x-Morphic Attack Engines
Posted by Gunter Ollmann on May 23, 2007 at 9:43 AM EDT.
Traditionally, Web browser attacks have relied on fairly simple exploit code, typically written as scripts embedded in HTML documents. Consequently, such exploits are easy to block: standard regular-expression and heuristic-based signature engines identify the exploit pattern, and the attack can be thwarted on the network or at the host.
To overcome such protection mechanisms, attackers adopted numerous obfuscation techniques to disguise their raw exploit code. Their methods worked well, and newer, more sophisticated obfuscation methods were developed, almost guaranteeing that signature-based engines would not be able to protect against newer threats. In a world dominated by copy-paste exploit cloning, vendors of signature-based protection systems then focused on detecting the obfuscated exploit variant and were therefore able to provide protection to their customers. Although not zero-day protection, it was sufficient for many enterprise customers to mitigate widespread infection.
The obvious attacker response is to dynamically alter the obfuscated exploit each time a potential victim visits the malicious page, effectively creating a unique exploit with each request and making it impossible for a signature-based engine to match every attack instance from one captured sample. In the malware world, the technique of altering a malicious payload with each iteration to defeat detection is commonly referred to as oligomorphic (a small, fixed set of decoder variants), polymorphic (an encoded body with a freshly generated decoder) or metamorphic (the code itself rewritten each time) manipulation.
Unlike self-replicating malware, which must carry with it the means of altering itself, Web exploit developers can host their morphing algorithms and code on the Web server itself and do not need to make that code visible to the victim. Consequently, unlike morphing malware, morphed Web browser exploits do not contain superfluous morphing code, which makes these attacks considerably more difficult to detect.
Welcome to the world of personalized, one-of-a-kind Web browser exploits and the dawn of x-morphic exploitation.
For more information on the world of x-morphic attack engines, read my new whitepaper at http://www.iss.net/documents/whitepapers/IBM_ISS_x-morphic_exploitation.pdf

