Researcher demonstrate new hacking techniques

DEVELOPMENT : Researcher demonstrate new hacking techniques

By Dennis Fisher, Executive Editor

SearchSecurity.com

31 Jul 2008

http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1323408,00.html

Analysts planning to take apart a piece of malware to get a look at its inner workings have any number of techniques at their disposal. But these tactics are well-known in the hacker community as well, and they have become less effective over time as attackers have learned to evade them.

At the Black Hat conference next week, Billy Hoffman, a researcher who has done work on application security and JavaScript security, will demonstrate several new techniques that malware authors can use to shield their programs from analysis. The techniques take advantage of some of the special capabilities of JavaScript, a language that has become a favorite of malware authors of late.

"None of the existing sandboxes are sophisticated enough to circumvent these techniques. That's exactly why I want to talk about it publicly," Hoffman said. "If I figured this out, you better believe other people have. The fact that it's not public means they just haven't told anyone."

Hoffman, manager of the Web Security Research Group at HP Software Inc., plans to discuss five new tactics he's developed, most of which enable JavaScript malware to detect whether it's actually running in a full browser, or just an emulated browser inside a sandbox. For example, JavaScript gives authors the ability to define a block of code to act as an error handler. When a sandbox comes across code with syntax or runtime errors, it typically will stop running. A browser, however, will run the code and run the error handler. So, if malware can discover that the environment it's running in can't handle the error, it can identify the environment as not being a full-on browser and simply shut down.

"Some malware could have deliberate syntax errors that force the error handler to run and clean things up," Hoffman said. "If that doesn't run, the malware knows it's in a sandbox."

Another of Hoffman's techniques revolve around the ways in which browsers and sandboxes handle events and timers. The technique is designed to determine whether user events are being run in the correct order. Hoffman said sandboxes tend to run events and timers either too quickly or even out of order at times, which can be detected by the JavaScript malware.

JavaScript has come into favor with malware authors recently as they look for new and better ways to get their creations past perimeter defenses and into the hands of unsuspecting users. Some attackers have begun using JavaScript as a kind of wrapper to protect their programs, Hoffman said.

"It's the versatility they like and the vector they can deliver it through. More and more we see people exploited by drive-by downloads," he said. "Still, attackers have to use JavaScript because defenses are good at monitoring straight traffic. This allows them to wrap malware in JavaScript, get it past the defenses, unpack it through the browser and compromise the system without anything knowing it went by.

"You can do really nasty things like keylog, steal history and steal passwords. We see all the iFrame and Google hijacking attacks, Hoffman said. "People are injecting JavaScript into malware to package traditional desktop vulnerabilities. We've seen the mass SQL attacks. It's becoming the vector of choice for an attacker. The next step is how do we analyze that?"

Hoffman said that at least one of the techniques he'll be discussing at Black Hat has been used in the wild. And while he said none of the techniques are a giant technological leap forward, Hoffman said they're all perfectly capable of defeating the current state of the art in sandboxing and analysis.

"These were really just the next logical step forward," Hoffman said. "But they can get around pretty much every sandbox that exists."