Saturday, November 22, 2008

New proof of concept script attack in all browsers bypasses AV detection


Stephan Chenette of Websense describes a new Internet attack vector that could allow hackers to bypass anti-virus protection at both the gateway and the desktop. The technique, called script fragmentation, involves breaking down malware into smaller pieces in order to beat malware analysis engines.

The attack works like this: Malware authors write benign client code and embed it in a Web page. The only content contained on the initial page will be a small JavaScript routine utilizing XHR or XDR. This code contains no actual malicious content, and the same type of code is found on all of the major legitimate Web 2.0 sites.

When a user visits the Web page, the JavaScript and the XDR or XHR will slowly request more code from other Web servers a few bytes at a time, thereby only allowing a user's gateway anti-virus engine to analyze a few seemingly innocuous bytes as it tries to determine whether or not the Web site is malicious.

Once received by the client, the bytes are stored in an internal JavaScript variable. The client will request more and more information until all the information has been transferred. Once it has been transferred JavaScript will be used to create a Script element within the DOM (Document Object Model) of the browser and add the information as text to the node. This in turn will cause a change to the DOM and execute the code in the script element.

According to Chenette, the entire process—from data being transferred over the network to triggering JavaScript within the DOM—can slip under the radar because no malicious content touches the file system. It's done completely in memory, and any content that is transferred over the network is done in such tiny fragments that anti-virus engines parsing the information don't have enough context or information to match any signatures.

The attack, which has not been seen in the wild by Websense, works on all the major browsers. Technically, however, it is not a browser vulnerability—it merely takes advantage of the way browsers work.

My initial thoughts: If this gets out into the wild, the only protection is to either turn off scripting entirely in Internet Explorer (which will cripple most legitimate websites), or use the excellent NoScript plugin for Firefox (and use it correctly.)