
Cyber-crooks switch to code obfuscation

by Clement James

12 Jan 2007


Security firm Finjan has reported that dynamic code obfuscation was increasingly used as a method to bypass traditional signature-based security systems and propagate malware during the fourth quarter of 2006. 

The technique works by providing each visitor to a malicious site with a different instance of obfuscated malicious code, based on random functions and parameter name changes.

A conventional signature-based security solution would theoretically need millions of signatures to detect and block this particular piece of malicious code.
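Why one static signature cannot cover every renamed instance, and how a defender can normalise names before hashing, shown as an added Python example that is not from Finjan's report or the original article. The three script samples, the keyword list and the function names are constructed for illustration.

```python
import hashlib
import re

# Keywords and built-ins that a renaming obfuscator cannot change (partial list, assumed).
KEEP = frozenset("""var function return for if else new this document window
String fromCharCode write length""".split())

TOKEN = re.compile(r"""
    (?P<str>"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*')  # string literal
  | (?P<num>\d+(?:\.\d+)?)                         # numeric literal
  | (?P<id>[A-Za-z_$][\w$]*)                       # identifier or keyword
  | (?P<op>[^\s\w])                                # one punctuation character
""", re.X)

# Constructed, harmless samples: the same script with different names and spacing.
VARIANT_A = ('function qzx(a1){var r="";for(var i=0;i<a1.length;i++)'
             '{r+=String.fromCharCode(a1[i]+1);}return r;}'
             'document.write(qzx([71,104]));')
VARIANT_B = '''function mK_9( p ) {
  var out = "";
  for (var n = 0; n < p.length; n++) { out += String.fromCharCode(p[n] + 1); }
  return out;
}
document.write(mK_9([71, 104]));'''
UNRELATED = 'function greet(who){return "Hello, "+who;}document.write(greet("x"));'


def exact_signature(script: str) -> str:
    """Classic static signature: a hash over the raw bytes served."""
    return hashlib.sha256(script.encode()).hexdigest()


def normalised_signature(script: str) -> str:
    """Hash the token stream with author-chosen names replaced by ID0, ID1, ..."""
    names, out = {}, []
    for m in TOKEN.finditer(script):
        text = m.group()
        if m.lastgroup == "id" and text not in KEEP:
            # First-seen order gives each distinct name a stable placeholder.
            text = names.setdefault(text, f"ID{len(names)}")
        out.append(text)
    return hashlib.sha256(" ".join(out).encode()).hexdigest()


if __name__ == "__main__":
    for label, s in (("A", VARIANT_A), ("B", VARIANT_B), ("other", UNRELATED)):
        print(label, exact_signature(s)[:16], normalised_signature(s)[:16])
```

Variants A and B get different raw hashes but the same normalised hash, while the unrelated script differs on both. Normalisation of this kind only counters renaming and reformatting, not changes to literals or code structure.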

"Dynamic code obfuscation techniques are the latest salvo from hackers in the ongoing battle of wits between security vendors and their hacker opponents," said Yuval Ben-Itzhak, chief technology officer at Finjan.

"Over the years, each time a new type of attack appears in the wild, security companies scramble to create a solution. Then, as soon as the hackers become familiar with the newest defence, they devise a method to circumvent it."

Ben-Itzhak explained that this endless game of "cat and mouse" dates back to the early 1990s when virus writers created 'stealth' and polymorphic viruses to elude antivirus programs.

"Hackers have begun to take advantage of new web technologies to create complex and blended attacks," he added.

"With the creation of dynamic obfuscation utilities, which enable virtually anyone to obfuscate code in an automated manner, they have dramatically escalated the threat to web security."

The Finjan report also details two recently publicised incidents in which hackers used the Wikipedia encyclopaedia and MySpace social networking sites to infect users.

These incidents provided real-world examples of the use of Web 2.0 technologies to propagate malicious attacks.

Finjan said that 2006 saw the arrival of a diverse range of web-based infection techniques, including rogue anti-spyware, ransomware and rootkits, that elude traditional security solutions geared to protect against email viruses and spam.

Another development was the commercialisation of malicious code, as financial motivations played an increasing role in the evolution of malware.

Motivated by financial gain, hackers are trading vulnerabilities in online auctions, commercialising products such as malicious website creation toolkits, and developing new distribution techniques, including spam, for the propagation of malicious code.

Finjan predicts that as Windows Vista and Internet Explorer 7.0 begin to achieve critical mass during 2007, this development will trigger a new wave of exploits from professional hackers who have had time to prepare in advance.
