AJAX-based Web exploitation attacks detected in the wild

Web attackers are using AJAX to fragment malicious payload and make it harder to detect

Security researchers from Web filtering vendor M86 Security have detected Web exploitation attacks that use AJAX (Asynchronous JavaScript and XML) to fragment the payload into small pieces of code that are harder for antivirus programs and intrusion prevention systems to detect.

"The attack was observed on a currently running server located in China, which is serving malware," said Moshe Basanchig, an M86 Security researcher, in a blog post on Tuesday.


The attack starts on a page that contains an innocuous-looking piece of JavaScript code, similar to what is commonly found on legitimate websites that use AJAX.

This code is responsible for fetching the payload in multiple chunks and assembling it back together on the client before executing it. Different pages found by M86 on the attack server exploited vulnerabilities in unpatched versions of Flash Player and Internet Explorer.

This payload fragmentation technique makes it harder for signature-based security programs to detect the attacks. Many Web filtering mechanisms are implemented as network filter drivers and monitor traffic as it passes through the network interface.

However, when the traffic consists of chunks of legitimate-looking code that only become malicious once combined in the browser's memory, it is much harder to build a signature and detect the attack at the network-interface level.
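As an added illustration (not code from M86's write-up or from the reported attack), the following Python sketch shows the detection gap described above: a signature that matches none of the chunks on their own but fires once a filtering proxy buffers the chunks a page requested and scans them joined in request order. The signature, the Referer-based grouping and the sample responses are constructed assumptions for the example.

```python
"""Why scanning each HTTP response on its own misses an AJAX-fragmented
payload, and how buffering a page's chunk responses and scanning the
reassembled body (as a filtering proxy could) closes that gap.
All responses and signatures here are constructed for the example."""
import re
from collections import defaultdict

# Constructed, illustrative signature; a real filter carries its own rules.
SIGNATURES = [re.compile(r"document\.write\(unescape\(")]


def scan(text):
    """Return the pattern of every signature that matches one buffer."""
    return [sig.pattern for sig in SIGNATURES if sig.search(text)]


class ChunkReassembler:
    """Groups XHR responses by the page that requested them (the Referer)
    and scans them joined in request order, mirroring how the loader on
    that page joins them in browser memory before running the result."""

    def __init__(self):
        self.buffers = defaultdict(list)  # referer -> [(sequence_no, body)]

    def observe(self, referer, seq, body):
        self.buffers[referer].append((seq, body))

    def assembled(self, referer):
        return "".join(body for _, body in sorted(self.buffers[referer]))

    def scan_page(self, referer):
        return scan(self.assembled(referer))


# Constructed sample: three chunk responses fetched by one landing page.
PAGE = "http://landing.example/index.html"
CHUNKS = [
    (PAGE, 0, "document.wr"),
    (PAGE, 1, "ite(unescape('%3Cscript%3E"),
    (PAGE, 2, "alert(1)%3C/script%3E'));"),
]


def per_chunk_hits(chunks):
    """What a filter sees when it scans each response on its own."""
    return [scan(body) for _, _, body in chunks]


def reassembled_hits(chunks):
    """What the same signature finds once the chunks are joined."""
    reassembler = ChunkReassembler()
    for referer, seq, body in chunks:
        reassembler.observe(referer, seq, body)
    return reassembler.scan_page(PAGE)
```

Per-chunk scanning returns an empty hit list for every response, while the reassembled buffer matches the signature; a real deployment would also have to bound how much it buffers per page and decide when a page's chunk set is complete.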

"The main reason that malware authors use AJAX is the ability to write generic attack pages which look benign and become malicious only once the dynamic content is loaded," Basanchig said.

"This attack scenario definitely has its advantages: by passing the payload in several distinct chunks, the offending packets would likely avoid interception as they pass through the firewall," said Bogdan Botezatu, an e-threats analyst at antivirus vendor BitDefender.

However, according to Botezatu, other protection layers found in antivirus programs might detect and block the code when it is reassembled in memory or when it is executed. To avoid becoming a victim when automated detection methods fail, though, users should keep their browsers and plug-ins such as Flash Player, Adobe Reader or Java up to date.

"Last, but not least, it is essential for the user to stay away from Web resources they are not familiar with, such as URLs included in spam mail," Botezatu said.

Copyright © 2012 IDG Communications, Inc.