While malicious servers hosting “drive-by-install” scripts are continuously evolving, their goal remain the same: to silently drop and run malicious files on the victim’s computer. The flaws exploited by those Web Attacks Toolkits have been quite the same for a while, so what’s new in “malscripts” world?
How does this method impact detection at IPS or/and AV levels? As a matter of fact, a classic file-based detection is usually based on logical patterns that can be seen in the file (sometimes through a certain number of obfuscation layers). Thus, if for a given malicious file a required logical pattern actually sits in another file, the detection engine may fail to mark the file as malicious. See the code snippet below:
Here, the variable “SbSbSbSbSb” is declared in an external script named wokaono.js. This last script alone is not malicious, and neither is the quoted code above. It’s the combination of the two that gives birth to a malicious behaviour.
But who needs drive-by-install scripts detection anyways, when one can simply detect the Trojan it aims at installing? ;)