August 17, 2011

The Enigmatic Existence of X-Morphic Exploitation

The web browser is one of the most used and most exploited applications. Its heavy use has made it a risky and vulnerable target in the past few years, and attackers have adopted it as their primary path for delivering malicious payloads.

Usually a different exploit script exists for every browser. However, these exploits are easy to detect from their exploit patterns using regular-expression and heuristic-based signature engines. Consequently, attackers have adopted numerous techniques to bypass these detection methods, and vendors of signature-based protection systems have in turn focused on detecting the obfuscated exploit variants in this never-ending cat and mouse game.

In response, attackers have resorted to creating exploits that morph uniquely in every instance, making it impossible for signature-based protection engines to identify this Holy Grail of obfuscated attacks. Techniques that alter the payload from one request to the next are commonly referred to as oligomorphic, polymorphic or metamorphic manipulation.

Code Morphing

Code morphing is one of the techniques used to protect software applications from reverse engineering, analysis, modification and cracking. It breaks the protected code up into individual processor instructions and replaces them with others that produce the same result. The protector thus obfuscates the code at the intermediate level.

i) Malware Morphing

The concept of malware morphing has been in use for many years. Malware authors and anti-virus researchers have identified the methods used to obfuscate and hide malware code with each infection. These techniques have been a source of innovation for web browser exploit developers, although in the early stages they were ineffective against traditional signature-based protection engines for the following reasons:

  • There was no organizational structure or financial backing to develop obfuscation techniques that would be effective against modern security solutions.
  • Patches were generally available when an exploit appeared.
  • The methods used for attracting victims to malicious websites were relatively unsophisticated and static in nature.

The most common morphing classes found in malware development include the following:

a) Oligomorphic

The malware author uses multiple decryption engines instead of just one: with each iteration the malware randomly builds an engine from several predefined alternatives. The first technique of this kind was called WHALE (Aug 1990).

b) Polymorphic

Polymorphic malware uses a dynamic build process that incorporates noise instructions, or instructions that load an unused register with a value, together with random keys to encrypt the constant part.

c) Metamorphic

Metamorphic malware carries a copy of its own source code; whenever it finds a compiler, it recompiles itself after adding or removing junk code in that source.

ii) Exploit Morphing

In web browser exploitation, the more widely deployed and consistent the exploit code, the earlier protection is developed and deployed. Morphing the exploit code bypasses this limiting factor of web browser exploitation.

In recent years there has been a dramatic rise in web browser attacks. Attackers dynamically alter the obfuscated exploit each time a potential user visits the insecure page, creating a unique exploit with each request. This is called x-morphic exploitation.

These principles are being applied to commercial exploit development and incorporated into web browser attacks because of the browser's susceptibility to content-level manipulation. With x-morphic exploitation, the code that morphs the exploit is never passed to the victim host. There is therefore no chance of identifying the exploitation by singling out the x-morphic engine, which renders useless the signature-based protection engines, designed to detect polymorphic and metamorphic generating code, that make up the antivirus market.

Ideal Conditions

An ideal condition for x-morphic exploitation would contain:

a)      Possibly different exploit code for every user’s browser.

b)      Services that exploit subscription-based management.

c)      Exploits that are invulnerable to signature-based anti-virus software.

Web-Server Delivery

A web server is said to be harmful if it responds to a victim’s HTTP GET or HTTP POST request with HTTP exploit code. A single exploit page is served in response. If a signature that detects this exploit material exists, potential users are protected. The longer the harmful web server keeps serving the same exploit material, the higher the level of protection becomes; in this way the attacker loses the ability to control the attack and disguise himself.

X-morphic Engine

Attackers are developing a solution; behold the “x-morphic engine”, designed to serve highly obfuscated, one-of-a-kind web browser exploits, with each page uniquely rendered for a potential victim. The concept behind an x-morphic engine is simple, and it is built from existing individual techniques and technologies.

There are two core elements to the x-morphic engine:

  • Exploit Morpher

The exploit morpher manipulates a stock web browser exploit by reordering, padding, swapping shellcode, changing script components and altering the exploit code using oligomorphic and polymorphic principles.

  • Obfuscators

Obfuscators are engines at the network layer, content delivery layer or application content layer that take the morphed exploit code and wrap it in one or more layers of obfuscation. Each layer has its own influence and provides a metamorphic aspect. The x-morphic engine may also include additional exploits stored on the web server.

Techniques

A number of obfuscation techniques are used when integrated with the automation system. They can be classified as follows:

i) Network Layer

The intent of obfuscating at the network layer is to bypass network-centric protection systems: intrusion detection systems (IDSs), intrusion protection systems (IPSs) and filtering proxies. Packet fragmentation is the primary tool: the original packets are broken into smaller packets and the fragmented data is altered. Some common techniques include:

Simple fragmentation:

‘AT’ ‘TAC’ ‘K’ → ATTACK

Out-of-sequence packets:

‘C’ ‘T’ ‘K’ ‘A’ ‘A’ ‘T’ → ATTACK

Overlapping packets:

‘AT’ ‘TAC’ ‘ACK’ ‘K’ → ATTACK

Overwriting redundant packets:

‘AT’ ‘QWE’ ‘TAC’ ‘RTY’ ‘ACK’ ‘K’ → ATTACK

Packet timeout:

ATT ... long pause ... ACK → ATTACK
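The examples above are exactly what a network monitor has to untangle before any signature can match. The Python reassembler below is added here as an illustration and is not part of the original article; it replays each listed trick on constructed segments. The segment layouts, the "first-wins" versus "last-wins" overlap policies, the arrival times and the ATTACK marker are all assumptions made for the demo. What it shows is that the same overlapping segments rebuild to different streams under the two policies, and that a monitor which flushes its buffer on a timeout inspects "ATT" and "ACK" separately while the endpoint still receives "ATTACK".

```python
# Added example (not from the original post): a small stream reassembler that
# replays the fragmentation tricks listed above from a defender's side.
# All segments below are constructed for this demo.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Segment:
    offset: int        # byte offset of this piece within the stream
    data: str          # payload, kept as text so the demo is readable
    t: float = 0.0     # arrival time in seconds (only the timeout case uses it)


def reassemble(segments: List[Segment], policy: str = "last") -> str:
    """Rebuild the stream an endpoint would see.

    policy="last": a later segment overwrites bytes already buffered.
    policy="first": bytes already buffered win; later overlaps are ignored.
    Real TCP stacks disagree on this, so a monitor that picks the wrong policy
    for the host it protects reconstructs a different stream than the host.
    """
    buf: Dict[int, str] = {}
    for seg in segments:
        for i, ch in enumerate(seg.data):
            pos = seg.offset + i
            if policy == "last" or pos not in buf:
                buf[pos] = ch
    if not buf:
        return ""
    # Holes are shown as '?' so an incomplete reconstruction is obvious.
    return "".join(buf.get(i, "?") for i in range(min(buf), max(buf) + 1))


def detector_view(segments: List[Segment], timeout: float,
                  policy: str = "last") -> List[str]:
    """Chunks a monitor runs its signatures over if it flushes its buffer
    after `timeout` seconds of silence (the 'packet timeout' trick)."""
    views: List[str] = []
    pending: List[Segment] = []
    last_t: Optional[float] = None
    for seg in sorted(segments, key=lambda s: s.t):
        if last_t is not None and seg.t - last_t > timeout and pending:
            views.append(reassemble(pending, policy))
            pending = []
        pending.append(seg)
        last_t = seg.t
    if pending:
        views.append(reassemble(pending, policy))
    return views


def has_signature(view: str, signature: str = "ATTACK") -> bool:
    """Stand-in for a signature engine: plain substring match."""
    return signature in view


# Constructed test streams mirroring the post's ATTACK examples.
CASES = {
    "simple":       [Segment(0, "AT"), Segment(2, "TAC"), Segment(5, "K")],
    "out_of_order": [Segment(4, "C"), Segment(1, "T"), Segment(5, "K"),
                     Segment(0, "A"), Segment(3, "A"), Segment(2, "T")],
    "overlapping":  [Segment(0, "AT"), Segment(2, "TAC"), Segment(3, "ACK"),
                     Segment(5, "K")],
    # Chaff 'QWE' and 'RTY' are sent first and later overwritten in place.
    "overwriting":  [Segment(0, "AT"), Segment(2, "QWE"), Segment(2, "TAC"),
                     Segment(3, "RTY"), Segment(3, "ACK"), Segment(5, "K")],
}
TIMEOUT_CASE = [Segment(0, "ATT", t=0.0), Segment(3, "ACK", t=45.0)]

if __name__ == "__main__":
    for name, segs in CASES.items():
        print(f"{name:12s} last-wins={reassemble(segs, 'last')!r} "
              f"first-wins={reassemble(segs, 'first')!r}")
    print("timeout 30s:", detector_view(TIMEOUT_CASE, timeout=30.0))
    print("timeout 60s:", detector_view(TIMEOUT_CASE, timeout=60.0))
```

Running the script prints both reconstructions for every case. The "overwriting" stream reads ATTACK under last-wins but ATQWEY under first-wins, so a monitor using the wrong policy never sees the marker; likewise a 30-second reassembly timeout splits the stream into "ATT" and "ACK". The defensive takeaway is that reassembly must follow the policy of the protected host's TCP stack and must not time out sooner than the host does, otherwise the monitor inspects a stream the host never sees.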

ii) Content Delivery Layer

HTTP is the primary delivery protocol, and it may itself be obfuscated by the attacker. To identify the exploit material it is important to properly reassemble the content and parse its encodings. This leads attackers to adopt the following techniques:

1)      HTTPS encryption over Secure Sockets Layer (SSL) and Transport Layer Security (TLS).

2)      HTTP-supported compression.

3)      Multiple character set encoding.

4)      Transfer encoding, such as “chunked” and “token-extension”.

5)      Chaffing content with characters.
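To show what "properly reassemble and parse" involves, the following Python normalizer is an added illustration and not code from the original article. It undoes chunked transfer encoding (including chunk extensions), gzip content encoding and a non-default charset, in that order, on a response constructed inside the script; the header values, the SIGNATURE_TEST marker and the chunk sizes are assumptions made for the demo.

```python
# Added example (not from the original post): normalize an HTTP response the
# way a content inspector must before signature matching can work. The sample
# response below is constructed here; the marker string is a harmless stand-in
# for a signature.
import gzip
import re
from typing import Dict, Iterable, Tuple


def parse_chunked(body: bytes) -> bytes:
    """Decode a 'Transfer-Encoding: chunked' body, ignoring chunk extensions."""
    out = bytearray()
    pos = 0
    while True:
        end = body.index(b"\r\n", pos)
        # "1a;name=value" -> size is the hex part before any ';' extension.
        size = int(body[pos:end].split(b";")[0].strip(), 16)
        pos = end + 2
        if size == 0:
            break                        # last-chunk; trailers are not needed here
        out += body[pos:pos + size]
        pos += size + 2                  # skip the CRLF that terminates the chunk
    return bytes(out)


def split_headers(raw: bytes) -> Tuple[Dict[bytes, bytes], bytes]:
    """Return (headers with lower-cased names, raw body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers: Dict[bytes, bytes] = {}
    for line in head.split(b"\r\n")[1:]:        # [0] is the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def normalize_response(raw: bytes) -> str:
    """Undo transfer encoding, content encoding and charset, in that order,
    to recover the text the browser will actually parse."""
    headers, body = split_headers(raw)
    if headers.get(b"transfer-encoding", b"").lower() == b"chunked":
        body = parse_chunked(body)
    if headers.get(b"content-encoding", b"").lower() == b"gzip":
        body = gzip.decompress(body)
    charset = "latin-1"                         # conservative default
    m = re.search(rb"charset=([\w-]+)", headers.get(b"content-type", b""), re.I)
    if m:
        charset = m.group(1).decode("ascii")
    return body.decode(charset, errors="replace")


def chunk_encode(data: bytes, sizes: Iterable[int]) -> bytes:
    """Split data into chunks of the given sizes (remainder in a final chunk),
    adding a dummy chunk extension so the decoder has to cope with it."""
    out = bytearray()
    pos = 0
    for n in list(sizes) + [len(data)]:
        piece = data[pos:pos + n]
        pos += len(piece)
        if piece:
            out += b"%x;ext=1\r\n" % len(piece) + piece + b"\r\n"
    out += b"0\r\n\r\n"
    return bytes(out)


# Constructed page; the marker stands in for whatever a signature looks for.
PAGE = '<html><script>var s = "SIGNATURE_TEST";</script></html>'


def build_sample_response() -> bytes:
    """Constructed response: UTF-16 text, gzip-compressed, sent chunked."""
    body = chunk_encode(gzip.compress(PAGE.encode("utf-16"), mtime=0), [5, 17])
    return (b"HTTP/1.1 200 OK\r\n"
            b"Content-Type: text/html; charset=utf-16\r\n"
            b"Content-Encoding: gzip\r\n"
            b"Transfer-Encoding: chunked\r\n"
            b"\r\n") + body


if __name__ == "__main__":
    raw = build_sample_response()
    print("marker visible on the wire:", b"SIGNATURE_TEST" in raw)
    print("marker visible after normalizing:",
          "SIGNATURE_TEST" in normalize_response(raw))
```

On the wire the marker is invisible because the page is compressed and UTF-16 encoded; only after all three layers are peeled off does a plain substring signature match. Each layer corresponds to one of the encodings listed above, and an inspector that skips any one of them is matching against bytes the browser never executes.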

iii) Application Content Layer

This layer concerns the way the application rebuilds, compiles or executes HTML content. Some of the most popular application content layer obfuscation techniques are:

1)      Splitting up the source files and dynamically rebuilding the exploit page.

2)      Execution of embedded scripts to “unpack” and execute the exploit.

3)      Using file formats which have their own scripting languages and can be rendered inside the Web browser.

How to Deliver Malicious Content?

An attacker must induce many users to request a page from the affected web server to increase the likelihood of exploitation and malware installation. Some common methods used by attackers are:

1)      Spam

2)      Phishing

3)      Hacking

4)      Banner advertising

5)      Search page-rank

6)      Expired domains

7)      Domain Name Server (DNS) hijacking

8)      Forum posting

9)      Tickers and counters

10)  404 page errors

11)  Server-side user-agent checks

Personalizing the Attack

X-morphic engines further obfuscate their attacks by taking advantage of advanced personalization techniques. Personalized attacks deceive visitors by creating a more dynamic “user experience” on the site, while bypassing many security systems.

Strategies that x-morphic engine developers will likely adopt as part of their personalized attack delivery platform include the following:

1)      Using the source IP address of the request, the attacker ensures that only one exploit is served per address. This prevents subsequent replay-based analysis.

2)      Implementing a time-based approach to prevent their engine from being exposed.

3)      Depending on the browser type information, the attacker ensures that only exploits relevant to that browser are served. This keeps malicious content away from search engines and web crawlers.

4)      Leveraging the IP address, the attacker can keep particular IP addresses away from any malicious content.

5)      One-time URLs will likely be used to ensure that exploit code is served just once.

Conclusion

Web browser exploit platforms will be vital to the infection success of organizations that rely on malware installation. Fortunately, legitimate security researchers and organizations have been developing more preventative means of fighting these sophisticated attacks. Recent advances in anomaly detection and intrusion prevention systems, combined with more behavior-based techniques, are helping organizations identify suspicious activity earlier. With the arrival of x-morphic exploitation, the exploit and security worlds have entered a different phase, one that has rendered the trusted signature-based antivirus system obsolete.
