In a new technique, hackers are using AJAX (Asynchronous JavaScript and XML) to serve malware to users' computers in small chunks and then reassemble the payload on the user's machine after it has bypassed the antivirus filter.

Security researchers from Web filtering vendor M86 Security have detected Web exploitation attacks that use AJAX (Asynchronous JavaScript and XML) to fragment the payload into small pieces of code that are harder to detect by antivirus programs and intrusion prevention systems.

“The attack was observed on a currently running server located in China, which is serving malware,” said Moshe Basanchig, an M86 Security researcher, in a blog post on Tuesday.

The attack starts on a page that contains an innocuous-looking piece of JavaScript code, similar to that commonly found on legitimate AJAX-using websites.

This code is responsible for fetching the payload in multiple chunks and assembling it back together on the client before executing it. Different pages found by M86 on the attack server exploited vulnerabilities in unpatched versions of Flash Player and Internet Explorer.

This payload fragmentation technique makes it harder for signature-based security programs to detect the attacks: no single chunk contains the full pattern a signature looks for. Many Web filtering mechanisms are implemented as network filter drivers and monitor traffic as it passes through the network interface, inspecting each response on its own rather than the reassembled whole.
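As an added illustration (not code from the article or from M86), the following Python shows why a filter that scans each HTTP response on its own misses a pattern split across AJAX-fetched chunks, and two defender-side ways to close the gap: buffering the session, or carrying a signature-length tail across chunk boundaries. The signature and the chunks are constructed for the example.

```python
# Added example, not from the article or M86. All data below is constructed.

# Constructed stand-in for a real AV/IPS signature.
SIGNATURE = b"MALICIOUS_PAYLOAD_MARKER"

# Constructed responses as the page's JavaScript would fetch them one by one:
# the signature is split so that no single response contains the whole pattern.
CHUNKS = [
    b"<html><script>var p='';</script>MALICIOUS_P",
    b"AYLOAD_MAR",
    b"KER</html>",
]


def scan_per_chunk(chunks, signature=SIGNATURE):
    """Per-response scanning, as a filter driver that looks at each HTTP response
    in isolation would do. Returns the indexes of chunks that match (none here)."""
    return [i for i, chunk in enumerate(chunks) if signature in chunk]


def scan_reassembled(chunks, signature=SIGNATURE):
    """Session-level scanning: buffer every response from one client/origin pair
    and scan the concatenation. Returns the match offset, or -1 if absent."""
    session_buffer = b"".join(chunks)
    return session_buffer.find(signature)


def scan_streaming(chunks, signature=SIGNATURE):
    """Streaming scan without buffering the whole session: keep only the last
    len(signature)-1 bytes of the previous chunk so a pattern that straddles a
    boundary is still seen. Returns the index of the chunk in which the match
    completes, or -1."""
    tail = len(signature) - 1
    carry = b""
    for i, chunk in enumerate(chunks):
        window = carry + chunk
        if signature in window:
            return i
        # A tail of 0 would make window[-0:] the whole window; guard that case.
        carry = window[-tail:] if tail else b""
    return -1
```

The per-chunk scan is the one that fails; either of the other two detects the same payload once the chunks are seen together.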
