Stephan Chenette of Websense describes a new Internet attack vector that could allow hackers to bypass anti-virus protection at both the gateway and the desktop. The technique, called script fragmentation, involves breaking down malware into smaller pieces in order to beat malware analysis engines. Web 2.0 requires new ways of thinking about browser security.
Security researcher Stephan Chenette opened up to eWEEK about a new Web attack vector that could potentially render desktop and gateway anti-virus
Chenette, manager of security research at Websense, calls the attack script fragmentation. Similar to TCP fragmentation attacks, it involves breaking down Web exploits into smaller pieces and distributing them in a synchronous manner to evade anti-malware signature
"What this attack enables you to do is really get exploit code from the server into the browser memory and trigger the exploit," Chenette said. "Once you actually are able to trigger that exploit, you own that machine, so that means you can disable anti-virus, you can disable any protection mechanism after the fact."
The attack works like this: Malware authors write benign client code and embed it in a Web page. The only content contained on the initial page is that benign code; no actual malicious content is present, and the same type of code is found on all of the major legitimate Web 2.0 sites. The client code then slowly requests more code from other Web servers a few bytes at a time, thereby only allowing a user's gateway anti-virus engine to analyze a few seemingly innocuous bytes as it tries to determine whether or not the Web site is malicious. Each fragment is appended to a variable. The client will request more and more information until all of it has arrived, at which point the accumulated text is used to create a Script element within the DOM (Document Object Model) of the browser, with the information added as text to the node. This in turn causes a change to the DOM and executes the code in the script element.
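The delivery sequence described above, as an added example written for this page (it is not Websense's or eWEEK's code): a Node.js simulation in which a fragment server, the benign loader, a per-fragment signature scanner and a minimal stand-in for the browser DOM are all constructed for the demo. The "exploit" is a harmless statement that sets a global marker, the signature list and fragment size are assumptions, and the DOM is faked so the logic runs without a browser. The same block also shows the check Chenette argues for at the end of the article: scanning script text at the moment it enters the DOM, where the fragments have been reassembled and a signature can finally match.

```javascript
// Added example (not Websense's or eWEEK's code): a Node.js simulation of
// script fragmentation. PAYLOAD, SIGNATURES, the fragment size and the
// fake DOM are all constructed for the demo.

// Constructed stand-in for exploit code. It only sets a global marker.
const PAYLOAD = "globalThis.fragDemoRan = 'reassembled ' + (6 * 7);";

// Constructed signatures a gateway or desktop engine might look for.
const SIGNATURES = ["globalThis.fragDemoRan", "reassembled"];

// Server side: split the code into fixed-size fragments. In the real
// attack each fragment sits behind its own URL; here it is an array.
function fragmentPayload(code, size) {
  const parts = [];
  for (let i = 0; i < code.length; i += size) {
    parts.push(code.slice(i, i + size));
  }
  return parts;
}

// Signature scanner: returns the signatures found in `text`.
function matchesSignature(text, sigs = SIGNATURES) {
  return sigs.filter((s) => text.includes(s));
}

// Client side: the benign loader on the initial page. It requests one
// fragment at a time and accumulates them in a variable, so each response
// seen on the wire is only a few bytes long.
function reassemble(fetchFragment) {
  let buffer = "";
  for (let idx = 0; ; idx++) {
    const chunk = fetchFragment(idx);
    if (chunk === null) break; // server has no more fragments
    buffer += chunk;
  }
  return buffer;
}

// Minimal stand-in for the DOM calls the loader makes in a browser:
//   const s = document.createElement("script"); s.text = buffer;
//   document.body.appendChild(s);
// appendChild runs the script text, as a browser would. `onInsert` is the
// hook a defender gets (a MutationObserver in a real page) to inspect the
// script text at the moment it enters the DOM, before it runs.
function makeFakeDom(onInsert) {
  return {
    createElement(tag) {
      return { tagName: tag.toUpperCase(), text: "" };
    },
    appendChild(node) {
      if (onInsert) onInsert(node);
      if (node.tagName === "SCRIPT") new Function(node.text)();
      return node;
    },
  };
}

// In-DOM check: refuse the insertion when the assembled text matches.
function inDomScanner(node) {
  const hits = matchesSignature(node.text);
  if (hits.length > 0) {
    throw new Error("blocked script insertion: " + hits.join(", "));
  }
}

// Run the whole scenario and report what each vantage point saw.
function runScenario(fragmentSize, guarded) {
  delete globalThis.fragDemoRan;
  const fragments = fragmentPayload(PAYLOAD, fragmentSize);
  // Gateway view: every fragment is scanned on its own.
  const fragmentHits = fragments.filter((f) => matchesSignature(f).length > 0).length;
  const dom = makeFakeDom(guarded ? inDomScanner : null);
  const assembled = reassemble((idx) => (idx < fragments.length ? fragments[idx] : null));
  let blocked = false;
  try {
    const script = dom.createElement("script");
    script.text = assembled;
    dom.appendChild(script);
  } catch (e) {
    blocked = true;
  }
  return {
    fragmentCount: fragments.length,
    fragmentHits, // matches seen by per-fragment scanning
    assembledHits: matchesSignature(assembled).length, // matches seen in the DOM
    executed: globalThis.fragDemoRan === "reassembled 42",
    blocked,
  };
}

console.log(runScenario(4, false)); // unguarded: no fragment matches, payload runs
console.log(runScenario(4, true)); // in-DOM scan: assembled text matches, insertion blocked
```

Raising the fragment size to the length of the payload collapses the attack: a single fragment carries the whole string and the per-fragment scan matches again, which is the point of keeping the fragments a few bytes long.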
According to Chenette, the entire process, from the data being transferred over the network to the exploit running in the browser, will slip under the radar because no malicious content touches the file system. It's done completely in memory, and any content that is transferred over the network is done in such tiny fragments that anti-virus engines parsing the information don't have enough context or information to match any signatures.
The attack, which has not been seen in the wild by Websense, works on all the major browsers. Technically, however, it is not a browser vulnerability; it merely takes advantage of the way browsers work.
Given that much of Web-based malware is distributed through compromised sites as opposed to rogue sites created by attackers, the method poses a significant threat in today's non-static, Web 2.0 environment, Chenette said. Simply turning off scripting in the browser is not a realistic answer for most Web users.
"The problem with not allowing scripting is you break the functionality of almost all the top 50 Web sites that require ... vendors have to do is start understanding that we live now in a Web 2.0 world, not a Web 1.0 world, where active content is something we need to deal with every day. That is the content that needs to be scanned ... it is very important not only to look at the static content that has been put on disk but be able to detect changes inside of the browser."