If at first you don't succeed; call it version 1.0
Sunday, October 15, 2006

Exploits for browser vulnerabilities are here to stay.
Most security products today are using reactive methods (signatures) to detect the specific exploit, instead of trying to detect the general case of the vulnerability exploitation. Evading those signatures is very easy, as I already showed.

The methods I presented were simple and very specific to the VML vulnerability. H.D. Moore has implemented some of these methods in his Metasploit VML exploit module. Others were implemented in old browser exploit modules, like the createTextRange exploit module.

H.D. Moore, LMH, and I have decided to generalize the evasion methods and package them all into one project.

Introducing: VoMM (eVade-o-Matic Module for metasploit) - Taking browser exploits to the next level.

The purpose of this project is to create a module for Metasploit that will take any given browser exploit and make it as undetectable as possible.

Currently, most anti-virus signatures rely on "variants", meaning that any small change in the malicious code is considered by the AV to be a new variant.
The VoMM project shows that this procedure cannot be applied to browser exploits, as each exploit can have an endless number of "variants" with no change to the server-side code.

More detailed information about the VoMM project, and the evasion techniques that were implemented, can be found in LMH's info-pull blog.   
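
An added illustration (not code from VoMM, Metasploit or this post) of the variant problem described above, seen from the detection side: a byte signature lifted from one sample is compared with a check that normalizes the script text before matching. The sample pages, the `vulnerableCall` marker and every function name are constructed for this example.

```python
import re

# Constructed, harmless samples. "vulnerableCall" is a hypothetical marker
# standing in for whatever name a real signature would key on.
ORIGINAL = '<script>var t = "vulnerableCall"; window[t]("AAAA");</script>'
REWRITES = [
    '<script>var  t="vulnerable"+"Call";window[t]("AAAA");</script>',
    '<script>/*x*/var t = "vulner\\x61bleCall"; window[t]("AAAA");</script>',
    '<script>var n = "\\u0076ulnerable" + \'Call\'; window[n]("AAAA");</script>',
]
BENIGN = '<script>var t = "safeCall"; window[t]("hello");</script>'

# Reactive signature: bytes lifted from the first sample that was seen.
BYTE_SIGNATURE = b'var t = "vulnerableCall"'
# Indicator checked after normalization: the literal the script resolves to.
INDICATOR = '"vulnerableCall"'

def byte_match(page: str) -> bool:
    return BYTE_SIGNATURE in page.encode("utf-8")

def _unescape(m: re.Match) -> str:
    return chr(int(m.group(1), 16))

def normalize(page: str) -> str:
    """Undo literal-level rewriting only; nothing is executed."""
    s = re.sub(r"/\*.*?\*/", "", page, flags=re.S)      # block comments
    s = re.sub(r"\\x([0-9a-fA-F]{2})", _unescape, s)    # \xNN escapes
    s = re.sub(r"\\u([0-9a-fA-F]{4})", _unescape, s)    # \uNNNN escapes
    s = s.replace("'", '"')                             # one quote style
    s = re.sub(r'"\s*\+\s*"', "", s)                    # fold "a" + "b"
    return re.sub(r"\s+", "", s)                        # drop whitespace

def normalized_match(page: str) -> bool:
    return INDICATOR in normalize(page)

def compare(pages):
    """Return (byte_signature_hit, normalized_hit) for each page."""
    return [(byte_match(p), normalized_match(p)) for p in pages]

if __name__ == "__main__":
    pages = [ORIGINAL, *REWRITES, BENIGN]
    for page, result in zip(pages, compare(pages)):
        print(result, page)
```

Normalization of this kind only reverses literal-level rewriting; script that decodes itself at run time is out of its reach and needs emulation.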


Sunday, October 15, 2006 3:14:51 PM UTC | Comments [5] | Security#
Wednesday, October 18, 2006 3:47:24 PM UTC
Wtf hax!
Thursday, October 26, 2006 3:53:40 PM UTC
I think it is a little inaccurate to state that 'currently most Anti-Viruses signatures relies on "variants"'. In fact most vendors currently put most emphasis on generic detection, as this has the advantage of detecting previously-unseen malware as well as that already seen.

The reason vendors detect some (although certainly not all) changes as new variants is because they have to! If a change did not break detection as a given variant, this would be fine. Unfortunately these changes may be enough to stop a signature detecting the sample at all, which is not acceptable, hence a new signature with a different variant name must be written.

The argument about VoMM producing an endless number of variants is no different to the historical example of polymorphic viruses, which despite having a potentially infinite number of forms, could still all be detected as a single virus.

There is nothing yet to say that, with advanced decryption techniques, the string obfuscation to be employed by VoMM will not be easily dealt with by security vendors.
Thursday, October 26, 2006 8:53:01 PM UTC
Well, if most vendors rely on generic detection (or do their best to implement it), I can't understand why most need to provide updated signatures for each 'variant' (note quotes) of a single case. For example Mydoom.

I've seen signatures that use strings like the title of a message box or an author note within the executable (ala: greetz to...). It's not just about the signature engines, but also the laziness and rather funny stupidity of whoever writes them.

Even seen signatures that just try to detect a large stream of A characters, and even worse, hoping to catch some kind of nonsensical 'exploit'.

I have yet to see a catch-all signature around that is really effective.

Also, VoMM isn't about 'polymorphism' (as you describe it). You are delivering a totally different stream each time, the whole thing. It has nothing to do with memory, registers and other wizardry. It's much more simple (after all, it's JavaScript...), that's why it works.

I would encourage reading the documentation about it, it's all fairly well explained.

A similar approach applied to executables could be the randomization of the image base, and so on. This would defeat signatures that rely on fixed offsets (and sandboxes/VMs that check for known code locations).

Can it be defeated with a good VM? Quite probably.

Also, 'advanced decryption techniques' is pure buzz wording (no offense, really). While you can try to fingerprint a single encoding method and sandbox it to catch the key (ex. in XOR encoding), this isn't straightforward and no single product out there does that right now. Plus the fact that it would have to defeat the other obfuscation layers (hint: layer here means we are using techniques on top of each other).

Cheers.
Friday, October 27, 2006 6:29:00 PM UTC
Is this a hacker :)
Friday, October 27, 2006 11:10:28 PM UTC
@Kevin:
My last research with the VML exploit (http://aviv.raffon.net/2006/09/25/VMLExploitVsAVIPSIDSSignatures.aspx) shows that the vendors' work is probably not good enough.

As I understand, if malicious code does the same thing in a way that is not detected by the signature, it's a new variant. Hence, if the attacker has a server-side scripting capability which breaks the browser exploit's signature, he can create an endless number of "variants" for browser exploits.