The concept of malware morphing is not new. For years, malware authors and anti-virus researchers have documented and classified the methods used to obfuscate and hide malware code with each infection.
And while these techniques have been a source of innovation for web browser exploit developers, in their first generation they were relatively ineffective against traditional signature-based protection engines for the following reasons:
· Malware authors did not have the organizational structure or financial backing to develop obfuscation techniques that would be effective against modern security solutions.
· Patches were generally available when an exploit appeared.
· The methods used for attracting victims to malicious websites were relatively unsophisticated and static in nature.
Today, however, times have changed. Malware is morphing at an unprecedented rate, to the point where signature-based systems are no longer effective against them. We have entered a new era where “zero hour” exploitation is the rule, not the exception, thus the latency inherent in signature engines means systems are constantly exposed to potential compromise.
The dawn of x-morphic exploitation
The last year has shown a dramatic rise in web browser attacks that are far more difficult to detect, personalized in nature and, therefore, much more dangerous to even the most Internet-savvy user.
Attackers are now dynamically altering the obfuscated exploit each time a potential victim visits the malicious page, effectively creating a unique exploit with each request. This is called x-morphic exploitation – delivering highly obfuscated and one-of-a-kind web browser exploits.
The main reason for this change has been the commercialization of internet-based crime. As new revenue opportunities have appeared and matured, organized criminals have begun to invest in exploit delivery systems that can operate for longer periods of time before protection can be developed and deployed.
The uniqueness principals of malware development are now being applied to commercial exploit development, and are easily incorporated within web browser attacks due to their susceptibility to content-level manipulation.
With x-morphic exploitation, the code that morphs the exploit is never passed through to the victim host. Therefore no opportunity exists for the protection vendors to shortcut exploitation identification by singling out the x-morphic engine – rendering useless signature-based protection engines, designed to detect polymorphic and metamorphic generating code, that make up the antivirus market.
The rise of the x-morphic engine
The new breed of “x-morphic engine” is designed to serve highly obfuscated and one-of-a-kind web browser exploits with each page rendered to a potential victim. The sophistication may range from a malicious server-side script posted to a legitimate web site, to a custom web server engine incorporating multiple obfuscation and morphing technologies and built into a standalone service that could be deployed as part of a standard botnet agent.
The concepts and mechanics behind an x-morphic engine are relatively simple, with the individual techniques and technologies having been deployed in the wild for many years. The difference today is that organized criminals are harnessing this knowledge to develop simpler, more reliable delivery platforms.
There are two core elements to the x-morphic engine:
· Exploit morpher: this element focuses on manipulating a stock web browser exploit by reordering, padding, swapping shellcode, changing script components or otherwise altering the exploit code.
· Obfuscators : this element consists of engines working at the network layer, the content delivery layer or application content layer, which takes the morphed exploit code and wraps it in one or more layers of obfuscation. Each obfuscation layer can add its own randomness, thereby providing a metamorphic aspect to the final exploit.
The developer of an x-morphic engine has a multitude of obfuscation techniques available to him that when combined together and incorporated into an automatic attack delivery platform become a very complex threat.
Personalizing the attack
X-morphic engines further obfuscate their attacks by taking advantage of advanced personalization techniques.
Personalized attacks deceive visitors by creating a more dynamic “user experience” on the site, while bypassing many security systems (such as antivirus and traditional signature-based intrusion detection/prevention) that are “trained” to block known exploits rather than new ones.
According to the X-Force 2006 annual report on security trends, 30 percent of malicious web sites were using personalization techniques by the end of 2006, and that number is rapidly growing. Furthermore, these sites have the intelligence to avoid serving up malicious pages when they are being probed by tools used by many security research organizations to identify malicious sites. This means most of them are flying under the radar of many security companies.
At first glance the outlook is bleak. X-morphic exploitation is expected to become the default method of web-based delivery, and will replace the more ad hoc exploit delivery channels (i.e. largely uncoordinated manual efforts) currently used by criminal organizations. They will become more extensible, with third-party developers eventually providing specialized content that can be dropped in, likely following a subscription model.
The first generation of commercial services, exemplified by the new “managed exploit providers” such as Inet-Lux, has already appeared. They are catering to criminal and grey-legal organizations, and have been widely adopted by spyware and adware vendors.
Fortunately, simultaneous to the development of x-morphic threats, legitimate security researchers and organizations have been developing more preventative means of fighting these sophisticated attacks. Recent advances in anomaly detection and intrusion prevention systems combined with more behavioral-based techniques are helping organizations spot suspicious activity earlier. They do this by building profiles against classes of attacks, rather than relying on signature-based protection engines to find individual instances of attacks.
There will continue to be a cat-and-mouse game between exploit producers and security companies. It is important for people to understand that with the arrival of x-morphic exploitation, the game has entered a new phase – a phase that has just rendered your trusty signature-based antivirus system obsolete.
Gunter Ollmann is director of security strategy at IBM Internet Security Systems