VoMM - eVade o' Matic Module
Today I will tell a story about some goings-on around the recent VML vulnerability in Internet Explorer.
So, eventually a Metasploit module was released for this vulnerability. However, if you look at that particular link, it looks just like any other exploit: there is no indication that it is using any anti-signature randomization, but it turns out it is. Previously, Aviv Raff had posted an article showing that by combining four methods he could make the VirusTotal detection count drop step by step until only one vendor flagged the file. When the Metasploit module eventually came out, it used two of the four techniques he had mentioned plus randomized JavaScript variable names. The resulting module was completely undetected by every vendor on VirusTotal.
Fast forward to the present. HD Moore, Aviv, and LMH (of current Month of Kernel Bugs fame) decided to get together to build a generic Metasploit module that incorporates all of these obfuscation techniques and lets any browser exploit be wrapped in it. LMH has the best description of the various techniques currently in use. Some of them will seem quite familiar to anyone who knows polymorphic shellcode or viruses, or the other traditional means of defeating signature-based systems. However, I believe this is the first time such techniques have all been pulled together and discussed in the context of JavaScript. Just to be clear, people were using obfuscated or encoded JavaScript extensively before this. See this ISC post for a detailed walkthrough of some JavaScript deobfuscation, or look here to see some of the nastiness for yourself. Now imagine it more skillfully obfuscated, because that is what VoMM is trying to do, and they have smart people thinking up ways to do it.
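To make the anti-signature idea concrete, here is a small added example of the kind of wrapper described above. It is not VoMM's code or the Metasploit module's code; it is an illustration written for this page. It takes a constructed stand-in for an exploit's JavaScript (the JS_TEMPLATE, the RENAMEABLE identifier list and the SIGNATURE string are all hypothetical), applies three of the techniques the post mentions (random variable names, string literals split into concatenated chunks, random comments between statements), and shows that a fixed byte signature matching the original no longer matches any generated copy, while the strings the page would actually build at runtime are unchanged.

```ruby
require 'securerandom'

# Constructed sample: a stand-in for the JavaScript a browser exploit module
# would emit. The "%u9090" payload is NOP filler, not a real exploit.
JS_TEMPLATE = <<~JS
  var shellcode = unescape("%u9090%u9090");
  var heapspray = new Array();
  for (var i = 0; i < 200; i++) { heapspray[i] = shellcode; }
  document.write("<div>trigger</div>");
JS

# Identifiers the template declares; only these are renamed, so calls such as
# unescape() and document.write() stay intact. (Hypothetical list.)
RENAMEABLE = %w[shellcode heapspray i].freeze

# Hypothetical byte signature a scanner might carry for the plain template.
SIGNATURE = 'var shellcode = unescape("%u9090'.freeze

def random_identifier(len = 8)
  first = [*'a'..'z', *'A'..'Z', '_']
  rest  = first + [*'0'..'9']
  first.sample + Array.new(len - 1) { rest.sample }.join
end

# Technique 1: rename every declared variable to a fresh random identifier.
# Returns the rewritten source and the old->new mapping.
def randomize_identifiers(js, names = RENAMEABLE)
  mapping = {}
  names.each do |name|
    candidate = random_identifier
    candidate = random_identifier while mapping.value?(candidate) || names.include?(candidate)
    mapping[name] = candidate
  end
  # \b stops "i" from matching inside words such as "write" or "div".
  pattern = /\b(#{names.map { |n| Regexp.escape(n) }.join('|')})\b/
  [js.gsub(pattern) { mapping[$1] }, mapping]
end

# Technique 2: split each double-quoted string literal into a concatenation of
# random-length chunks. The JavaScript engine rebuilds the original string at
# runtime, so behaviour is unchanged while the bytes on the wire differ.
def split_strings(js)
  js.gsub(/"([^"\\]*)"/) do
    body = $1.dup
    pieces = []
    pieces << body.slice!(0, rand(1..[body.length, 4].min)) until body.empty?
    pieces.empty? ? '""' : pieces.map { |p| "\"#{p}\"" }.join(' + ')
  end
end

# Technique 3: prefix each statement with a random comment, so even the layout
# differs between two generations of the same page.
def insert_junk(js)
  js.lines.map { |line| "/* #{SecureRandom.hex(4)} */ #{line}" }.join
end

# Wrap an exploit body with all three techniques, the way a generic wrapper
# module would for any browser exploit handed to it.
def obfuscate(js)
  renamed, mapping = randomize_identifiers(js)
  [insert_junk(split_strings(renamed)), mapping]
end

# Naive scanner: a fixed substring match, which is what the techniques defeat.
def matches_signature?(js, sig = SIGNATURE)
  js.include?(sig)
end

# Concatenate every string literal in source order; equal before and after
# obfuscation, which confirms splitting did not change what the page executes.
def literal_strings(js)
  js.scan(/"([^"\\]*)"/).flatten.join
end

if $PROGRAM_NAME == __FILE__
  obf, mapping = obfuscate(JS_TEMPLATE)
  puts obf
  puts "renamed: #{mapping.inspect}"
  puts "signature hit on original:   #{matches_signature?(JS_TEMPLATE)}"
  puts "signature hit on obfuscated: #{matches_signature?(obf)}"
end
```

Every run of the script produces a different page, and none of them contains the signature that matches the template. A scanner that wants to catch this has to look past the bytes, for example by emulating the script or by matching on what unescape() produces, which is exactly the "work around it" cost the post expects AV vendors to pay.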
The imminent demise of signature-based systems has long been predicted by those who have seen how easy they are to defeat. But signature-based systems are still here, so what's the deal? Well, that's a rather complex hypothetical; suffice it to say, I believe that AV will basically just work around this problem as they have been for the last however many years. While they're working on it, though, there is the potential for some nasty browser exploits.
