VANCOUVER, B.C.--Cybercrooks who rig Web sites to break into PCs are getting better at hiding their malicious code, a security expert said Wednesday.
"Their obfuscation tools are primitive but effective," Nazario said. "They use obfuscation to avoid simple signatures," he said, referring to security techniques based on signatures to detect malicious Web sites. Signatures are fingerprints of known attacks.
Web attacks have become commonplace. Tens of thousands of Web sites attempt to install malicious code, according to StopBadware.org. The sites, the bulk of which are compromised sites, often drop a Trojan horse or other pest onto a PC through a security hole in the Web browser.
Attackers also are trying to outsmart security pros by programming malicious sites to load their malicious code only once on the same PC, Nazario said. Furthermore, a new toolkit called NeoSploit identifies the browser and is packed with security exploits to launch the proper attack, he said.
The scrambled code can be made legible since it typically uses simple Base64 encoding for obfuscation and not actual encryption, Nazario said. He suggested NJS, SpiderMonkey and Rhino as tools to investigate script code. Flash files can be analyzed using a program called Flasm, he said.
Another alternative is Exploit Prevention Labs' LinkScanner, which monitors traffic going into a PC and blocks known exploits.