T0�r,�`�$X�)��XAU:^_4>G:KE�9P���^S�(+RJ)"4FYO |F�ϚM3��_f|�Rt8|UrwۿHעo1Mr!}J_cNf4��~ ɮP=8Y,rh%縵vRt.��0?x�Ծhw����z?&i^�3_�����"TS�8-ӤN)fT��Seo�y�0;p�8쀒N1�{TlOء
F]�nĖG�9^)ŔN yr4
GAGJ脊fye5))eH5NR�MLC]�OC/�$$�;�kB:z{ �gaM�.m2�j/?6D20�O&8v�\f0G`�q�k6.@P� V��_�|oIM2G�z1�7n q;�f='s9��X16q=w�v`ϓ{~�\[܍S2G4a�ϝ*h55fX%��gNtA�?!W�i\Z7qw�j`~%XDRo�BGH|5|ÿ|§G�� �r{k�קO�ƭto/zMY�FЧ
okI}i^w�7-U�Z�xB�J}~l/t2�D(jySa[{�Ȫ̅Sۋ�G#S~`q8-<��c�tHߴ.lځ;�-�3(��m3{F�2{K7Kx=*~�O�O4��]f+wB%-JKz%nQ�h�r;D҂%E(qQ�#{�"F%�t`��o�14��l*z3=}r9[fvÏ5$i
��NZ6;x2oor:߇L?G OF�x�f79; 9��6@��Id3p�l|n�wkJljl�� 4�Qbh-rj9٦h��r["�a'�ZYOC,'�?/!IVܱ�S,*ߞ�1;o+N{kE�|;̔-u�\ kM_U_s
w1� |kM%�%&p$~��M{fr+��(?8��ܻ'VD�e�[b[0| ttb9J{~|ːu9JgM9nL���j}x/K/j-�9�ߵ
>#^' �o>B+�x9�2;.ֻшb;9z'Cq�$ea0X,
R�c.?F9ҷqT9k��-DE�tu�teP
�b�# mC�w[1�䌶`8Mymi겎$F9p$cx;
̊أw�ZL=suUndAň~�wti
wR�JY,lKɒ+v>oW�HJCym�"5[PC"�p�EjA-f/iM6F6.&�"�YDN(OL�;�2;wX*i@65�x<>�̳' >���0q~℉�CDDC���UQ4,6o{�� HmFL}�%$v'��~[�ZӝZEQ6Nbo'
[�mCEŴ�R0%�r^Ҋ7XSv<~J/�6?`b�x�u$~]*jX\g�A��,,�'"�˿_HbyR")"��q�VՖ>_�Y_$&�e|��nTR�mzs0T$q�WHa}d6BxX`�(@I��G|+R�~[L��y
�Ox Vޖ
O7�(`<#ݍm�k� �0Da)u}"|c�N�f�|ޕ}TI�8Dz8� �Sݖ7ؤ/O�\/"0u84&x1sh�3=� ןN�VIL0SP�^��*¨zqMwwwwWJ�xDc}Qj}6}h��)u;
2l$ ՇԞ�D0y\:CϢ,|1n]na�mi1spl75�GBplR
Cxg;�Q#}eP+m}�O~uK~{1�k+Ҟ�K/22-#<��v`A@G3X��Jxag!3`^߲Pxq[W�Qd-���s�#NX [.-p��}8"$|ד�+z��(���=n9WgiZ;0+5�n͘.�.^��ǯ3["?±U-�܀e).uˎ}�|I#^ - ߈om�Yy�=W7�%4�C2ĚDa+I�錃qlrI�X��'L4s+x&
(0D7{ RTrpDT�+פ��|:͂Ϡ 8eQ?k~~i//m~aXG}��i˼
�~
^N�ړ-iİO:Z^4bd=�-T�?^<@�&�!�<0&kb�\]�^h=T60�8�7�~��k�ʁV=P�,�A�Y+
Z?�EG-�:\gȟ�DŢW\�gz@R(kj��
''��>d7e �t���9P^ TmSO^t
g��D
�`�%�0mg�cW�F�%5z�J�0�y~CX�^qEN>0&Z~6�CuX]QS[�b��Z�gT�[+W#r�d! `,%7��vy `8(ĒI
�t$h#8iLʃz�^B=c�sj4�1�!�^x�r>&ƘKjxVQ�Ւ|��Rӊ,w)]�dDo=0�:էBZcċV��Wes[��ɣS#DDWta�HU)
&
0Z`wnh1� 3r�3#66j=!v 1MZk]�s3Oi<1E�7�Zzڝ�;��BfnVu&�[wVD܀�c�mQ�NamDXJӑ&>�Dz��A�Э%^��3B{s�^�?�bu{ι0�yaeY
ƋxfVؖTm}qV.�NS�)q:�ɹ莥����e���;4��?�~m�z�9`V>1�miaBnΒ�L��m571儔��JzN[;áeŧOӘPD4�ǘ�x�a*1aV
eզٝ$7�xg�Ff�ٿ[!VU�'ru�Y�
>_E�_�dq�mm�@+> /f&=&`�Cq
��r�t�F7�\9P[��8'�6/�|�T�1/b-3-ᰐ#�^>xI��1K= o~{@mr
8�q,��-D||z['AU}�H?Km1.�+62s��jD�l��/�uToݶZ"?4�u۽hz.zxX�2`1swB&8 x�wMtq+,И��3�f>^SNc� 'l�I<�R+�/��-� [zqe]�adաu/ـ
O>)B|1[GB(W��9Ĝ#M>�QQkzsU��1"W�'p�`�\pr@K$K*2&�B�s�8���or~�vtV�n�O�KZ�&9a� k(E�$�0}(�-Ō��CZQJФ*�!dW`ǪZJWtG^ߧx5/nկX��z+i+����j9Iˑ!;�^i`��u0 }a3bru?<�sC�"ݏ'ӛuݹ"'-¶V-�r5�utO;ןWU/W?<1(kyl2/*�˙ΒQ�9j\28�ѦΈksYx�9%�E�*w�8l��z$ڽ
�Uj�Uzu7L�&6鏙BFyvljŵ�v��N|vuI5%uԦF h5zQ`1D�k
'M&7�b�QۺhH窕&5+۸�v(�(
(
<�QށNF9rzo}y�hleB3Y�}>@?dG(חzQ�kg�3r;vs_�埡���fe\��_�,@�^�}.3s+Q2ʁ?/3�2?QF2�2ϡ<�PK((�+����N~dk�3�.�w3�2/(_�3�*�>e )~P~U�{mF�$)c�F5qvJEsQ^O2T�}~�)�PWg�P0U�J2,c3\.�f{�9;[?[O;BX\jzr+�^&e5�v+iA�-��{} yW��/"yeoR 5��AQq.�
3l?V\[[,Oн�ۺ{�g�%Iy�=0?%Mu{�1پWߕ\~SnE�+tVq&R2#s�"q6G#i@�A�'S��ys"X�5½p'��eybn�AR-c�#}~�L(����(7].�wqSݮ'/x?5`
K}�E��xvY^]Y���7�m�ϋ>YپGh����O��WY�-J�cġ�$Л�W�;usո_7>Cg6�'[�5}�NoM:S�����?|Y&@Y8'}R�دhع�jzrt5pÅ6@$~�۷7l��Hj$7
rQӊj�~JR�' a،�b`2[j�UUEVr�o�VV�K
D`q9#�T�x|D��emګ.�91C=b��hǬ[ɖP���=��^?&GG�5}^ŗ1 {7�/��^"_�v3:mc�(2��)�R1��1@e^*u1*z6`%Q<�Dqg~�fLX6>&m\ʠaCo^Ėٵv"n�,4Nw�z:}i��@4ǝaƹr�0A���z4}�z<8�JN)g,#�[�o�tO�@R&�`"�9�oє^\C.�΅G*˗ X֭2~$�|3˸ [2FlX jXJr�
h;9�_½\$ǖ�~=�I�\=u{Ȫ�\D�}GQ!rE>2^x6�,0�'.��җm �H730���4F�Q60�
spa3 Ӯ�c_+7p' ��U/N �틷��'�YL�AŊv3���Fdu#�aq�1ld@(we6Lm (~%.,wj3j2�\�ؓJq}�l8=;d؆"0��]ݸ3EzK5 D 9b6-�k&*0x��z_L& �\v�i�}�2#0' MĮ+fAj3�rf*��e
�6{Ns�̄08B8Lŝ>KGJL~Mph/I'��WW��~rh`=E('ݬ|\��k,##1苌Y MЦ �
B8̈́dX.N`'�=ס eg9a��M�H�aC4�uezԦӱEm_kτ�x{p"y>�``a?�>N@3n�f�K�,h��:X-5,&L��ALH\=oz^Dl��t��Ζb'/x-�)KPRJ��Vr.Q�?�2FwU�cT��x��/ē_| 3�Obx`#Yұ�ߚP
TDO��"vy9m�$Ki[zQڗ�E@1agG�ێf*io� K�? oX�)u�n'|oW|B�,;�k�l`v��B�`{�9`,�s��v3�C@�_vܥeN�UhJl;��:�ƍd2- �����~U
)�yc<��z�n�ްF}��4֦Ju!A]�=_�v{[>/'R`�4.v>Ͻn̯]2�xDh\N"�X=<,�N~LʹkcPֽk�x�ٚջHR#SL�味"�:xqea�#�Vt*N�ﺽ�V/PuzY}TO3uG?��?;��otۿˌ�hT*.㉋o[�罣�ŧM���nғ�n:�RXFYS$DM� $Rzf}!Y�/���~} Wha<�[Wy�&F�{kj5U+kD;ydMn+:cSEᘸe=9TVs0v*b(1lS2�4K�_hj*Jl�xTȉY3z[q;�f[hh
/b�;f�1Բ�И>�(��
|
Network Security & Hardware 
