Majority of Web Attacks Disguised, Says Researcher
By Dave Nixon
February 14, 2008
Nearly all web exploits are now disguised, making it extremely difficult to trace hackers, said a senior researcher at IBM.
By the end of last year, according to Kris Lamb, director of IBM Internet Security Systems’ X-Force, almost 100 percent of all web exploits were either self-encrypted or relied on obfuscation techniques to make it hard for conventional intrusion detection and intrusion prevention technologies to recognize the attack code.
“In 2006, we saw about 50 percent of web exploits obfuscated or encoded,” said Lamb, adding that, on average, 80 percent were camouflaged throughout 2007. “But that jumped to almost 100 percent by the end of the year.”
The reason for the increase in concealment is simple, said Lamb. “They’re not dumb. They only do what they’re forced to do,” he explained. “For them to continue to get a high rate of return, they had to understand the protection technologies that were being used. And security vendors were doing a pretty good job.”
“A lot of network security technologies were doing a good job in 2006, when they shifted from email to Web browser as an [exploit] entry point. Vendors have been keeping up with that trend and building new types of security technologies to keep up with technologies extending the browser, like Flash and JavaScript,” Lamb continued.
That forced attackers into concealing more of their browser exploits, and doing a better job of masking their work, mainly by relying on JavaScript. “More than any other technology, JavaScript is used to obfuscate and self-encrypt,” Lamb said.
JavaScript is omnipresent. It is cross-platform and cross-browser, and its inherent complexity is perfectly suited to hacker use, argued Lamb. “Attackers can do very advantageous things, like encode it so when it goes over the wire, all the recipient sees is a data blob,” he noted.
And disabling JavaScript is not an option for the majority of users. “Even I’d be hard-pressed to disable JavaScript entirely,” acknowledged Lamb. “So much of my experience and my productivity experience depends on JavaScript, or another scripting language, like VBScript or Adobescript.”
This year, he forecast, the concealment will persist, with hackers progressively adding secondary scripting languages to their obfuscation and encryption repertoires. “They’ll start using other browsing scripting frameworks more - more vendor-tied scripts, like Adobescript,” Lamb said. Also known as JavaScript for Acrobat, Adobescript allows PDF files to be customised using scripting.
Hackers have already made use of Adobescript. On Monday, McAfee’s Vinoo Thomas said that attacks had begun that employed at least one of the still-unnumbered vulnerabilities in Adobe Reader disclosed last week. Thomas, however, pegged the exploit to Adobe JavaScript.
“The current vulnerability can be embedded in a PDF file and manipulated through Adobe JavaScript,” he said in a warning posted to the Avert Labs’ blog on Monday.
The obfuscation and encryption, however, are at present one feature of the current trend toward attacks aimed primarily at browsers, said Lamb. “Whether through drive-by downloads or compromising legitimate sites, or a combination of advanced, targeted phishing, the browser is involved in some way,” he said. “It’s the main frontier of exploit right now.
“We used to call the operating system the ‘keys of the castle,’ but as exploits moved up the application stack and as the browser became the new OS, it’s now the keys to the castle,” he added.

