script fragmentation - um novo ataque?

A descoberta de novos ataques ou vulnerabilidades é sempre um marco importante em segurança. Este parece uma variante de uma ideia antiga, mas aparece num contexto novo (tanto quanto sei): scripts em aplicações web.

Artigo na Script Fragmentation Attack Could Allow Hackers to Dodge Anti-virus Detection


Security researcher Stephan Chenette opened up to eWEEK about a new Web attack vector that could potentially render desktop and gateway anti-virus products useless. (...) Similar to TCP fragmentation attacks, it involves breaking down Web exploits into smaller pieces and distributing them in a synchronous manner to evade anti-malware signature detection.

"What this attack enables you to do is really get exploit code from the server into the browser memory and trigger the exploit (...) Once you actually are able to trigger that exploit, you own that machine, so that means you can disable anti-virus, you can disable any protection mechanism after the fact."

The attack works like this: Malware authors write benign client code and embed it in a Web page. The only content contained on the initial page will be a small JavaScript routine utilizing XHR or XDR. This code contains no actual malicious content, and the same type of code is found on all of the major legitimate Web 2.0 sites.

When a user visits the Web page, the JavaScript and the XDR or XHR will slowly request more code from other Web servers a few bytes at a time, thereby only allowing a user's gateway anti-virus engine to analyze a few seemingly innocuous bytes as it tries to determine whether or not the Web site is malicious.

Once received by the client, the bytes are stored in an internal JavaScript variable. The client will request more and more information until all the information has been transferred. Once it has been transferred JavaScript will be used to create a Script element within the DOM (Document Object Model) of the browser and add the information as text to the node. This in turn will cause a change to the DOM and execute the code in the script element.

According to Chenette, the entire process—from data being transferred over the network to triggering JavaScript within the DOM—can slip under the radar because no malicious content touches the file system. It's done completely in memory, and any content that is transferred over the network is done in such tiny fragments that anti-virus engines parsing the information don't have enough context or information to match any signatures.

The attack (...) has not been seen in the wild (...) works on all the major browsers (...) however, it is not a browser vulnerability—it merely takes advantage of the way browsers work.