New script fragmentation attack bypasses antivirus

November 28, 2008

Stephan Chenette of Websense describes a new Internet attack vector that could allow hackers to bypass anti-virus protection at both the gateway and the desktop. The technique, which he calls script fragmentation, involves breaking down malware into smaller pieces in order to beat malware analysis engines.[1]

The attack method is reminiscent of TCP fragmentation attacks and involves breaking down Web exploits into smaller pieces and distributing them in a synchronous manner to evade signature detection.[2] The Teardrop attack was a famous fragmentation attack in which fragmented packets are forged so that they overlap each other when the receiving host tries to reassemble them. This usually causes a kernel panic in the target host, leading to denial of service.[4]

Chenette names it a script fragmentation attack because it makes use of common technologies that are completely available today: JavaScript, VBScript, and the other readily available technologies that allow us to conduct traffic back and forth.[2]

The attack works like this: Malware authors write benign client code and embed it in a Web page. The only content contained on the initial page will be a small JavaScript routine utilizing XHR or XDR[1] (a method that allows data to be wrapped in an architecture-independent manner so that data can be transferred between heterogeneous computer systems).[4]

This code contains no actual malicious content, and the same type of code is found on all of the major legitimate Web 2.0 sites. When a user visits the Web page, the JavaScript and the XDR or XHR will slowly request more code from other Web servers a few bytes at a time, so that the user's gateway anti-virus engine only ever gets to analyze a few seemingly innocuous bytes as it tries to determine whether or not the Web site is malicious. Once received by the client, the bytes are stored in an internal JavaScript variable. The client will request more and more information until all of it has been transferred. Once it has been transferred, JavaScript will be used to create a script element within the DOM (Document Object Model) of the browser and add the information as text to the node. This in turn will cause a change to the DOM and execute the code in the script element.[1]

This type of attack can slip under the radar of anti-virus systems because no malicious content touches the file system. It is done completely in memory, and any content that is transferred over the network is sent in such tiny fragments that anti-virus engines parsing the information do not have enough context or information to match any signatures. The attack, which has not been seen in the wild by Websense, works on all the major browsers. However, it is not considered a browser vulnerability; it merely takes advantage of the way browsers work.[1]
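As an added illustration (not from the article or from Websense), the following constructed Python simulation shows why a gateway engine that checks each HTTP response body on its own never sees enough context to match a signature, while a gateway that buffers the bodies per client session and rescans the growing buffer recovers it. The signature string, the stand-in payload, the fragment size and the session key are all assumptions.

```python
"""Constructed demo: per-response scanning vs. per-session reassembly.

Assumptions (not from the article): a toy gateway that sees each response
body separately, a single toy signature, and a harmless marker string
standing in for the script text an attacker would fetch in pieces.
"""
from collections import defaultdict

# Toy signature a gateway engine would look for. Constructed, not a real IoC.
SIGNATURES = [b"DEMO_MARKER_NOT_REAL_MALWARE"]

# Constructed stand-in for the script that the page reassembles in memory.
PAYLOAD = (b"var s='';/* fetched in pieces */ DEMO_MARKER_NOT_REAL_MALWARE "
           b"/* ... */ document.body.appendChild(e);")


def fragment(payload: bytes, size: int) -> list[bytes]:
    """Split the payload into fixed-size chunks, one per XHR/XDR response."""
    return [payload[i:i + size] for i in range(0, len(payload), size)]


def scan(blob: bytes) -> bool:
    """Stateless signature check over one blob of bytes."""
    return any(sig in blob for sig in SIGNATURES)


def scan_per_response(fragments: list[bytes]) -> bool:
    """What a per-response engine sees: each fragment in isolation."""
    return any(scan(f) for f in fragments)


class SessionReassembler:
    """Stateful gateway view: append each body to a per-session buffer
    and rescan the whole buffer, so context spanning responses is kept."""

    def __init__(self) -> None:
        self.buffers: dict[tuple[str, str], bytearray] = defaultdict(bytearray)

    def observe(self, client: str, origin: str, body: bytes) -> bool:
        buf = self.buffers[(client, origin)]
        buf += body
        return scan(bytes(buf))


def demo(size: int = 5) -> tuple[bool, bool]:
    """Return (stateless_hit, stateful_hit) for a given fragment size."""
    frags = fragment(PAYLOAD, size)
    stateless = scan_per_response(frags)
    reassembler = SessionReassembler()  # keyed on constructed client/origin
    stateful = any(reassembler.observe("10.0.0.5", "fragments.example", f)
                   for f in frags)
    return stateless, stateful
```

The buffer is keyed on client and origin; a gateway that keys on the wrong tuple, or that evicts the buffer before the last fragment arrives, falls back to the stateless result.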

Disabling scripting would mitigate this attack, but given the non-static nature of today's web sites, this is not a practical solution for most users.[2]

1. "Script Fragmentation Attack Could Allow Hackers to Dodge Anti-virus Detection", eWeek, November 21, 2008

2. "Security Researcher to Reveal New Web Attack Vector", eWeek, November 7, 2008

3. "Script fragmentation attack", My Antivirus Software, November 24, 2008

4. "Teardrop attack definition", PC Magazine, November 28, 2008