With Yuval Ben-Itzhak, chief technology officer of Finjan. The company's latest Web Security Trends Report, which covers the fourth quarter of 2006, says that dynamic code obfuscation is a dangerous emerging trend.
Question: What is dynamic code obfuscation?
Ben-Itzhak: There is always a cat-and-mouse game between hackers and vendors. In this report, we describe one step [hackers are using to] avoid detection by antivirus software. The basic approach of AV software is to look at a large database of signatures of known viruses. The AV company has a virus, analyzes it, and creates a unique stream that identifies the virus and pushes signatures to the customers. Each time there is a match between the signature and code in the [customer's] machine, the AV software blocks it. The hackers [have tried to beat this by] hiding the viruses by encrypting them. They are encrypting the malicious part of the code. This is not new. What the hackers [have done that is new] is the "dynamic" part. If you and I visit the same site, we will get a different malicious code. [Hackers] can modify the function name, have different encryption keys. Once one of the parameters is changed dynamically, the signature is broken and there is no match.
Question: Is this new?
Ben-Itzhak: We report this is a trend. It's not the first time [we've seen it] but the number has reached a certain level that we believe is a new trend that will continue to develop. We saw a dozen examples in the recent quarter. In order to fight it … you need a technology that can understand the code and analyze what it's going to execute without any signature. You need to be able to see if the code is about to delete the file or change settings in the browser and, based on that, decide if you want to block it or not. [Traditional AV software] is here to stay. Given the new attack techniques, you need additional tools. This technology that can understand the code and determine if it is malicious is called behavior code analysis technology.
Question: It seems clear that this requires a lot more horsepower than comparing signatures and zapping the matches. Is this a problem?
Ben-Itzhak: It is more advanced and requires more resources, more work to be done and needs more power to do it [than traditional AV software]. But you have no choice. The threats require these kinds of measures. Today on Finjan's appliance, the delay is 20 milliseconds. The users don't feel it. Yes, it adds more latency to the traffic. If it added two seconds, you would say it is too high and the application is broken. Having the number I mentioned, we don't see a problem. The benefit is that using an application allows us to arm it with resources needed. Running this as another agent on the desktop might impact productivity. Finjan is one of the leaders, with 18 patents. Microsoft licenses our technology; other vendors are starting to look at it. In 2007, we see a few of them shipping product. We're not familiar with anyone doing [precisely] what we do. But others [in the same generic sector] include Aladdin and Secure Computing.
This 3 Questions originally appeared in a weekly report from IT Business Edge.
This was first published in January 2007