Nazario was referring to NeoSploit, a new malware tool he has seen in the wild. It carries at least seven distinct exploits for infecting a PC and chooses among them based on that PC's weak points.
On the simple end, for example, a string split would render a word like this:
The resulting malicious code, of which the above is a small portion, is easy for a human to recognize, but, as Nazario pointed out, it presents an effective stumbling block for automated detection.
Attackers also use double obfuscation, Nazario said. On top of simple joins or splits or a single encoding, they apply a second encoding, often with a custom decoder. While several people like to use the browser to decode such exploits, Nazario said it's a bad idea: the technique is too slow to get full information from a browser under zero-day conditions.
As Nazario described it, reverse-engineering double-decoded malware essentially entails cleaning up the HTML and decoding the script on the command line. The result usually still contains encoded code, so the process is repeated until nothing encoded remains.
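The decode-inspect-repeat loop described above, as an added example that is not code from the article or from Nazario's tools: a constructed sample wrapped in three layers (a string split, percent-encoding, and a custom char-code decoder) and an analyst-side peeler that recognizes each layer statically and undoes it without ever evaluating the script. The payload, the layer formats and the decoder names are all assumptions made for this illustration.

```javascript
// Added example, not code from the article or from Nazario: peeling layered
// JavaScript obfuscation one encoding at a time. The payload and all three
// layers are constructed here; the decoders are an analyst's static
// reimplementation, so no attacker code is executed.

const PAYLOAD = "alert('payload reached')"; // constructed stand-in for the exploit

// ---- building the sample (what an attacker's packer does) ----

function chunk(s, n) {
  const out = [];
  for (let i = 0; i < s.length; i += n) out.push(s.slice(i, i + n));
  return out;
}

// Layer A, the simple case from the article: split a string into short
// pieces joined with "+", so the literal "alert" never appears.
function layerSplit(s) {
  return 'eval(' + chunk(s, 3).map(p => JSON.stringify(p)).join('+') + ')';
}

// Layer B: percent-encoding, decoded at run time with unescape().
function layerUnescape(s) {
  const enc = [...s].map(c => '%' + c.charCodeAt(0).toString(16).padStart(2, '0')).join('');
  return 'eval(unescape("' + enc + '"))';
}

// Layer C: a custom decoder shipped with the script; char codes offset by SHIFT.
const SHIFT = 3;
function layerCustom(s) {
  const codes = [...s].map(c => c.charCodeAt(0) + SHIFT).join(',');
  return 'function dec(s){var o="";s.split(",").forEach(function(n){o+=String.fromCharCode(n-'
    + SHIFT + ')});return o}' + 'eval(dec("' + codes + '"))';
}

function buildSample() {
  return layerCustom(layerUnescape(layerSplit(PAYLOAD)));
}

// ---- analyst side ----
// Each decoder recognises one layer and undoes it without evaluating anything.
// The custom-shift decoder is written after reading dec() in the sample.
const DECODERS = [
  { name: 'custom-shift',
    re: /eval\(dec\("([\d,]+)"\)\)$/,
    decode: m => m[1].split(',').map(n => String.fromCharCode(Number(n) - SHIFT)).join('') },
  { name: 'unescape',
    re: /^eval\(unescape\("((?:%[0-9a-fA-F]{2})+)"\)\)$/,
    decode: m => m[1].replace(/%([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16))) },
  { name: 'split-join',
    re: /^eval\(("(?:[^"\\]|\\.)*"(?:\+"(?:[^"\\]|\\.)*")+)\)$/,
    decode: m => m[1].match(/"(?:[^"\\]|\\.)*"/g).map(p => JSON.parse(p)).join('') },
];

// Apply whichever decoder matches, then look again; stop when no known
// encoding remains (or after maxLayers, in case a sample decodes to itself).
function peel(code, maxLayers = 10) {
  const layers = [];
  let cur = code;
  for (let i = 0; i < maxLayers; i++) {
    let hit = null;
    for (const d of DECODERS) {
      const m = d.re.exec(cur);
      if (m) { hit = { d, m }; break; }
    }
    if (!hit) break;
    cur = hit.d.decode(hit.m);
    layers.push(hit.d.name);
  }
  return { code: cur, layers };
}

// Usage: peel(buildSample()) returns { code: PAYLOAD, layers: [...] }, with
// layers listing the encodings removed, outermost first.
```

The loop stops on the first iteration in which no decoder matches, which is the "no longer encoded" condition from the talk; a real sample may need a new decoder written for each custom layer encountered, but the control flow stays the same.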
For example, because NJS doesn't know about "arguments," attackers have used "arguments.callee" to make their code tamper-proof. arguments is a local variable available inside every function, and its callee property is the function currently executing, which lets an anonymous function refer to itself. A decoder can therefore read its own source text and use it as a decryption key or integrity check, so that any edit to the script, such as swapping eval() for a print call, produces garbage, and the same self-reference allows recursive code that, when executed, loops endlessly and throws a monkey wrench into reverse engineering.
Enter SpiderMonkey, Nazario said. Run from the command line without a browser around it, SpiderMonkey halts on functions it cannot resolve, such as alert() or print(), rather than executing them, so attackers' use of those functions cannot derail decoding efforts. Once it chokes, a researcher doing reverse engineering can continue in another language, such as Python.
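Both points above, the arguments.callee self-keyed decoder and analysing it in a bare engine with the browser's functions stubbed, in one added example that is not code from the article or from Nazario's tools. The checksum, the decoder text and the hook names are assumptions made for this illustration; the hooks play the role of the stand-in alert()/print() an analyst defines in a standalone SpiderMonkey shell, and the naive text-edit shows why that edit alone breaks a self-keyed decoder.

```javascript
// Added example, not code from the article or from Nazario: a decoder that
// keys itself on its own source text through arguments.callee, and two ways
// of handling it. Payload, decoder and hooks are all constructed here;
// nothing decoded is ever executed.

const PAYLOAD = "alert('payload reached')"; // constructed stand-in for the exploit

// Additive checksum over a string, masked to 16 bits. The shipped decoder
// computes exactly this over arguments.callee.toString().
function checksum(s) {
  let k = 0;
  for (let i = 0; i < s.length; i++) k = (k + s.charCodeAt(i)) & 65535;
  return k;
}

// Symmetric XOR of each char code with the key, stored as comma-separated numbers.
function xorCodes(s, k) {
  return [...s].map(c => c.charCodeAt(0) ^ k).join(',');
}

// The decoder exactly as it would appear in the page. arguments.callee is the
// running function itself, so toString() yields this very text; editing a
// single character (say, eval -> print) changes the key and the output.
const DECODER_FN =
  'function(){' +
  'var s=arguments.callee.toString(),k=0;' +
  'for(var i=0;i<s.length;i++)k=(k+s.charCodeAt(i))&65535;' +
  'var o="",a=data.split(",");' +
  'for(var j=0;j<a.length;j++)o+=String.fromCharCode(a[j]^k);' +
  'eval(o);' +
  '}';

// What the attacker's packer emits: the encrypted payload plus the decoder.
// The key is derived from the function text only, which is what
// Function.prototype.toString returns (no surrounding parentheses or call).
function buildSample() {
  const key = checksum(DECODER_FN);
  return 'var data="' + xorCodes(PAYLOAD, key) + '";(' + DECODER_FN + ')();';
}

// Correct approach: leave the script untouched and run it in a bare engine
// where the analyst supplies the sinks. Like stubbing alert() in a standalone
// SpiderMonkey shell, eval and alert here are parameters bound to a capture
// function, so eval(o) hands over the plaintext instead of running it.
// (A parameter named eval is legal in non-strict code, which new Function is.)
function analyse(sample) {
  const captured = [];
  const hook = s => { captured.push(String(s)); };
  new Function('eval', 'alert', sample)(hook, hook);
  return captured;
}

// Naive approach: edit the sink to print(o) and run with print() stubbed. The
// edit changes the checksum, so the XOR key is wrong and print() gets garbage.
function naiveEdit(sample) {
  const captured = [];
  const edited = sample.replace('eval(o)', 'print(o)');
  new Function('print', edited)(s => { captured.push(String(s)); });
  return captured;
}

// Usage: analyse(buildSample()) returns [PAYLOAD]; naiveEdit(buildSample())
// returns one garbled string instead.
```

The difference between the two approaches is where the analyst intervenes: hooking the sink from outside leaves arguments.callee.toString() unchanged, while rewriting the script text, however small the edit, is exactly what the self-check is designed to detect.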
Check out eWEEK.com's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK's Security Watch blog.