Faced with a steady volume of browser vulnerabilities and the Web-based exploits written to take advantage of them, security researchers on Wednesday presented a new approach to protecting users, execution-based malware detection, at the ongoing Usenix Security Symposium in Boston.
In a presentation led by Alexander Moshchuk, a University of Washington graduate student on the research team that built a tool around the technique for filtering out malicious content, the researcher pitched "virtual sandboxing" as an effective way to test Web content for suspicious behavior before it reaches end users' browsers.
With drive-by attacks and zero-day exploits growing daily as malware authors become more sophisticated, security experts have increasingly questioned the effectiveness of traditional signature-based anti-virus technologies against many online attacks.
As a result, several new techniques have emerged for protecting end users before vulnerabilities can be identified and patched. Virtualization is one of the technical approaches being adopted by researchers working on the problem, and Moshchuk highlighted its use in a tool created at UW and named SpyProxy.
Deployed as a virtual machine that sits between an end user's browser and a Web site, SpyProxy downloads and executes any content the browser is directed toward in order to weed out potential attacks before they reach the user.
In a matter of seconds, the system can run and analyze any Web page or application and determine whether it exhibits the hallmarks of many threats, the researcher said.
"SpyProxy has limitations, but nonetheless we feel that it can be an effective new weapon in the Internet security arsenal, as a low-cost way to block real zero days that is complementary to existing techniques and actively makes the Web browsing experience more secure," Moshchuk said.
Adding up the number of days during 2006 on which Microsoft's Internet Explorer was vulnerable to published attacks gives a total of roughly nine months of opportunity for malware authors to deliver threats to end users, said Moshchuk, who observed that business users in particular can ill afford to remain exposed to viruses and other threats so regularly.
Execution-based malware detection cannot identify some forms of attack, such as cross-site scripting (XSS) scams, because of their latent nature: they do their damage within the browser session rather than by changing the state of the client machine in a way the sandbox can observe. Most active attacks, however, can be unearthed with relative ease, Moshchuk said.
SpyProxy works by creating a virtual machine that mirrors the browser used by the person running the tool, and fully rendering each page or application that is requested in order to determine whether the URL delivers an attack.
While the process does delay Web page delivery, on the order of roughly three seconds per URL with no optimizations applied, the researcher maintains that eliminating many zero-days and drive-bys is a trade-off some end users will accept.
In a test of roughly 2,000 Web site requests carried out by the UW team over 124 individual URLs, the researchers found some 27 active browser exploits and 73 spontaneous downloads that could represent malware, adware, or other unwanted programs. The group says SpyProxy identified and blocked all of these threats.
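The decision logic such a proxy has to make can be shown without a virtual machine. The following is an added example written for this article, not SpyProxy's own code: it assumes the sandbox reports a trace of events (process creation, file and registry writes, browser crashes) while rendering a URL, and classifies the page as an attack when rendering produced any side effect beyond the browser's own cache. The event format, the cache allowlist, the browser image name and the three traces are all constructed for illustration. The third trace shows the limitation noted above: an XSS page that steals data inside the browser session leaves no such side effect and is released to the client.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Union


@dataclass(frozen=True)
class Event:
    """One observation recorded inside the sandbox VM (constructed format)."""
    kind: str          # "process_create" | "file_write" | "registry_write" | "browser_crash"
    target: str = ""   # process image name, file path, or registry key


# Assumed allowlist: the only locations a browser should write to while rendering.
CACHE_PREFIXES = (
    r"C:\Users\sandbox\AppData\Local\Temp",
    r"C:\Users\sandbox\AppData\Local\Microsoft\Windows\Temporary Internet Files",
)
# The sandbox mirrors the client's browser; assumed to be Internet Explorer here.
BROWSER_IMAGE = "iexplore.exe"


def triggers_for(events: Iterable[Event]) -> List[str]:
    """Map sandbox events to detection triggers.

    Rendering a page should only spawn the browser itself and write to its cache.
    Anything else (a new process, a file dropped elsewhere, a registry write, a crash)
    is treated as evidence that the page did more than display content.
    """
    found: List[str] = []
    for ev in events:
        if ev.kind == "process_create" and ev.target.lower() != BROWSER_IMAGE:
            found.append(f"spontaneous process: {ev.target}")
        elif ev.kind == "file_write" and not ev.target.startswith(CACHE_PREFIXES):
            found.append(f"file written outside browser cache: {ev.target}")
        elif ev.kind == "registry_write":
            found.append(f"registry modified: {ev.target}")
        elif ev.kind == "browser_crash":
            found.append("browser crashed while rendering")
    return found


def proxy_verdict(url: str, events: Iterable[Event]) -> Dict[str, Union[str, List[str]]]:
    """Decide whether the proxy forwards the rendered page or blocks it."""
    triggers = triggers_for(events)
    return {"url": url, "verdict": "block" if triggers else "allow", "triggers": triggers}


# Constructed trace: an ordinary page that only populates the browser cache.
BENIGN_TRACE = [
    Event("process_create", "iexplore.exe"),
    Event("file_write", r"C:\Users\sandbox\AppData\Local\Temp\index.html"),
    Event("file_write", r"C:\Users\sandbox\AppData\Local\Temp\style.css"),
]

# Constructed trace: a drive-by that drops and launches a binary and sets it to autostart.
DRIVE_BY_TRACE = [
    Event("process_create", "iexplore.exe"),
    Event("file_write", r"C:\Users\sandbox\AppData\Local\Temp\ad.swf"),
    Event("file_write", r"C:\Users\sandbox\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe"),
    Event("process_create", "update.exe"),
    Event("registry_write", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"),
]

# Constructed trace: an XSS page that exfiltrates session data from inside the browser.
# It changes nothing on the client machine, so execution-based detection cannot see it.
XSS_TRACE = [
    Event("process_create", "iexplore.exe"),
    Event("file_write", r"C:\Users\sandbox\AppData\Local\Temp\profile.html"),
]


if __name__ == "__main__":
    for url, trace in [
        ("http://benign.example.test/", BENIGN_TRACE),
        ("http://driveby.example.test/", DRIVE_BY_TRACE),
        ("http://xss.example.test/", XSS_TRACE),
    ]:
        print(proxy_verdict(url, trace))
```

The three-second delay the researcher mentions is the cost of waiting for the sandbox to finish rendering before any of these events can be judged; a proxy that released the page as soon as the first bytes arrived would have nothing to inspect.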
