Security researcher Stephan Chenette has reincarnated an old attack vector, giving it a new twist and a new name.
Chenette, manager of security research at Websense, has dubbed the new attack vector “script fragmentation” and will be making a presentation on it next week at the PacSec Applied Security Conference in Japan. Though he was mum on the specific details of his research, he provided eWEEK with a general outline of his findings.
His attack method is reminiscent of TCP fragmentation attacks and involves breaking down Web exploits into smaller pieces and distributing them in a synchronous manner to evade signature detection. According to Chenette, the attack can be performed without any special tools or add-ons.
“There’s no big chunk of maliciousness to it [where] there’s enough information there that anybody who’s looking at it, either signature or [with behavioral analysis], will really make any sense of it to say, ‘this is malicious,’” he explained.
Chenette said he tested the technique on all the major browsers, including Internet Explorer, Firefox and Safari, and found all were susceptible. Strictly speaking, however, it is not a browser vulnerability – it only takes advantage of the way Web browsers and applications operate.
The attack scenario could be a one-to-one relationship where a client contacts a Web server and gets the malicious content in little bits and pieces, or a situation where an attacker uses a botnet to have a few thousand machines serve the client pieces of the malware from various locations, Chenette explained.
Disabling scripting would affect it, but the non-static nature of today’s Web makes that impractical.
So far, the attack method has not been seen by Websense in the wild. However, with security vendors starting to get over the hump with regard to detecting malware obfuscation, this type of attack is on the horizon, Chenette said.
“This is really in my eyes an attack that we’re going to be seeing a lot more of in the future,” he said. “This is something that currently we’re not seeing, but is completely right now as it stands in the hands of any attacker that wants to make use of it.”