VoMM – a New Disguise of Browser Exploits

'Metasploit' is famous for publishing 'exploit code' for testing attacks by its flagship. On 7th October 2006, Symantec warned about release of new module by 'Metasploit' that could disguise any browser exploit and hide from detection by signature-based defenses. The module is called "eVade O' Matic Module" (VoMM) and its creators are H.D. Moore, Aviv Raff and someone who calls himself only as "LMH". When this module is set to any browser exploit code, it conceals the exploit from signature-based security systems.

The VoMM software mixes different techniques with a known exploit code that turns it unrecognizable to certain types of anti-virus solutions. As said by Aviv Raff, one of the developers, VoMM can create an unlimited number of variants of any exploit.

Today, since most anti-virus signatures work on 'variants', AV considers even a slight change in a particular malicious code as a new variant. As per a blog posting by LMH, the module facilitates several techniques to render browser exploits undetectable.

Signature-based anti-virus software works by assessing known malicious code to create a 'digital fingerprint' that enables the anti-virus product to identify the malware. To this, VoMM adds components like tab, space, and random comments and names (not included in the signatures) to make the software/ malware, which can escape detection.

By using a 'server-side scripting technology', the software creates new versions of the exploit code. These are delivered on the user's browser when he visits the hacker's website. VoMM customizes a number of changes to the code without affecting its functionality, to create new version of the malware that is undetectable by 'signature-based' solutions.

Raff said that the VoMM code would be included in the upcoming 3.0 version of the 'Metasploit' hacking tool.

H.D. Moore successfully applied several techniques to design an exploit to the VML vulnerability in Internet Explorer. All 26 virus scanning engines including Grisoft, McAfees, Microsoft, Symantec, Kaspersky and others were unable to detect the exploit.

In an alert notice Symantec said that the new module will make identification of new attacks much harder. This means malware detection programs will have to innovate techniques to enable control of the changing attacks.

» SPAMfighter News - 10/23/2006