Nazario was referring to NeoSploit, a new malware tool he's seen in the wild that carries at least seven distinct exploits to infect a PC with, from which it can choose based on what that PC's weak points are.
On the simple end, for example, a string split would render a word like this:
This resulting malicious code, of which the above is a small portion, would be easily detected by a human, but, as Nazario pointed out, it presents an effective stumbling block for automated detection.
Attackers also use double obfuscation, Nazario said. On top of simple joins or splits or single encoding, they use double encoding, often with a custom decoder. While several people like to use the browser to decode such exploits, Nazario said it's a bad idea, as the technique is too slow to get full information from a browser under zero-day conditions.
As Nazario described it, reverse-engineering double-decode malware essentially entails cleaning up the HTML and decoding on the command line. This results in code that still requires decoding, so the process is to repeat until the code is no longer encoded.
For example, because NJS doesn't know about "arguments," attackers have used "arguments.callee" to make their code tamper-proof. Callee is a property of arguments as a local variable available within all function objects that allows anonymous functions to refer to themselves. That's necessary for writing recursive strings, which, when executed, cause an endless loop and throw a monkey wrench into reverse engineering.
Enter SpiderMonkey, Nazario said. Because SpiderMonkey will choke on certain functions such as alert() or print(), it's impervious to attackers' use of those functions to mess with decoding efforts. Once it chokes, a researcher doing reverse engineering can use another language, such as Python.
Copyright 2007 by Ziff Davis Media, Distributed by United Press International