Researchers create automated signature compiler for exploit detection
A trio of researchers from Microsoft and University of Erlangen-Nuremberg have created Kizzle, a compiler for generating signatures for detecting exploit kits delivering JavaScript to browsers.
The problem of creating accurate malware and exploit signatures quickly is an old one, and this new tool is apparently able to do it within hours of a new kit's discovery. What's more, these automatically created signatures are even better than hand-written ones, the researchers found.
“Our approach will reduce the imbalance between the attacker who often only needs to make cosmetic changes to their malware to thwart detection, and the defender, whose role requires much manual effort,” they noted in their paper.
By analyzing code found in exploit kits, the researchers noted that while the actual JavaScript delivered by kits varies greatly, the code – after being sufficiently unpacked and deobfuscated – shows much less variety.
The fact that exploit kit authors often reuse much of the code from old kit versions in newer versions allows Kizzle to quickly respond to superficial but frequent changes in exploit kits.
“At the heart of Kizzle is a malware clustering approach that matches new malware clusters with previously-recognized malicious clusters by understanding the process of malware unpacking,” they explained. These clusters are the basis on which Kizzle creates AV signatures.
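The idea that cosmetically different samples collapse onto the same form once unpacked, and can then be clustered and turned into a signature, can be shown with a toy. The following is an added illustration, not Kizzle's code or the paper's method: it stands in for real unpacking with two simple normalizations (joining split string literals and renaming identifiers in first-seen order), groups samples by their normalized form, and treats the normalized form of a known-bad cluster as a signature. The four samples and the `normalize`, `cluster`, `buildSignatures` and `matches` functions are all constructed for this example.

```javascript
// Added example (not from Kizzle): normalize cosmetically varied JavaScript
// snippets, cluster them by normalized form, and match new samples against
// the cluster form used as a signature. All samples are constructed toys.

// Split source into string literals, identifiers/keywords, numbers and
// single punctuation characters. A real system would use a JS parser.
function tokenize(src) {
  const re = /"[^"]*"|'[^']*'|[A-Za-z_$][\w$]*|\d+|[^\s\w$"']/g;
  return src.match(re) || [];
}

const RESERVED = new Set([
  'var', 'let', 'const', 'function', 'return', 'new', 'if', 'else',
  'document', 'window', 'eval',
]);

const isStr = (t) => t[0] === '"' || t[0] === "'";

// Toy "unpacking": fold "a" + "b" into "ab", canonicalize quoting, and
// rename every non-reserved identifier to v0, v1, ... in first-seen order,
// so variable renaming and whitespace changes no longer matter.
function normalize(src) {
  const joined = [];
  for (const t of tokenize(src)) {
    const last = joined.length - 1;
    if (isStr(t) && last >= 1 && joined[last] === '+' && isStr(joined[last - 1])) {
      const left = joined[last - 1].slice(1, -1);
      joined.splice(last - 1, 2, '"' + left + t.slice(1, -1) + '"');
    } else {
      joined.push(t);
    }
  }
  const names = new Map();
  const out = joined.map((t) => {
    if (/^[A-Za-z_$]/.test(t) && !RESERVED.has(t)) {
      if (!names.has(t)) names.set(t, 'v' + names.size);
      return names.get(t);
    }
    if (t[0] === "'") return '"' + t.slice(1, -1) + '"';
    return t;
  });
  return out.join(' ');
}

// Group samples whose normalized forms are identical.
function cluster(samples) {
  const clusters = new Map(); // normalized form -> original samples
  for (const s of samples) {
    const key = normalize(s);
    if (!clusters.has(key)) clusters.set(key, []);
    clusters.get(key).push(s);
  }
  return clusters;
}

// A signature here is just the normalized form of a known-bad sample;
// a candidate matches if it normalizes to the same form.
function buildSignatures(knownBad) {
  return new Set(knownBad.map(normalize));
}

function matches(signatures, sample) {
  return signatures.has(normalize(sample));
}

// Constructed samples: the first three differ only cosmetically
// (variable names, whitespace, quoting, how the string is split);
// the fourth has a different structure.
const SAMPLES = [
  'var a = "sh" + "ell"; var b = document; b.write(a);',
  'var  zx9 = "she" + "ll";var qq=document;  qq.write( zx9 );',
  "var q='shell';var w=document;w.write(q);",
  'var k = "hello"; document.write(k);',
];

function demo() {
  const clusters = cluster(SAMPLES);
  for (const [form, members] of clusters) {
    console.log(`${members.length} sample(s) -> ${form}`);
  }
  const sigs = buildSignatures([SAMPLES[0]]);
  console.log('variant 2 matches:', matches(sigs, SAMPLES[1]));
  console.log('unrelated matches:', matches(sigs, SAMPLES[3]));
  return clusters.size;
}

demo();
```

The point of the toy is the direction of effort: a defender writing a signature against the raw source has to chase every renamed variable and re-split string, whereas a signature on the normalized form survives those changes; only a structural change to the kit, which is the expensive one for the attacker, forces a new cluster.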
The tool is designed to run in the cloud, and is capable of analyzing large volumes of streaming data. Also, to be clear, Kizzle focuses on making signatures for exploit kits only.
However promising their results seem to be, the researchers added that their work and additional testing has just begun, that their current results are limited, and that there are a number of issues to be solved and parameter values to be adjusted.