Security firms dismiss English shellcode threat

IT security experts have dismissed a research paper warning about malware that can be hidden within what appears to be plain English prose, noting that this threat is nothing new.
In a recent report titled "English Shellcode", the four authors wrote that their ability to automatically generate such code debunked "the common belief that components of polymorphic shellcode cannot reliably be hidden".
Shellcode, which refers to a set of machine instructions that acts as the payload of an exploit, is typically different from non-executable data such as plain text.
The researchers, the majority of whom hail from academic backgrounds, said shellcode can, on the contrary, be disguised as pseudo-English text resembling spam, because some ASCII character strings and native machine instructions "have identical byte representations".
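To illustrate the "identical byte representations" point, here is an added example (not code from the article or from the paper's authors): a small 32-bit x86 decoder restricted to opcodes that fall in the printable-ASCII range, showing that an ordinary-looking string such as "PUSHPOP" is also a run of valid instructions. The opcode subset and the sample strings are this example's own constructions, and ModRM-based instructions are deliberately left out.

```python
# Added example (not from the article or the paper): a minimal 32-bit x86
# decoder restricted to printable-ASCII opcodes (0x20-0x7e), showing why a
# "does this look like text?" check cannot separate prose from executable bytes.
import struct
REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
JCC = ["jo", "jno", "jb", "jae", "je", "jne", "jbe", "ja",
       "js", "jns", "jp", "jnp", "jl", "jge", "jle", "jg"]
# opcode -> (mnemonic template, operand kind); ModRM forms are left out for brevity
PRINTABLE_OPCODES = {
    0x24: ("and al, {}", "imm8"), 0x25: ("and eax, {}", "imm32"),
    0x2c: ("sub al, {}", "imm8"), 0x2d: ("sub eax, {}", "imm32"),
    0x34: ("xor al, {}", "imm8"), 0x35: ("xor eax, {}", "imm32"),
    0x3c: ("cmp al, {}", "imm8"), 0x3d: ("cmp eax, {}", "imm32"),
    0x60: ("pushad", ""), 0x61: ("popad", ""),
    0x68: ("push {}", "imm32"), 0x6a: ("push {}", "imm8"),
}
for i, r in enumerate(REGS32):           # '@'..'_' are inc/dec/push/pop reg
    PRINTABLE_OPCODES[0x40 + i] = (f"inc {r}", "")
    PRINTABLE_OPCODES[0x48 + i] = (f"dec {r}", "")
    PRINTABLE_OPCODES[0x50 + i] = (f"push {r}", "")
    PRINTABLE_OPCODES[0x58 + i] = (f"pop {r}", "")
for i, cc in enumerate(JCC[:15]):        # 'p'..'~' are short conditional jumps
    PRINTABLE_OPCODES[0x70 + i] = (f"{cc} {{}}", "rel8")

def decode_printable(data: bytes):
    """Return the instruction list if every byte decodes as x86, else None."""
    out, i = [], 0
    while i < len(data):
        entry = PRINTABLE_OPCODES.get(data[i])
        if entry is None:
            return None                  # not an opcode we model
        text, kind = entry
        i += 1
        size = {"": 0, "imm8": 1, "rel8": 1, "imm32": 4}[kind]
        if i + size > len(data):
            return None                  # truncated operand
        if kind == "imm32":
            out.append(text.format(hex(struct.unpack_from("<I", data, i)[0])))
        elif kind == "imm8":
            out.append(text.format(hex(data[i])))
        elif kind == "rel8":
            out.append(text.format(f"{struct.unpack_from('<b', data, i)[0]:+d}"))
        else:
            out.append(text)
        i += size
    return out

if __name__ == "__main__":               # constructed sample: a word that is also code
    print(decode_printable(b"PUSHPOP"), decode_printable(b"Hello"))
```

Bytes outside the modelled subset (such as the segment prefix 0x65, the letter "e") make the function return None, which is the honest answer for this cut-down decoder, not proof that the text is harmless.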
Security experts, however, told ZDNet Asia that the threat is not new and unlikely to make much of an impact on the security landscape.
Paul Ducklin, Asia-Pacific head of technology at Sophos, pointed out that "producing printable-yet-executable machine code isn't something new" and is similar to the Eicar (European Institute for Computer Antivirus Research) test file, which was created 20 years ago to validate the operation of antivirus software.
According to Ducklin, all shellcode can be hard to detect "not so much because of how it's encoded--whether as unobfuscated Intel instructions, Java bytecode or broken English--but because it can crop up at unexpected locations in malicious files".
"Shellcode is almost always in a part of a file that shouldn't need to be scanned at all," he explained. "So the complexity of detecting shellcode is almost always in how you take potentially dangerous files apart in the first place, rather than how you scan the taken-apart file for threats."
Effective antivirus tools are able to locate malicious or unwanted machine code embedded in a "possibly enormous" program consisting almost entirely of machine code, said Ducklin. "This, in my opinion, is a much trickier problem than detecting 'English' shellcode," he noted.
"Since we are already facing up to and dealing with a problem tougher than that of detecting 'English' shellcode, I don't think anyone needs to be worried by this new report.
"In short, I am afraid to have to say to the U.S. academics who wrote this paper, 'Guys, you've got too much time on your hands'," mused Ducklin.
Vitaly Kamluk, director of research at Kaspersky Lab, concurred that the report is unlikely to have an impact on the security landscape. "It is not a new type of threat, just a variation of an existing one," he pointed out.
Kamluk added that churning out such code is an extremely laborious task and therefore will not attract much attention from cybercriminals. "The complexity of this type of code is tremendous and the probable return is small," he said.
Ronnie Ng, Symantec's systems engineering manager for Singapore, added that issues associated with the technique made it "very unlikely to be practical and used in the wild".
Ng explained: "First, even if the sentence represents some machine code on a byte level, it will not be executed unless it is loaded and processed by the CPU as actual executable code. Otherwise, if the CPU understands the bytes simply as a representation of characters, it will just attempt to display the code as characters and no damage is actually executed.
"The other challenge is trying to find the words or word sequences that would execute what the attacker wants it to do… It would take a fair amount of computing power to find such strings."
Cybercriminals, he noted, generally target low-hanging fruit and more popular technologies so they are more likely to focus on methods that can produce maximum results with minimum effort.
Evolving security landscape
Danny Siew, Trend Micro's Asia-Pacific senior director for technical support, said the latest research is a reminder that users need to be adequately protected as the security landscape is constantly evolving and threats increasingly sophisticated.
"The major issue [here] is, at a single glance, it is hard to tell if a 'package' is malicious or not," he pointed out. "The creation and subsequent delivery of these threats underscore the need for users to employ a holistic, multilayered solution that protects them from the cloud to the endpoint."
Symantec's Ng added: "One thing is resoundingly clear: basic security protection is not good enough. An inflection point has been reached where new malicious programs are being created at a higher rate than good programs."
The variety and sophistication of threats are rendering traditional approaches to antivirus ineffective, he said. Instead of focusing solely on analyzing malware, security software now scans files using methods such as whitelisting and reputation-based security.
A co-author of the paper did not respond to e-mail queries from ZDNet Asia.