Security researcher Stephan Chenette of Websense says he has found a new way to slip Web exploits by client or gateway defenses. He calls the technique script fragmentation and says the attack vector is similar to the TCP fragmentation attacks that gained notoriety years ago. Chenette will make a presentation of his findings next week at the PacSec security conference in Tokyo.
Security researcher Stephan Chenette has reincarnated an old attack vector, giving it a new twist and a new name.
Chenette, manager of security research at Websense, has dubbed the
new attack vector "script fragmentation" and will be making a
presentation on it next week at the PacSec Applied Security Conference
in Japan. Though he was mum on the specific details of his research, he
provided eWEEK with a general outline of his findings.
His attack method is reminiscent of TCP fragmentation attacks and
involves breaking down Web exploits into smaller pieces and
distributing them in a synchronous manner to evade signature detection.
According to Chenette, the attack can be performed without any special
tools or add-ons.
"There's no big chunk of maliciousness to it [where] there's enough
information there that anybody who's looking at it, either signature or
[with behavioral analysis], will really make any sense of it to say,
-this is malicious,'" he explained.
Chenette said he tested the technique on all the major browsers,
including Internet Explorer, Firefox and Safari, and found all were
susceptible. Strictly speaking, however, it is not a browser
vulnerability - it only takes advantage of the way Web browsers and
"I'm calling this a script fragmentation attack because it makes use
of the common technologies that are completely available today -
readily available technologies that allows us just to conduct traffic
back and forth. We can do it in smaller pieces, and at one end
concatenating all the information and then triggering the attack."
The attack scenario could be a one-to-one relationship where a
client contacts a Web server and gets the malicious content in little
bits and pieces, or a situation where an attacker uses a botnet to have
a few thousand machines serve the client pieces of the malware from
various locations, Chenette explained.
Disabling scripting would affect it, but the non-static nature of today's Web makes that unpractical.
use it in the way that it's meant to be used," he said. "You couldn't
go to Facebook...hi5, all these are top 50 Web sites that are used by all
scripting languages in general and the mechanisms that the script
fragmentation attack relies on are all mechanisms that everyday, benign
applications use - and that's actually why it's so successful. All the
components that script fragmentation relies on are components that are
used in everyday Web sites and they are used in the exact same way that
everyday Web sites use them."
So far, the attack method has not been seen by Websense in the wild.
However, with security vendors starting to get over the hump in regards
to detecting malware obfuscation, this type of attack are on the
horizon, Chenette said.
"This is really in my eyes an attack that we're going to be seeing a
lot more of in the future," he said. "This is something that currently
we're not seeing, but is completely right now as it stands in the hands
of any attacker that wants to make use of it."