Topic: Time-released malcode a new threat model....


polonus
« on: November 17, 2009, 10:10:09 PM »
Hi malware fighters,

Re: http://www.sophos.com/blogs/sophoslabs/?p=7407

Malcreants go to extremes to hide the true intentions of their malcode creations,
in such a way that humans and computers cannot detect its content.
For the major part these tricks can be easily circumvented,
especially where JavaScript obfuscation is meant.
De-obfuscation can be obtained.
To protect their malcode better, that has been encrypted one way or another,
malcreants need a script emulator.

Sophos' security researchers recently found a new obfuscation method
that looks like the one-time-pad concept.
One-time encryptors generate and encrypt the content,
in which the key is a function of the 'download environment',
like the referrer or the last adopted time.

When the script is rendered, it contains all the info to fully decode.
If an AV vendor wants to analyze the script, the download environment is already long gone,
making decoding the script an almost impossible job to perform, according to Sophos's Pete.
The recently found script decodes itself only and uniquely on the 47th second
of the seventh day of each month.
"Next to brute-force methods, the only real solution to tackle this problem is
'Just in Time detection', also known as on-access scanning.
We know that avast has spear-head technology in this field.
If that should fail your only effective solution lies in using the Firefox or Flock browser
with NoScript and RequestPolicy add-ons installed."

polonus
« Last Edit: November 17, 2009, 10:11:58 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!