Researchers from SecureWorks have created two new tools to address security issues. They will be presenting the tools at the Black Hat convention, which runs July 28-Aug. 2 in Las Vegas.
The first tool, known as CaffeineMonkey, was developed by SecureWorks Ben Feinstein and Daniel Peck. CaffeineMonkey helps IT pros detect Web sites hosting malicious JavaScript and uncover the ways hackers are trying to hide the malicious code.
Building on the work of several existing honey pots—Internet-attached servers meant to lure attackers in order to study how they hack into systems—the duo described the goal of their project as an attempt to further automate the collection of malicious software, with a particular focus on attacks using JavaScript for exploitation or obfuscation.
“Our results involve statistical analysis of the behavior of samples of JavaScripts,” said Feinstein, a researcher at Atlanta-based SecureWorks. “By observing the behavior of JavaScript at the interpreter level, we easily defeat many common obfuscation techniques. By being down in the JavaScript interpreter, we have the ability to observe the actions taken by a script without any need to analyze the scripts syntax and semantics.”
A second tool, developed by SecureWorks Senior Security Researcher Joe Stewart, helps in automating tasks involved in debugging the Windows kernel. Stewart developed the tool, called Windpill, to give researchers the ability to debug the Windows kernel code, read and write virtual and physical memory addresses, and parse undocumented structures in an easier way, SecureWorks officials said.
For example, one job that could be made easier with this tool is pulling userland-injected code out of kernel-level malware, SecureWorks officials said. With this tool, a null modem cable, and some Perl and Windows kernel knowledge, users could script it in just a few hours, officials said, adding that automating the process with traditional kernel debugging tools under Windows would take much longer.
“The speed-up in automation/development time is due to the fact that Perl is a scripting language as opposed to a compiled language like C,” Stewart said. “With the currently available Windows kernel debugging tools, you must compile a DLL to load into the debugger—with each change you have to recompile it. Plus, working in lower-level languages is always more time-consuming, as you have to deal with memory management issues or objects. Perl doesnt require any of that, so you can concentrate purely on the functional aspects of the code.”
Both tools will be available Aug. 3 at no cost on the SecureWorks Web site.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.
