For years, the Metasploit project has churned up more than a handful of exploit codes. These exploit codes are based from vulnerability researches from the open-source community. Initially, the software vendors are the most affected by the outputs of these exploit codes – forcing Microsoft, Apple or Mozilla to issue urgent patches to address discovered vulnerabilities.
On the other side of the coin, malware authors are quick to abuse these vulnerabilities. They (malware authors), make use of exploit codes to gain access to an unpatched software. This is where security vendors come into play. Through pattern updates and heuristic detection, anti-virus companies race to detect known exploit codes to protect its consumer base.
In order to make exploits generated by VoMM undetectable, VoMM employs the following techniques:
- White-space randomization
- String obfuscation and encoding
- Random comments; placement and manipulation of existing ones
- Block randomization
- Variables and function names randomization
- Integer and miscellaneous variables obfuscation
- Function pointer reassignment
In general, the techniques mentioned above are already being implemented by malware authors. What VoMM does is to make it easier for script-kiddies to employ these techniques. This scenario will definitely raise the bar for the anti-virus community for stronger scan engines, since the demand for filtering out white-strings and comments, and the ability to obfuscate and trace randomized variables will be commoditized.
I’ve always believed that adversity is needed for something to evolve. The cheetah became the fastest land animal chasing the gazelle, the second fastest. It is through challenges posed by the environment that we become better at what we do. VoMM is one such challenge.