Recent findings by Finjan reveal that hackers have created a new class of highly evasive attacks to potentially bypass signature-based and database-reliant security technology.
The release of the security company’s Web Security Trends Report for the second quarter of 2007 this week prompted it to observe that these more evasive attacks represent a “quantum leap” in technological sophistication, going far beyond drive-by downloads and code obfuscation.
The work carried out at Finjan’s Malicious Code Research Centre (MCRC) found that, in order to minimise the malicious code’s window of exposure, evasive attacks keep track of the actual internet protocol (IP) addresses of visitors to a particular website or web page. Using this information, the attackers restrict exposure to the malicious code to a single view from each unique IP address. This means that the second time a given IP address tries to access the malicious page, a benign page will be automatically displayed in its place. All traces of the initial malicious page completely disappear, the report said.
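The one-view-per-IP behaviour described above leaves a footprint on the defender's side: a client that fetches the same URL twice receives two different pages, and every client that does so receives the same pair. The following Python script, added here as an illustration and not code from Finjan or the report, shows a triage check a web-security gateway operator could run over its own proxy logs. It assumes a hypothetical log format (timestamp, client IP, URL, hash of the response body) and uses constructed sample lines.

```python
"""Flag URLs that serve one page on a client's first fetch and a different,
shared page on every later fetch (the per-IP evasion pattern).

Added example, not Finjan's code.  Assumes an egress proxy that logs, per
fetch: ISO timestamp, client IP, URL and a hash of the response body.  The
log format and all addresses/hashes below are constructed for illustration.
"""
from collections import defaultdict

# Constructed sample log: promo.html shows the pattern (payload once, then a
# benign page); news.html is static; live.html is a legitimately dynamic page
# whose content differs for every client and every fetch.
SAMPLE_LOG = """\
2007-07-01T09:00:01 10.1.1.5 http://example.test/promo.html a1b2c3d4
2007-07-01T09:00:07 10.1.1.5 http://example.test/promo.html ffffffff
2007-07-01T09:02:13 10.1.1.9 http://example.test/promo.html a1b2c3d4
2007-07-01T09:02:20 10.1.1.9 http://example.test/promo.html ffffffff
2007-07-01T09:05:00 10.1.1.5 http://example.test/news.html 0badcafe
2007-07-01T09:05:30 10.1.1.5 http://example.test/news.html 0badcafe
2007-07-01T09:06:00 10.1.1.7 http://example.test/news.html 0badcafe
2007-07-01T09:07:00 10.1.1.7 http://example.test/live.html 11111111
2007-07-01T09:07:30 10.1.1.7 http://example.test/live.html 22222222
2007-07-01T09:08:00 10.1.1.8 http://example.test/live.html 33333333
2007-07-01T09:08:30 10.1.1.8 http://example.test/live.html 44444444
"""


def parse_log(text):
    """Parse the constructed log lines into (timestamp, ip, url, body_hash)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, url, body_hash = line.split()
        records.append((ts, ip, url, body_hash))
    records.sort()  # ISO-8601 timestamps sort correctly as strings
    return records


def fetch_histories(records):
    """Map (url, ip) -> ordered list of response hashes that client received."""
    hist = defaultdict(list)
    for _ts, ip, url, body_hash in records:
        hist[(url, ip)].append(body_hash)
    return hist


def detect_per_ip_cloaking(records, min_ips=2):
    """Return {url: [ips]} for URLs where at least `min_ips` distinct clients
    each saw one hash on their first fetch and one other, common hash on
    every later fetch.  Requiring agreement across clients filters out
    pages that are merely dynamic or personalised."""
    per_url = defaultdict(list)  # url -> [(ip, first_hash, later_hashes)]
    for (url, ip), hashes in fetch_histories(records).items():
        first, later = hashes[0], hashes[1:]
        if later and all(h != first for h in later):
            per_url[url].append((ip, first, frozenset(later)))

    flagged = {}
    for url, switches in per_url.items():
        if len(switches) < min_ips:
            continue
        first_hashes = {s[1] for s in switches}
        later_sets = {s[2] for s in switches}
        # Same payload page for everyone on view one, same benign page after.
        if (len(first_hashes) == 1 and len(later_sets) == 1
                and len(next(iter(later_sets))) == 1):
            flagged[url] = sorted(s[0] for s in switches)
    return flagged


if __name__ == "__main__":
    for url, ips in detect_per_ip_cloaking(parse_log(SAMPLE_LOG)).items():
        print(f"first-view-only content switch: {url} (clients: {', '.join(ips)})")
```

Treat a hit as a triage signal rather than a verdict: caching layers, A/B tests and session-bound redirects can produce a similar first-fetch/later-fetch split, which is why the check insists that several clients saw the same pair of pages. Note also that a manual re-check from an address the site has already seen will only ever return the benign page, so verification has to come from a fresh vantage point or from the body captured at the time of the first fetch.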
“Evasive attack techniques where malicious code is controlled per IP address, country of origin or number of visits provide hackers with the ability to minimise the malicious code’s exposure, thereby reducing the likelihood of detection.”
Finjan offers the following advice for corporate users:
- Make sure that real-time inspection and protection is added to your web security solution. Chasing the attack vectors after the event is always “too little, too late,” particularly if you get hit by a zero-day attack that your security solution does not recognise.
- Make sure that your security solution is updated to handle new technologies and trends. Security products should protect you from the vulnerabilities rather than just attacks and exploits.
- Check your vendor’s research capabilities and their ability to provide up-to-date information, which is immediately translated into actionable security measures.
- Examine your egress data policy to make sure that you cover all known and suspicious sites.
“Moreover, evasive attacks can identify the IP addresses of crawlers used by URL filtering, reputation services and search engines, replying to these engines with legitimate content and increasing the chances of mistakenly being classified by them as a legitimate category,” said Yuval Ben-Itzhak, Finjan chief technology officer. “The combination of these evasive attacks with code obfuscation techniques significantly enhances the capability of sophisticated hackers to go undetected.”
The report also describes the proliferation of affiliation networks based on a “hosted model” for malicious code, which use off-the-shelf malicious code packages to compromise highly popular websites and even government domains. It also gives more examples of the trend identified in its first-quarter report of the year towards hiding malicious code in online advertising on legitimate websites.
“There are no second chances when it comes to safeguarding users’ personal details and securing confidential corporate information. The way to detect modern malicious code is to be able to understand in real-time what the code intends to do, before it does it,” said Ben-Itzhak.