Thread-topic: Attackers Using Dynamic Code Obfuscation
*************************************************************************
SANS NewsBites January 16, 2006 Vol. 9, Num. 5
--Finjan Report: Attackers Using Dynamic Code Obfuscation
(12 & 8 January 2007)
Malware purveyors are turning to dynamic code obfuscation to evade
signature-based anti-virus systems, according to Finjan's quarterly web
security trends report. Attackers are using utilities that allow them
to give different code to each visitor to a malicious web site,
rendering virus signatures useless. The report also noted recent
attacks that exploit "Web 2.0 technologies to embed malicious code in
.. web sites."
[Editor's Note (Liston): I've been predicting this privately for a
couple of years now, and I've even played around with some code to
actually create random executable images on the fly. This is too
effective and too easy for the bad guys to pass up.]
MISCELLANEOUS
--Google Malware Warning Page Generates Complaints from Web Site Operators
(11 January 2007)
Organizations whose web sites have been identified by Google as possibly
containing malware have expressed frustration with the process for
appeal. If Google believes malware resides on a given web site, an
"interstitial" page will pop up, warning the user that visiting the site
could potentially harm the computer. Users are not blocked from
visiting the labeled sites, but they must type in the address if they
wish to continue. The warning page provides a link to Stopbadware.org,
which will examine sites if users submit queries; Google will remove the
warning page if it is determined that the site is free of malware. Web
site operators have expressed frustration that the process can take up
to 10 business days. According to Stopbadware.org, some site owners may
be unaware that their sites have been infected with malware.
[Editor's Note (Pescatore): With the new IE7 and Firefox 2 browsers
including malicious web site warnings, as well as Google and other
search engines doing the same, users are going to get a lot of pop-ups
warning them that the site they are about to visit might be dangerous.
When smoke detectors first became required in buildings, industry,
insurance agencies and government agencies learned they needed to do
campaigns to tell people what to do if the detector went off and to
remind them to change the batteries periodically. The IT industry needs
to do something similar around malware sites - Microsoft, Mozilla,
Google et al need to invest in a public service campaign around
increasing online consumer safety.
(Liston): At the Internet Storm Center, we're constantly faced with the
challenge of trying to contact the owners of compromised sites that are
hosting malware. Google's warning page is a great stop-gap measure when
it is difficult or impossible to get site owners to wake up and do
something. If their site is so important that a 10 business day wait
is unacceptable, then perhaps they should be paying a bit more attention
to securing it.
(Kreitner) This is the sort of inconvenience we need to get used to; it
is part of the price we pay for better protection. A metaphor is a
police roadblock in a neighborhood where a criminal suspect is on the
loose -- an inconvenience for those stopped, but better protection for
the neighborhood by increasing the chances the suspect will be caught.
However, this sort of mechanism should be executed efficiently to
minimize inconvenience. I hope Google's process for determining that a
suspected site is free of malicious software, and removal of the
warning, are expeditious and accurate.
(Grefer): Similar heads-up warnings are available for free with McAfee
SiteAdvisor, which is available for Internet Explorer and Firefox
]
