Masked drive-by attacks hide malware

News by Max Cooter

The recently-standardised HTML5 could be used to mask drive-by attacks resulting in antivirus products being unable to pick out the malware attacks.

Cyber-criminals who instigate drive-by attacks have a new weapon at their disposal according to a team of Italian researchers.

Drive-by download attacks work by persuading victims to download  web pages  containing malicious JavaScript code.  The recently-standardised HTML5 could be used to mask such threats revealed the scientists, resulting in antivirus products being unable to pick out the malware attacks – even though the products could pick out unmasked attempts.

According to the report's authors, Alfredo De Santis, Giancarlo De Maio and Umberto Ferraro Petrillo, there are three methods that can be used to obfuscate these threats.

·                     Delegated preparation: Delegates the preparation of malware to the system APIs.

·                     Distributed preparation: Distributes the preparation code over several concurrent and independent processes running within the browser.

                      User-driven preparation:  Lets the user trigger the execution of the preparation code during the time he spends interacting with the page.

The report's authors pointed out that there were counter-measures that could be taken to mitigate these threats.   One way  forward  is to completely prevent the ability “to run code that has been dynamically assembled using the output of a query to the local storage engine,” they wrote in the report – this is an approach that could be taken against all three techniques, although there are alternative methods.

According to Fraser Kyne, principal systems engineer with Bromium, the researchers' findings reveal some of the inadequacies of antivirus products.  “This report provides yet more evidence of the futility of detection. The only meaningful way to protect against malware is via hardware-enforced isolation. You cannot protect Windows in Windows.”

He said that attackers would be eager to exploit the possibilities thrown up by the use of HTML5. “Attackers will be agile to respond to any new tools that makes their work possible. As the paper points out: new capabilities come with new vulnerabilities,” he added.  Although, exploitation of the possibilities thrown up by HTML5 is not going to be an easy task, Kyne said, they'd be happy to master the techniques if it were worth their while. “It just depends on how badly they want your data.”

He said that users should get accustomed to exploits like this. “They will become more common over time, and people are woefully prepared to fight them if they continue to rely on detection,” he said.

However, not everyone is agreed that this is a significant exploit.  Gavin Reid, VP of threat intelligence at Lancope said the research was valuable but it was important not to get too concerned.  “It's not a show stopper. The same was said about VPN, with the traffic obscured you can't do the normal DPI and other security monitoring/analysis.  In general people agree that the balance between monitoring and privacy gains is worth the lack of visibility. Combined with decent security in depth the monitoring and analysis can be completed elsewhere.”

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews