For decades, hackers have sought ways to install malicious programs (“malware”) on computers or other networked devices. Often, malware operates to damage or otherwise hamper the functionality of the computer on which it is installed (the “host”). Malware can also provide the hacker with access to sensitive information that is present on the host computer and the network to which the host is attached. Malware can also use the host computer to distribute additional malware by hijacking the email and other network communication facilities of the host.
The conventional method of installing malicious programs is to secret them onto a host computer in an otherwise benign-appearing program or document. For example, malware can be included in an email message, and can run automatically upon opening the email message or viewing images within the message. Malware can also be associated with a program that the user of the host computer intentionally downloaded and/or installed.
Conventionally, the primary method of detecting these threats is to, identify signatures associated with various malware. Signatures are conventionally a sequence of executable characters that are identified after an attack has occurred and been reported to specially trained analysts. The analysts identify the malware and a signature associated therewith. Analysts then design software to identify the signature in executable code or in network traffic. This is the typical mode of operation for most conventional anti-virus, anti-spyware, and intrusion detection systems.
Hackers are well aware of this conventional defense, and have developed new attacks designed to use new technologies to circumvent signature-based detection. One such attack employs executable internet code, such as JavaScript. JavaScript is a programming language designed to be embedded in hypertext markup language (HTML) pages. JavaScript provides access to executable objects outside of the web browser. For example, JavaScript allows a web page to open a document stored on the host's hard drive and modify the document. JavaScript also allows for the creation of data structures in the host computer's memory. Because JavaScript is a scripting language, it is not compiled, but rather, is transmitted to the end user's web browser as text, where it is then executed.
These features provide hackers with access to exploits. For example, it may be known that, in a given operating system or web browser, creating an array of a certain size may allow a hacker to access particularly sensitive areas of a computer's memory. JavaScript allows for the creation of such an array. Creating data structures requires certain known syntax, so signature-based detection may still be possible. Because, however, programmers have wide latitude in the names given to variables and the data placed in the array, signature-based detection becomes much more difficult, if not possible, as the attack may not become apparent until the malicious code is already running on the host's computer.
To the extent that signature-based detection would be possible in this hypothetical example, however, languages such as JavaScript offer additional avenues for hackers to hide from signature-based detection schemes. Specifically, JavaScript offers run-time evaluation of strings that can then be executed. For example, assume that the function call document.write (“hack”) is a known exploit. A hacker can use JavaScript's run-time evaluation features to obfuscate the exploit as follows:
var X=“ha”;
var Y=“k”;
var Z=“doc”;
var A=“ument.wr”;
var B=“ite(”;
var C=“)”;
var D=“c”;
eval(Z+A+B+X+D+Y+C);
The code above would evaluate the strings as document.write(“hack”) and execute the malicious code. Compounding the problem is that JavaScript provides few limits as to the names of the variables or the order in which they appear. Thus, hackers are limited only by their imagination as to ways to obfuscate their malicious code. Further, because JavaScript can be automatically generated at the moment a web page is requested, obfuscation mechanisms such as that described above can be randomly created in response to a request in such a way that ensures that each attack will have a different signature from the last. Accordingly, conventional signature-based detection is difficult, if not impossible, for this new breed of internet attacks.
A further problem with such attacks is that they can be hidden in code received from otherwise trusted sources. For example, a widely-used website may sell banner space on its website to advertisers. The advertisement that appears in that space is typically loaded from the advertiser or a third-party advertisement server when an end user browses to the web page. The advertisement can also be loaded onto servers associated with the website before the end user browses to the web page, in which case the advertisement can be served to the user without connecting to an external server when the end user browses to the website. Other than contractual controls, the company running the website may have little control over the content of the advertisement. If malicious code is placed in the advertisement, the website may not know until it has already served out millions of infected pages. Accordingly, conventional methods of blocking internet traffic from untrustworthy sources or only allowing traffic from trustworthy sources may be insufficient to prevent attacks.
The conventional method of preventing such attacks is to disable the execution of internet-based executable code including, but not limited to, JavaScript, Adobe Flash, and Microsoft Silverlight. Preventing the execution of such code, however, may cause certain web pages not to function correctly, and detracts from the rich internet content that this code makes available.
Accordingly, a need exists for a system that can identify and prevent attacks delivered in executable code. A further need exists for a system that can identify and prevent such attacks even when obfuscated such that the presence of the attack cannot be detected until run time. An additional need exists for reputable web site operators to protect visitors to their sites from attacks that may be secreted into content published via their sites, such as banner advertisements controlled by third party advertisers.