Malicious Code Hidden in Rich Content Files Tough To Detect, According to Finjan Report

• By Dian Schaffhauser
• 09/26/08

Finjan, a company that sells security products, said it has uncovered examples of obfuscated code embedded in rich-content files, and not just in HTML-based Web pages on legitimate Web sites. According to the vendor, code obfuscation remains the preferred technique for cybercriminals for their attacks.

Since JavaScript is the most-used scripting language for communication with Web browsers, third-party applications such as Flash player, PDF readers and other multimedia applications add support for JavaScript writing as part of their application, the company reported in its September 2008 "Malicious Page of the Month." This offers "crimeware" authors the opportunity to inject malicious code into rich-content files used by ads and user-generated content on Web 2.0 Web sites.

According to the report, only three of 36 virus-scanning products tested were able to detect the presence of that type of malicious code, which is dynamically embedded in the JavaScript.

Online ads and user-generated content on Web 2.0 Web sites are becoming more popular in directing users unwittingly to malware-infected content files. A recent survey by the company found that 46 percent of respondents stated that their organization didn't have a Web 2.0 security policy in place.

The company said real-time content inspection is the optimal way to detect and block dynamically obfuscated code, since it analyzes and understands the code embedded within Web content or files in real time--before it reaches users, who may unintentionally execute the Trojan on their machines.