Redmond boffins build coffins for exploit kits

Microsoft boffins have crafted what they say is the world's first platform specifically designed to kill exploit kits. The tool goes by the name "Kizzle" and is a fast signature compiler that targets the common practice of code reuse by malware authors, and could generate identifying signatures weeks ahead of current anti- …

  1. Anonymous Coward

    This:

    "Kizzle will fizzle if exploit kits become polymorphic and change its unpacked forms, a feat that other research indicates is feasible."

    Feasible?? Polymorphic routines have been used in viruses since the eighties!!!

    So, at a stroke, their tool has been rendered useless even before it's been used....

    Cyber crooks 1: MS 0

    1. Kristian Walsh Silver badge

      Re: This:

      "So, at a stroke, their tool has been rendered useless even before it's been used...."

      It's feasible to build a space elevator. It doesn't mean we've got one, or that it'll be cheap or easy or likely to get one.

      As it says in the article, the tool works precisely because current malware authors do not extensively use polymorphic code. Modern malware is far more complex than the kind of 1980s viruses that used this technique, and unlike back then, virtually all malware is written in high-level languages, with little visibility of where the machine instructions lie in memory.

      What this technique does is make the job of making malware unidentifiable an order of magnitude more difficult: re-packagers can no longer rely on a simple change of their delivery script's obfuscation technique. Making malicious acts very hard to perform is the essence of computer security.
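To illustrate the point made in the comment above (a signature computed on the unpacked form survives a change of the delivery script's obfuscation, whereas a signature on the delivered text does not), here is an added example in Python. It is not Kizzle's code and not from the article; the "unpacked form", the two wrapper shapes and the use of a SHA-256 hash as a stand-in for a real structural signature are all constructed assumptions for demonstration.

```python
import base64
import hashlib
import re

# Constructed, benign stand-in for the "unpacked form" that a kit reuses
# across deliveries (not real exploit-kit code).
UNPACKED_FORM = "var k = 'kit-core'; document.write(k);"


def wrap_hex(script: str) -> str:
    """Constructed delivery wrapper A: hex-encode the script and eval it."""
    return "eval(unhex('%s'))" % script.encode().hex()


def wrap_b64(script: str) -> str:
    """Constructed delivery wrapper B: base64-encode the script and eval it."""
    return "eval(atob('%s'))" % base64.b64encode(script.encode()).decode()


# Each unpacker recognises one wrapper shape and returns the inner script.
UNPACKERS = [
    (re.compile(r"^\s*eval\(unhex\('([0-9a-fA-F]*)'\)\)\s*$"),
     lambda enc: bytes.fromhex(enc).decode()),
    (re.compile(r"^\s*eval\(atob\('([A-Za-z0-9+/=]*)'\)\)\s*$"),
     lambda enc: base64.b64decode(enc).decode()),
]


def unpack(script: str, max_layers: int = 8) -> str:
    """Peel recognised wrappers, outermost first, until none match.

    The layer cap keeps a pathological nesting from looping forever.
    """
    for _ in range(max_layers):
        for pattern, decode in UNPACKERS:
            match = pattern.match(script)
            if match:
                script = decode(match.group(1))
                break
        else:
            return script  # no wrapper matched: this is the unpacked form
    return script


def normalise(script: str) -> str:
    """Collapse whitespace so cosmetic re-formatting does not alter the signature."""
    return re.sub(r"\s+", " ", script).strip()


def signature(script: str) -> str:
    """Signature over the unpacked, normalised form.

    SHA-256 of the text is a deliberately simple stand-in (assumption) for the
    structural signatures a tool like Kizzle would emit.
    """
    return hashlib.sha256(normalise(unpack(script)).encode()).hexdigest()


def surface_signature(script: str) -> str:
    """Naive signature over the delivered text as-is, for comparison."""
    return hashlib.sha256(script.encode()).hexdigest()


# The signature is derived once from the known unpacked form.
SIG = signature(UNPACKED_FORM)


def detect(script: str) -> bool:
    """True when the script unpacks to the signed form, whatever its wrapper."""
    return signature(script) == SIG


if __name__ == "__main__":
    a = wrap_hex(UNPACKED_FORM)
    b = wrap_b64(UNPACKED_FORM)
    # Two wrapper layers plus whitespace changes: a typical "re-packaging".
    c = wrap_b64(wrap_hex("  " + UNPACKED_FORM + "\n"))
    print(surface_signature(a) == surface_signature(b))  # False: surface signature misses the repack
    print(detect(a), detect(b), detect(c))               # True True True
```

The surface signature changes with every re-encoding, so a re-packager beats it for free; the unpacked-form signature only changes if the kit's core code itself changes, which is the "order of magnitude more difficult" job the comment describes. A real deployment also has to bound the unpacking work (the `max_layers` cap here) so that deeply nested wrappers cannot be used to exhaust the scanner.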

      1. Anonymous Coward

        Re: This:

        "It's feasible to build a space elevator. It doesn't mean we've got one, or that it'll be cheap or easy or likely to get one."

        Absolutely ridiculous comparison. We don't have space elevators because of physical and monetary constraints. We don't have the tech or materials to build one. We DO have computer code that can change itself to avoid detection and that's been around for 30 years and will only get better as the VX'ers improve their anti detection routines.

        We can now expect to see nearly all malware use polymorphism, in fact I will bet that an underground cybercrime forum starts to offer one (a kit to morph code) for sale.

        The reason modern malware is complex is because it has to be complex as computers and their languages are more complex, that's all... It doesn't matter whether it's written in Fortran, Algol, assembler, Java or bloody Sinclair BASIC... Look at ASLR, defeated within weeks and now an unnecessary complication. Yes it took some clever workaround programming but it was done. Stalemate again....

        Don't get me wrong, I'm not slagging MS, I love my Windows OS but it still seems that this is a little too late....It will provide 6 months respite while the cybercrims up the ante....

    2. Voland's right hand Silver badge

      Re: This:

      They were.

      The current generation of viruses and exploits is a major technological step backwards compared to some of the '90s nasties. During the '90s virus polymorphism was a given and the early rootkits were geared towards Linux and Unix systems and designed to hide from people with sysadmin skills. I remember having to fend off attacks with rootkits for Linux using in-place kernel patching, invisible modules, knock-to-open, etc. in 1996. Similarly, I remember dealing with polymorphic beasties 4 years prior when 1G of RAM with 384 used for a RAMDISK was a top-end machine.

      Both were light years ahead of what is the state of the art now.

      BackOrifice and the discovery that you can nail a population of unpatched Windows systems with significantly less effort undid the technological advances in both viruses and rootkits. Polymorphism is gone, advanced hiding techniques were dropped as unnecessary and show up only in the most advanced RATs and targeted attacks, etc.

  2. jake Silver badge

    Perhaps Redmond might look into ...

    ... learning to design an OS that isn't inherently insecure, instead? Would have saved a lot of people a lot of trouble, had they started on that track a couple of decades ago.

  3. Mark 85

    The key is the last line, maybe....

    The authors say the detection would best occur in the browser, adding that Kizzle fits "seamlessly" into existing anti-virus systems.

    Detection in the browser seems like a logical place, detecting it before the nasty can kick off and be installed. But, there's one more factor and that's the implementation. If it asks the user "stop this or go-ahead and run/install", we all know how that will turn out.
