The Finjan report provides several examples of dynamic code obfuscation techniques identified by Finjan's MCRC as an especially insidious threat that undermines the ability of security vendors to detect and counter encrypted malicious code. These strategies entail providing each visitor to a malicious site with a different instance of obfuscated malicious code, based on random functions, parameter name changes, etc. To counter this threat, a conventional signature-based security solution theoretically would need millions of signatures to detect the existence of this particular piece of malicious code and to block it.
"Dynamic code obfuscation techniques are the latest salvo from hackers in the ongoing battle of wits between security vendors and their hacker opponents," said Yuval Ben-Itzhak, Finjan's Chief Technology Officer. "Over the years, each time a new type of attack appears in the wild, security companies scramble to create a solution. Then, as soon as the hackers become familiar with the newest defense, they devise a new method to circumvent it. This endless game of 'cat and mouse' dates back to the early 1990s when virus writers created 'stealth' and polymorphic viruses to elude anti-virus programs. Currently, hackers have begun to take advantage of new web technologies to create complex and blended attacks. With their creation of dynamic obfuscation utilities, which enable virtually anyone to obfuscate code in an automated manner, they have dramatically escalated the threat to web security."
According to Ben-Itzhak, the new dynamic code obfuscation techniques are not only more sophisticated, but they are also growing in magnitude as a means of propagating malicious code. "This type of attack vector can easily bypass signature-based solutions like Anti-Virus and URL Filtering, which were not built to detect these types of dynamic web scenarios," he says. "Businesses that rely solely on reactive security technologies are most likely exposed to such a risk."
