Not all malware detection is created equal

Not all malware detection is created equal
The internet is now the number-one conduit for infecting users with malware. Sophos detects a new infected web page every few seconds. This white paper outlines the terms you need to know and the steps you should take to stay safe.

Not all malware detection is created equal
The internet is now the number-one conduit for infecting users with malware. SophosLabs reports that in 2009, 23,500 new infected web pages are discovered every day. That's one every four seconds or so, four times worse than what it was in the same period in 2008 [1]. Malware authors are very successful with a popular method: compromising popular, high-traffic, legitimate sites in order to kick-start the infection process .

Users visiting a hijacked site have no way of knowing the site has been compromised because the malicious code is invisible but executed as soon as the page loads in the user's browser. The code typically will utilize cross-site scripting to fetch an even more malicious payload from a third-party site that will then attempt to leverage one of dozens of known exploits in the browser or operating system to infect it, steal data or subvert it into a botnet.
The scope of these attacks cannot be underestimated, since all types of sites-from government websites to educational establishments to popular news portals, blogs and social networking sites-have been targeted.
As security vendors add detection for this kind of malicious web code, the attackers constantly evolve it in order to evade being caught. As this game of cat and mouse intensifies, the attackers have turned to using JavaScript for delivering their attacks. Why?:
»»JavaScript is very powerful and universal with rich capabilities supported in all browsers and operating systems.
»»JavaScript provides great flexibility for them to hide (or obfuscate) the malicious code.
A simple illustration of this is shown in Figure 1. In A, the page has been injected with a simple HTML iframe, which would cause the browser to load malicious content from the specific remote site when that page is viewed. In B, the page is injected with a short JavaScript. The payload is not immediately visible to the eye-it is using very simple obfuscation. In fact, the payload is exactly the same as for A. The JavaScript simply writes the exact same iframe object to the page when it is viewed in the browser.

The flexibility of JavaScript allows almost an unlimited number of ways for this payload to be obfuscated in B. This presents a problem for content scanners because the payload is effectively hidden when the page content is scanned.
Consequently, proactive generic detection becomes harder to achieve. We have seen numerous mass-defacement attacks during 2009 in which tens of thousands of legitimate sites have been compromised (their pages injected with malicious JavaScript code). These attacks invariably use heavily obfuscated JavaScript as a means of evading detection for as long as possible.
A good example of this attack is known as Gumblar, in which many sites were injected with a malicious script that used simple character substitution to hide its payload. As you can see, the payload is not visible in the injected script. But after manual deobfuscation, the payload is obvious -loading of a malicious script from a remote site.
The reach of mass-defacement attacks like such as Gumblar can be huge. Very quickly after adding detection (as Troj/JSRedir-R), that threat quickly rose to the top position in SophosLabs' web threat stats, dwarfing other threats at that time.

Commercial script packers
There is nothing malicious in obfuscating JavaScript code. In fact, there are commercial tools available that individuals can use in order to obfuscate their code. Why?:
»»Protection of intellectual property: Users may choose to use such tools to obfuscate their code in an attempt to prevent others from copying it.
»»Efficiency: Some tools can produce smaller scripts that are quicker to download, resulting in more responsive sites.
This creates yet another problem for analysts and content scanners. When attackers use commercial tools to obfuscate their malicious scripts, anti-malware analysts have to be careful not to generate a false positive on legitimate scripts that are obfuscated with the same tool [4].
Server-side polymorphism (SSP)
Many of today's threats also use advanced scripting techniques on the server in order to create polymorphic malicious code. For example, during 2009, SophosLabs identified several attacks aiming to infect users with Zbot [5,6] that were aggressively using SSP. In these attacks, the malicious scripts being used to exploit vulnerabilities on user machines were dynamically created on the server, resulting in a slightly different script on each request.
SSP is essentially a special case of obfuscation, which again poses a challenge to anti-malware analysts and content scanners.
Malicious PDF documents
SophosLabs has reported on the widespread use of PDF documents in attacks in 2009 [7 ]. The reason is that attackers have aggressively targeted vulnerabilities in common PDF reader applications as a means of infecting users. What is less known is that JavaScript is typically used in such attacks.

»»Increased proactive (zero-day) protection against new attacks
In November 2009, Sophos Web Security and Control will include this functionality in the core anti-malware engine. This update will be rolled out to all customer appliances as part of the monthly update package (no additional work will be necessary).
From early 2010, the technology will be included in the Browser Helper Object (BHO) component of Sophos Endpoint Security and Data Protection, which runs and protects Internet Explorer from processing any malware in requests.
To learn more about Sophos please visit: http://www.sophos.com
Adobe Acrobat includes support for embedded JavaScript within PDF documents [ ] in order for users to create complex and dynamic documents. However, this provides a mechanism for attackers to construct malicious PDF files that use embedded JavaScript in order to exploit application vulnerabilities.
The script obfuscation and SSP techniques discussed above are equally applicable to JavaScripts embedded in PDF files.

This article was provided by Sophos and is reproduced here with their full permission. Sophos provides full data protection services including: security software, encryption software, antivirus, and malware.