Anti-Forensic Techniques used in Newly Discovered Trojan
Finjan has reported an exploit called "random js toolkit" which dynamically generates random versions of its malware to avoid signature base detection. Unlike polymorphic viruses that mutate and spread from infected host to uninfected host, this malware is served from Web sites. The attackers can make use of trusted sites to avoid reputation-based blocking as well. So how do we detect this type of malware?
“What’s needed to counter this exploit is dynamic code inspection technology that can detect and block an attack in real time,” Ben-Itzhak [Finjan CTO] said. “This technology doesn’t depend on the origin URL, signature or the site’s reputation, but inspects the Web content in real-time, as served. It analyzes the code’s intentions before enabling it be executed on the end-user browser.”
This malware is some biological viruses that mutate so rapidly they are difficult to combat. The HIV/AIDS virus is on example. A recent advance in that field identified a large number of proteins needed by the AIDS virus to infect the human body. In a similar way, if we can find common dependencies or patterns in the randomly generated code, they can be blocked. Behavior based detection is one way to identify polymorphic viruses which looks for common patterns in virus execution, the same technique should be a promising start for countering this new form of Web site delivered Trojan.
Email This!
Digg it!
Sphere it!
Del.icio.us
Reddit!
Newsvine
