For years, the Metasploit project has churned out more than a handful of exploit modules. These exploits are based on vulnerability research from the open-source community. Initially, software vendors were the ones most affected by these exploits, which forced Microsoft, Apple or Mozilla to issue urgent patches for the vulnerabilities they exposed.
On the other side of the coin, malware authors are quick to abuse these vulnerabilities: they use the exploit code to gain access to unpatched software. This is where security vendors come into play. Through pattern updates and heuristic detection, anti-virus companies race to detect known exploit code in order to protect their customer base.
However, with the release of VoMM (eVade-o-Matic Module), the challenge is now shifting from the software vendor to the security company. VoMM is an automated module developed in part by Metasploit (with LMH from Info-pull.com and Aviv Raff) that aims to make exploit code undetectable by anti-virus products. VoMM was initially designed for JavaScript-based exploits, but I think it is only a matter of time before Metasploit extends VoMM to other non-binary exploits.
To make the exploits it generates undetectable, VoMM employs the following techniques:
- White-space randomization
- String obfuscation and encoding
- Random comments; placement and manipulation of existing ones
- Block randomization
- Variables and function names randomization
- Integer and miscellaneous variables obfuscation
- Function pointer reassignment
In general, the techniques listed above are already used by malware authors. What VoMM does is make it easy for script kiddies to employ them. This will definitely raise the bar for the anti-virus community, which will need stronger scan engines: filtering out whitespace and comments, and the ability to de-obfuscate and trace randomized variables, will become commodity requirements.
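As an added illustration of the defensive side, here is a small Python normalizer (my own code, not part of Metasploit or VoMM) that undoes the cheap transformations from the list above before signature matching: it drops comments and whitespace, decodes `\xNN`/`\uNNNN` string escapes, folds hex integers to decimal and alpha-renames identifiers in order of first use, so that two VoMM-style variants of the same script collapse to one canonical form. The keyword/host-object list and the sample inputs are constructed for the example.

```python
import re

# Names that carry detection signal and must not be alpha-renamed
# (JS keywords plus a few host objects; extend as needed for a real engine).
KEEP = set("""break case catch continue default delete do else finally for
function if in instanceof new return switch this throw try typeof var void
while with true false null undefined document window navigator location
eval unescape escape String Array Math""".split())

# Minimal JS lexer: comments, string literals, whitespace, identifiers,
# numbers, anything else. Regex literals and template strings are not handled.
TOKEN = re.compile(r'''
      (?P<comment>/\*.*?\*/|//[^\n]*)
    | (?P<string>"(?:\\.|[^"\\\n])*"|'(?:\\.|[^'\\\n])*')
    | (?P<space>\s+)
    | (?P<ident>[A-Za-z_$][\w$]*)
    | (?P<number>0[xX][0-9a-fA-F]+|\d+(?:\.\d+)?)
    | (?P<punct>.)
''', re.S | re.X)

ESCAPE = re.compile(r'\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})')

def canon_string(tok):
    """Decode \\xNN / \\uNNNN escapes and re-quote with double quotes."""
    body = tok[1:-1]
    body = ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), body)
    body = re.sub(r"\\(['\"])", r"\1", body)      # unescape quoted quotes
    return '"' + body.replace('"', '\\"') + '"'

def normalize_js(src):
    """Return a canonical form of src that is stable under the VoMM-style
    whitespace, comment, string, integer and identifier randomizations."""
    out, names, prev = [], {}, ""
    for m in TOKEN.finditer(src):
        kind, tok = m.lastgroup, m.group()
        if kind in ("comment", "space"):
            continue                      # random comments/whitespace carry no meaning
        if kind == "ident" and tok not in KEEP and prev != ".":
            tok = names.setdefault(tok, "v%d" % len(names))  # rename by first use
        elif kind == "string":
            tok = canon_string(tok)
        elif kind == "number" and tok[:2].lower() == "0x":
            tok = str(int(tok, 16))       # 0x41 -> 65
        # keep a separating space only where two word-like tokens would fuse
        if out and re.match(r"[\w$]", out[-1][-1]) and re.match(r"[\w$]", tok[0]):
            out.append(" ")
        out.append(tok)
        prev = tok
    return "".join(out)
```

Property names after a dot (`document.write`) are deliberately left alone, since they are part of the API being called rather than a renamable local; string concatenation such as `"a"+"b"` is not merged, so a real engine would add constant folding on top of this.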
I’ve always believed that adversity is needed for something to evolve. The cheetah became the fastest land animal chasing the gazelle, the second fastest. It is through challenges posed by the environment that we become better at what we do. VoMM is one such challenge.