NOW READ THIS
("Security Advisory")



Submitted by: Bill Hickey
NCVA Listmaster
Distributed via NCVA REFLECTOR: 2007-01-11 0119z

NRT-0006 Computer Security -- Malicious Code:

One sign that digital miscreants are growing in their level of sophistication is the method they use to hide malicious code from detection, according to new research from Finjan Inc., a computer security company based in San Jose, Calif. Security vendors that post security updates to their customers would theoretically need to create millions of signatures for those customers.

Called dynamic code obfuscation, the method is being used by attackers to place encrypted virus code onto victims' computers, creating the potential to wreak havoc for ALL antivirus vendors. Example: two people visit a malicious Web site at the same time; each receives differently encrypted or obfuscated code, generated on the fly with a different set of function and parameter names. The dynamic obfuscation method will make virus signatures virtually useless, since different encryption keys change the way the malicious code looks on each victim's machine.

ALL security vendors posting periodic security updates to their customers will theoretically need to create millions of individual signatures for their customers. (Bill's note: Think of the code distribution problems we had with RPS/CMS back in the '60s-'80s.)

To further complicate matters, with the dynamic obfuscation method the encryption result is different each time you visit a malicious site, because the key is changed. Thus, even if the AV program picked it up once, there is no guarantee that it will pick it up again.
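The following is an added illustration, not part of the advisory or of Finjan's research, of why per-visit renaming plus a fresh key defeats a signature taken over the delivered bytes, and of the defender's counter: undo the wrapper (the key must travel with the payload or the victim's browser could not run it) and canonicalize identifier names before hashing. The script body, the renaming scheme, the single-byte XOR "encryption" and the function names are all constructed assumptions for the demonstration; the body is a harmless greeting routine standing in for malicious code.

```python
import hashlib
import random
import re
import string

# Constructed, harmless stand-in for the script an attacker would deliver.
# It only builds a greeting string; it exists to show how the bytes change.
BENIGN_BODY = "function greet(name) { var msg = 'hello ' + name; return msg; } greet('world');"

# Identifiers the (assumed) obfuscator is allowed to rename: its own
# function and parameter names, as the advisory describes.
RENAMEABLE = ("greet", "name", "msg")

# Tokens that must keep their spelling when we canonicalize.
KEYWORDS = {"function", "var", "return"}


def deliver_variant(body, seed):
    """Assumed model of per-visit dynamic obfuscation: random identifier
    names plus a fresh single-byte XOR key for every visit (seed).
    Returns (ciphertext, key). The key is returned because, in practice,
    it has to accompany the payload for the victim's machine to decode it."""
    rng = random.Random(seed)
    renamed = body
    for ident in RENAMEABLE:
        fresh = "_" + "".join(rng.choice(string.ascii_lowercase) for _ in range(8))
        renamed = re.sub(rf"\b{ident}\b", fresh, renamed)
    key = rng.randrange(1, 256)  # never 0, so the bytes really change
    cipher = bytes(b ^ key for b in renamed.encode())
    return cipher, key


def byte_signature(cipher):
    """Naive signature: a hash of the bytes exactly as delivered.
    Two visits produce two different values, so one signature per visit."""
    return hashlib.sha256(cipher).hexdigest()


def normalized_signature(cipher, key):
    """Defender's view: decode the wrapper, then rename every non-keyword
    identifier to a positional name (id0, id1, ...) so that the attacker's
    random names carry no information. String literals are left alone."""
    plain = bytes(b ^ key for b in cipher).decode()
    mapping = {}

    def canon(match):
        tok = match.group(0)
        if tok.startswith("'") or tok in KEYWORDS:
            return tok
        if tok not in mapping:
            mapping[tok] = f"id{len(mapping)}"
        return mapping[tok]

    canonical = re.sub(r"'[^']*'|\b[A-Za-z_]\w*\b", canon, plain)
    return hashlib.sha256(canonical.encode()).hexdigest()


if __name__ == "__main__":
    c1, k1 = deliver_variant(BENIGN_BODY, seed=1)
    c2, k2 = deliver_variant(BENIGN_BODY, seed=2)
    print("byte signatures equal:      ", byte_signature(c1) == byte_signature(c2))
    print("normalized signatures equal:", normalized_signature(c1, k1) == normalized_signature(c2, k2))
```

The first comparison prints False and the second True: the same logic reaches two visitors as two different byte strings, but after decoding and canonicalizing the identifiers both reduce to one stable value. Real obfuscators layer far more transformations than renaming and a one-byte key, which is why practical detection leans on decoding or executing the script in a sandbox and matching on behaviour or on the decoded content rather than on the delivered bytes.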

Code obfuscation is not new. Programmers have used the technique to hide redirect functions on pop-up, ad-driven Web sites to avoid being penalized by search engines.



Last Modified: Saturday, 20-Jan-2007 18:02:55 EST