
SHELLCODE DETECTION: AN ADDITIONAL LAYER FOR FILE-FORMAT EXPLOIT PREVENTION

May 12, 2009, posted by baoz

The malware business has made several leaps in the last five years, on both the malware-author side and the anti-virus-vendor side. Malware design is no longer led by eclectic programmers and curious young adults; instead it is a multi-million dollar venture conducted by increasingly skilled teams of programmers, funded by even larger entities for profit and espionage.

Furthermore, since malware became capable of generating a substantial income, the amount of newly developed malware has grown exponentially in the last two years alone, to staggering new highs. This new pyramid of malware-related profit has forced anti-virus vendors and other computer security companies to constantly evolve their products and technologies in order to combat malware on such a large scale. In response to the advancements in anti-virus products, attackers have turned to more advanced methods in order to bypass signatures and heuristic detection engines. An example of these new attack strategies is file-based exploit malware: a normally harmless file type is maliciously crafted so that, once it is opened by a vulnerable application, it corrupts that application's memory in a way that causes it to execute attacker-supplied code and install malware silently.

The concept behind this attack is nothing new; attackers have trojanized files since the dawn of malware. The traditional route attackers took in the past was through file containers, such as Office macros, OLE embedded objects, NTFS Alternate Data Streams, and even merged or joined files. However, these methods are primitive and were trivial for anti-virus products to detect and protect against. Since each of them requires the attacker to store an actual malware file inside the trojanized file, anti-virus products could simply scan the container sections of these files for malware, effectively treating each section as a separate file. File-based exploit malware does not follow these rules: it does not use sub-container sections of the file, and it does not embed a file in the traditional sense. Instead, attackers embed malicious "shellcode" into these files in order to deliver their malware.

There are two requirements for a file-based exploit to work successfully: a vulnerability or exploitable condition in the application associated with the file type, and working shellcode. An exploitable condition is a programming error in the application responsible for opening the file (such as Microsoft Office Word for .doc files, Adobe Reader for .pdf files, or iTunes for .mp3 files) such that, when the application opens a malformed file of its type, the error corrupts the computer's memory in a way that causes data loaded from that malformed file to be executed as code. Normally this would just crash the application and display the typical crash-report dialog box to the user, unless the attacker embeds shellcode into the malformed file. Shellcode is a payload of raw machine code that, when loaded into memory through an exploit, effectively gives the attacker control of the computer. So instead of crashing the application, the shellcode performs a malicious act such as downloading and installing malware from the Internet, opening a listening port for remote access, or even adding a user account to the computer.

File-based exploit malware defeats traditional virus scanning: normally the AV software opens the file, scans its content, finds no embedded malware file and marks the file as clean. This leaves the user exposed to a gaping hole in computer security that modern malware authors are actively using to compromise systems and install malware. In order to counter this threat, eEye's Blink Endpoint Security uses a technology that stops file-based exploit malware before it is executed. This generic exploit detection technology allows any file to be scanned not only for traditional malware threats, but also for malicious shellcode embedded anywhere within the file. Furthermore, to ensure the safety of the system, the shellcode detection engine scans the file before the target application opens it, which prevents the exploit and the malware it carries from hiding their presence or taking other evasive actions to bypass the technology.
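The two paragraphs above describe what shellcode is and claim that it can be spotted generically, anywhere inside a file, without a signature for the specific malware. The scanner below is an added illustration of the pattern-based part of that idea; it is not eEye's engine and not code from the original post. It searches a raw byte buffer for idioms that position-independent Windows x86 shellcode almost always contains (a "GetPC" sequence to learn its own address, a read of the PEB at fs:[0x30] to locate kernel32, a NOP sled), clusters nearby hits and scores them. The pattern list, weights, threshold and the sample "document" bytes are all assumptions constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Byte patterns characteristic of position-independent x86 shellcode.
# Entries are (name, regex over raw bytes, weight). Patterns and weights are
# assumptions for this example, not any vendor's actual rule set.
SHELLCODE_PATTERNS = [
    # call $+5 ; pop reg      -> classic "GetPC": learn the shellcode's own address
    ("getpc_call_pop", re.compile(rb"\xe8\x00\x00\x00\x00[\x58-\x5f]"), 40),
    # fldz ; fnstenv [esp-0xc] ; pop reg -> FPU-based GetPC used by many encoders
    ("getpc_fnstenv", re.compile(rb"\xd9\xee\xd9\x74\x24\xf4[\x58-\x5f]"), 40),
    # mov reg, fs:[0x30]      -> read the PEB to walk loaded modules
    ("peb_access", re.compile(
        rb"\x64(?:\xa1|\x8b[\x05\x0d\x15\x1d\x2d\x35\x3d])\x30\x00\x00\x00"), 35),
    # jmp short fwd ... call back (negative disp32) ; pop reg -> the other GetPC idiom
    ("jmp_call_pop", re.compile(
        rb"\xeb[\x00-\x7f].{0,127}?\xe8[\x80-\xff]\xff\xff\xff[\x58-\x5f]", re.DOTALL), 30),
    # NOP sled of at least 16 bytes
    ("nop_sled", re.compile(rb"\x90{16,}"), 20),
]


@dataclass
class Hit:
    name: str
    offset: int
    weight: int


def find_hits(data: bytes) -> List[Hit]:
    """Run every pattern over the whole buffer; shellcode can sit at any offset."""
    hits = [Hit(name, m.start(), weight)
            for name, rx, weight in SHELLCODE_PATTERNS
            for m in rx.finditer(data)]
    return sorted(hits, key=lambda h: h.offset)


def score_windows(hits: List[Hit], window: int = 512) -> Tuple[int, Optional[int]]:
    """Cluster hits within `window` bytes of each other; each pattern counts once
    per cluster. Returns (best score, offset where that cluster starts)."""
    best, best_start = 0, None
    for i, first in enumerate(hits):
        score, seen = 0, set()
        for other in hits[i:]:
            if other.offset - first.offset > window:
                break
            if other.name not in seen:
                seen.add(other.name)
                score += other.weight
        if score > best:
            best, best_start = score, first.offset
    return best, best_start


def scan_file_bytes(data: bytes, threshold: int = 50) -> dict:
    """Generic verdict for an arbitrary file: independent of file format and of
    any signature for a particular malware family."""
    hits = find_hits(data)
    score, start = score_windows(hits)
    return {"suspicious": score >= threshold, "score": score, "offset": start,
            "hits": [(h.name, h.offset) for h in hits]}


# --- constructed sample input (not real malware) ---------------------------
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"          # compound-file header
FILLER = b"Quarterly results, see attached slide deck. " * 40
# Shellcode-like stub: NOP sled, GetPC, then the start of a PEB walk.
SHELLCODE_STUB = (
    b"\x90" * 32
    + b"\xe8\x00\x00\x00\x00\x5b"      # call $+5 ; pop ebx
    + b"\x64\xa1\x30\x00\x00\x00"      # mov eax, fs:[0x30]   (PEB)
    + b"\x8b\x40\x0c"                  # mov eax, [eax+0x0c]  (PEB->Ldr)
    + b"\x8b\x40\x14"                  # mov eax, [eax+0x14]  (InMemoryOrderModuleList)
)
MALICIOUS_DOC = OLE_MAGIC + FILLER + SHELLCODE_STUB + FILLER
BENIGN_DOC = OLE_MAGIC + FILLER * 2

if __name__ == "__main__":
    for label, doc in (("malicious", MALICIOUS_DOC), ("benign", BENIGN_DOC)):
        print(label, scan_file_bytes(doc))
```

The scoring is deliberately cluster-based: a lone 0xE8 0x00 0x00 0x00 0x00 can occur in legitimate binary data, but a GetPC sequence followed within a few hundred bytes by a PEB read rarely does. Byte patterns like these are only the first layer of a real engine: an encoded or self-modifying payload exposes just a short decoder stub, so production shellcode detectors also emulate candidate offsets and watch for the decoded code to reach the same idioms at run time.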

A perfect demonstration of the effectiveness of this technology can be seen with the latest 0-day threats in Microsoft PowerPoint and Excel. At the beginning of April 2009, malware authors discovered a new, unpatched vulnerability in Microsoft Office PowerPoint 2000, XP, 2003, and 2004 for Mac. This was similar to the Excel vulnerability that malware authors discovered in mid-February, which affected all versions of Excel. By combining either of these vulnerabilities with malicious shellcode, they were able to create very effective file-based exploit malware. To spread it, attackers began sending emails containing links to the malicious presentation or spreadsheet files. When the victim clicks the link and opens the trojanized Office file, the exploit executes a large amount of shellcode that not only downloads and installs a brand-new Windows rootkit in the background, but also opens a normal PowerPoint presentation or Excel spreadsheet in order to cover up the attack. This attack represented a true nightmare for AV vendors: a brand-new flaw in a popular software suite that installs a never-before-seen piece of malware, effectively bypassing any signature-based detection that would normally be relied on in this scenario. With this shellcode detection technology built into its AV scanning software, eEye Digital Security and Norman were the only two of the 35 vendors tested that detected the exploit, and eEye was the only vendor whose product prevented the exploit from executing any malicious shellcode on the user's system. Users with Blink installed were protected against the new PowerPoint and Excel vulnerabilities not only by the newly developed shellcode detection engine but also by eEye's patented system protection and zero-day attack protection engines. This layered defense allows Blink to block zero-day vulnerabilities and attacks without needing updates or signatures.
