VoMM: Taking browser exploits to the next level



Exploits for browser vulnerabilities are here to stay.
Most security products today are using reactive methods (signatures)
to detect the specific exploit, instead of trying to detect the
general case of the vulnerability exploitation. I already demonstrated
that evading those signatures is very easy.

H.D. Moore, LMH, and I have decided to generalize the evasion methods
and package them all into one project.

Introducing: VoMM (eVade-o-Matic Module for Metasploit) - Taking
browser exploits to the next level.
The purpose of this project is to create a module for Metasploit that
will take any given browser exploit and make it as undetectable as
possible.

Currently, most anti-virus signatures rely on "variants", meaning
any little change in the malicious code is considered by the AV as a
new variant.
The VoMM project shows that this procedure cannot be applied to
browser exploits, as each exploit can have an endless number of
"variants" with no change to the server-side code.

http://aviv.raffon.net/2006/10/15/VoMMTakingBrowserExploitsToTheNextLevel.aspx

-- Aviv.


