Script Fragmentation Attack Could Allow Hackers to Dodge Anti-virus Detection

Stephan Chenette of Websense describes a new Internet attack vector that could allow hackers to bypass anti-virus protection at both the gateway and the desktop. The technique, called script fragmentation, involves breaking down malware into smaller pieces in order to beat malware analysis engines. Web 2.0 requires new ways of thinking about browser security.

Security researcher Stephan Chenette opened up to eWEEK about a new Web attack vector that could potentially render desktop and gateway anti-virus products useless.

Chenette, manager of security research at Websense, calls the attack script fragmentation. Similar to TCP fragmentation attacks, it involves breaking down Web exploits into smaller pieces and distributing them in a synchronous manner to evade anti-malware signature detection.

"What this attack enables you to do is really get exploit code from the server into the browser memory and trigger the exploit," Chenette said. "Once you actually are able to trigger that exploit, you own that machine, so that means you can disable anti-virus, you can disable any protection mechanism after the fact."

How will botnets change tactics to stay active? Click here to read more.

The attack works like this: Malware authors write benign client code and embed it in a Web page. The only content contained on the initial page will be a small JavaScript routine utilizing XHR or XDR. This code contains no actual malicious content, and the same type of code is found on all of the major legitimate Web 2.0 sites.

When a user visits the Web page, the JavaScript and the XDR or XHR will slowly request more code from other Web servers a few bytes at a time, thereby only allowing a user's gateway anti-virus engine to analyze a few seemingly innocuous bytes as it tries to determine whether or not the Web site is malicious.

Once received by the client, the bytes are stored in an internal JavaScript variable. The client will request more and more information until all the information has been transferred. Once it has been transferred JavaScript will be used to create a Script element within the DOM (Document Object Model) of the browser and add the information as text to the node. This in turn will cause a change to the DOM and execute the code in the script element.

According to Chenette, the entire process-from data being transferred over the network to triggering JavaScript within the DOM-can slip under the radar because no malicious content touches the file system. It's done completely in memory, and any content that is transferred over the network is done in such tiny fragments that anti-virus engines parsing the information don't have enough context or information to match any signatures.

The attack, which has not been seen in the wild by Websense, works on all the major browsers. Technically, however, it is not a browser vulnerability-it merely takes advantage of the way browsers work.

Given that much of Web-based malware is distributed through compromised sites as opposed to rogue sites created by attackers, the method poses a significant threat in today's non-static, Web 2.0 environment, Chenette said. While disabling JavaScript, for example, would prevent the attack, that's not a realistic answer for most Web users.

"The problem with not allowing scripting is you break the functionality of almost all the top 50 Web sites that require JavaScript to be enabled," Chenette said. "One of the things that security vendors have to do is start understanding that we live now in a Web 2.0 world, not a Web 1.0 world, where active content is something we need to deal with everyday. That is the content that needs to be scanned ... it is very important not only to look at the static content that has been put on disk but be able to detect changes inside of the browser."