A new report released this month by the Finjan Malicious Code Research Centre show code obfuscation is becoming one of the most popular techniques by cyber criminals.
Hackers are increasingly evading anti-virus programs by hiding code in safe HTML web pages or injecting malware into PDF or Flash files.
The research centre has been tracking malicious code since 2005 when hackers began obfuscating code by simple techniques, such as scrambling.
By 2007, hackers were creating dynamic, one-time, key hiding techniques, and evading anti-virus programs by creating unique signatures that could not be logged and blocked.
Ophir Shalitin, Director of Marketing for Finjan, said 80 per cent of all malicious coding cases reported today use obfuscated code.
“Malware authors are becoming tech-savvy and are always innovating,” he said.
The easiest way for criminals to use obfuscated code is on Web 2.0 programs, Shalitin said. These are websites where users can load their own code and allow programs to run off their servers or network.
By using legitimate, certified websites and multimedia files for malicious codes, signature and database-reliant security systems do not catch the malware.
Seventy-five to 90 per cent of obfuscating code is from legitimate web sources, Shalitin said, making obfuscating code problematic for enterprises that rely on anti-virus software alone.
The main advantage for cyber criminals is financial gain. Companies with valuable assets such as financial companies, banks, health care companies and airlines, are all at risk of being hacked.
“We found a malicious crime server with more than half a gigabyte of data from different companies,” Shalitin said.
“We only hear about the major breaches, but the small breaches that go unnoticed add up to a lot of data.”
Finjan found email correspondence, outlook information, SIN card information, credit card numbers, health care data and airline information all being logged to be sold.
Logs of Citrix (Nasdaq: CTXS) credentials at a popular airline carrier could have allowed hackers to sign into the company’s network and get the passenger list, cargo list and other financial data, Shalitin said.
Tom Slodichak, CSO of Burlington-based security group, White Hat Inc, agrees that code obfuscation is making it harder and harder for anti-virus software to filter websites, with his company finding it on many legitimate pages.
“An associate from a major firm told me their biggest headache is sanitizing against obfuscated code because it gets through the regular offences.”
It’s becoming harder and harder to filter these websites, Slodichak said. There have been cases of it on legitimate websites – so that’s where the technical solutions take over.
There are a variety of solutions available commercially, Slodichak said.
Finjan’s active real-time content inspection engine is one new commercial program, suggested in the report. The program detects and blocks malicious code in real-time.
Another solution, expected to re-emerge, is network behaviour analysis which tracks a user’s normal behaviour and flags actions that deviate from this pattern, Slodichak said.
But the solution is only half technical, Slodichak said. The most common location for malware is found on websites ending in .cm. Hackers are scooping URLs where people intend to type .com.
“It’s becoming a popular technique, the latest twist on malware,” Soldichak said, “so the other half of the solution is human function – aiding typos and avoiding clicking on links.”