A group of Italian researchers have come up with new obfuscation techniques that can be used to dupe malware detection systems and allow malicious actors to execute successful drive-by download attacks.
“The explosive growth of malware is continuously fueled by the release of new technologies for the web,” the researchers noted. “On one side, standardizing committees, web browser developers and large companies operating on the Internet are pushing for the adoption of technologies allowing the development of rich web-based client applications. On the other side, the flourishing of these technologies is multiplying the possibilities of developing malware that are more effective and harder to detect than in the past.”
“All the techniques are based on the original drive-by-download malware schema: as a preliminary phase, the original malware is obfuscated and stored server-side; once the victim visits the malicious page, the malware is downloaded, reassembled and launched,” they explained.
But while the first phase is the same as before (the malicious code is split into chunks), the delivery and deobfuscation phases use the APIs to avoid the typical, well-known deobfuscation and malware-assembly patterns that detection systems look for.
The three techniques they came up with are: let the user trigger the execution of the preparation code; distribute the preparation code over several concurrent and independent processes running within the browser; or delegate the preparation of the malware to the system APIs.
The researchers tested these implementations against existing malware detection systems and, in almost all of the cases, web malware that was detected without obfuscation went undetected when “processed” with their obfuscation techniques.
The ultimate aim of their research was to motivate the developers of malware detection systems to add effective countermeasures for these attacks before these techniques are widely used by attackers. To that end, they also proposed a set of countermeasures for each technique.