Evasive attacks cover their tracks
Monday, 24 September 2007 11:17
Yuval Ben-Itzhak, CTO of Finjan, says that malicious code has become a business and can remain undetected.
Malicious code has become a business, and its evolution is being driven by commercial and financial interests. Criminals are willing to pay large sums of money for the bank account details, credit card numbers and social security IDs collected by Trojans, keyloggers and other types of malicious code. Accordingly, commercially motivated hackers continue to raise the technological bar, finding new ways to mask, disguise and obfuscate malware attacks. The rationale is simple: the longer their malicious code remains undetected, the greater the number of users that can be infected. Now that malicious code has been commercialized, a large number of infected users means higher revenues for the attackers.

Security research by Finjan's Malicious Code Research Center uncovered a new genre of highly sophisticated attacks designed to evade signature-based and database-reliant security methods. These attacks represent a quantum leap in technological sophistication, going far beyond drive-by downloads and code obfuscation. Using advanced techniques, these evasive attacks significantly reduce the malicious code's exposure, lowering the likelihood of detection and maximizing opportunities for infection.

By keeping track of the IP addresses of visitors to a particular website or web page, these attacks expose malicious code to each visitor only once. The second time a visitor tries to access the same page, benign content is displayed and all traces of the malicious code vanish completely. Moreover, evasive attacks can identify the IP addresses of the crawlers used by URL filtering, reputation services and search engines, replying to them with legitimate content and increasing the probability that the site is mistakenly classified as legitimate. Combining evasive attacks with code obfuscation techniques significantly enhances the ability of sophisticated malicious code to go undetected for longer.
Since the attacks are designed to deliver a high rate of infection, there is no need to deliver the same code twice to a potential victim. Equally important, this minimizes the exposure of the malicious code to forensic analysis or security research, as a visitor has just one opportunity to actually see the code. In addition to avoiding being "seen" twice in the same place, evasive attacks use country filtering, which means that the operator of the malicious code package can selectively decide which countries (according to IP address) will be served the malicious code. This allows the operator to target and focus attacks on specific venues while avoiding countries in which, for example, security vendors are known to operate their labs. Examples of such attacks are presented in Finjan's Q2/2007 Web Security Trends Report.

As attacks become more evasive and obfuscated, security companies find it more difficult to get hold of malicious code, analyze it in their labs and create a signature for it. Anti-virus, reputation-based services and URL filtering solutions are potentially limited in their ability to cope with evasive attacks, which appear once and then vanish. Solutions that can analyze web content in real time, understand its intent and make a decision on the fly are required to protect users from malicious code the first time it is seen. There are often no second chances when it comes to securing users' personal details and confidential corporate information. Real-time code inspection technology detects such malicious code without relying on signature updates or databases of classified URLs. Since it analyses each piece of content regardless of its source, this technology ensures that malicious content will not enter the network even if it originates from a highly trusted site.
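As an added example (not from the article or from Finjan), the following Python turns the three evasive behaviours described above into a consistency check for a research crawler: given fetch records gathered from several vantage points, it fingerprints each response and flags a URL whose content changes on a repeat visit from the same IP, differs for a crawler vantage point, or never matches across countries. The record fields, the `analyze` function and the sample fetch log are all constructed for this illustration.

```python
import hashlib
from collections import defaultdict

def content_hash(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()  # stable fingerprint of a response body

def analyze(records):
    """Group fetch records by URL and report evasive serving behaviour.
    Each record: {"url", "source_ip", "country", "is_crawler", "visit_no", "body"}.
    Returns {url: sorted finding names}; an empty list means consistent content."""
    by_url = defaultdict(list)
    for r in records:
        by_url[r["url"]].append(r)
    report = {}
    for url, recs in by_url.items():
        findings = set()
        # What ordinary visitors saw on their first visit, keyed by IP and by country.
        first_by_ip, first_by_country = {}, defaultdict(set)
        for r in recs:
            if not r["is_crawler"] and r["visit_no"] == 1:
                h = content_hash(r["body"])
                first_by_ip[r["source_ip"]] = h
                first_by_country[r["country"]].add(h)
        for r in recs:
            h = content_hash(r["body"])
            if r["is_crawler"] and any(h != v for v in first_by_ip.values()):
                findings.add("crawler_cloaking")  # crawler fed different content
            elif (not r["is_crawler"] and r["visit_no"] > 1
                  and first_by_ip.get(r["source_ip"], h) != h):
                findings.add("serve_once")        # same IP, later visit, content changed
        seen = list(first_by_country.values())
        if any(a.isdisjoint(b) for a in seen for b in seen if a is not b):
            findings.add("geo_split")             # two countries never see the same content
        report[url] = sorted(findings)
    return report

# Constructed sample fetch log (not real traffic): one consistent page, one evasive page.
BENIGN = b"<html>welcome</html>"
SUSPECT = b"<html><script>/* obfuscated loader */</script></html>"

def fetch(url, ip, country, crawler, visit, body):
    return {"url": url, "source_ip": ip, "country": country,
            "is_crawler": crawler, "visit_no": visit, "body": body}
SAMPLE_RECORDS = [
    fetch("http://example.test/ok", "198.51.100.10", "US", False, 1, BENIGN),
    fetch("http://example.test/ok", "198.51.100.10", "US", False, 2, BENIGN),
    fetch("http://example.test/evasive", "198.51.100.10", "US", False, 1, SUSPECT),
    fetch("http://example.test/evasive", "198.51.100.10", "US", False, 2, BENIGN),
    fetch("http://example.test/evasive", "198.51.100.20", "DE", False, 1, BENIGN),
    fetch("http://example.test/evasive", "203.0.113.5", "US", True, 1, BENIGN),
]
```

Running `analyze(SAMPLE_RECORDS)` reports the first URL as consistent and the second with all three findings; in practice the fetch records come from a crawler that deliberately revisits pages from several source addresses so that serve-once content cannot hide from the second look.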