Yet another evolutionary path that malicious code has taken recently has been what has been dubbed “Late Binding Malcode”. While this is an apt name, it doesn’t really describe what these evolved malicious payloads are doing. So, without further ado, here is my explanation 🙂
Typically, when malicious software or a payload gets executed on a victim’s system, it comes in through one of a few (but widely available) avenues:
Trojanized legitimate software
Web- or email-borne content like malicious websites, ads, emails, etc.
Direct attacks against a system’s software, for instance a running TeamSpeak/Skype/Twitter client.
Most modern defenses built into your firewalls/routers/Wi-Fi, operating systems, and even security software like anti-virus are built on the premise that the code has a signature of some sort, whether that signature is a common string of data/text in the attack or a common behavioral pattern that the defense can detect and block.
Late Binding Malcode, also called “Just-in-time malware”, is a development intended to prevent detection by the defenses mentioned above. The simplest example is a piece of trojanized software downloading small pieces of the actual malicious payload and compiling (building) the payload locally on the victim system. This “after-the-fact” building causes problems for detection, since each piece can be downloaded at randomized times, from randomized download locations, with randomized filenames, randomized encryption, etc. After it is built and executed it looks like normal behavior to most AV systems, since the JIT malware didn’t come directly from the internet (it was pulled down in random pieces) and was built by the user of the system, which automagically makes it OK!
The salami/omelet attack example above doesn’t do justice to how evasive this can get. For instance, it can bring in pieces and store them anywhere on the victim system, keep whole libraries of evasive code lying around as benign-looking files (encrypted to defeat AV), and JIT-build specific attacks based on what you use. Say you use a Windows 8/10 system and typically open Firefox to access your banking information: the malcode can JIT-build a specific hook into Firefox, built to evade detection by your installed security software and specifically built not to crash or cause events to be logged on Windows, and all the building blocks will then be removed or re-encrypted to prevent later detection. This new “extension” to Firefox will present you a perfect copy of your bank’s login screen but will sit in between you and the bank collecting your login. That same extension can later open a hidden Firefox window, log in to your bank again using your credentials, and give the bad guys direct access to your bank from your computer and your browser.
Another interesting piece of this is that the advanced sandboxing of malicious code used by enterprises and large security services has a very hard time detecting the malicious parts, since they are very random and use evasion techniques like only downloading one small piece of the payload every 24 hours or so. These sandboxes are not equipped to handle week- or month-long collections of the bad code. And even if they do happen to catch the code getting compiled, they will still have a hard time seeing whether it is malicious, because the code being seen is set up to “work with” the victim, not execute on its own.
The sky isn’t falling, though: this JIT building has been partially broken by the newer versions of endpoint security (network controls are, for now, ineffective at blocking this). The newer endpoint security suites do follow real-time compilations, even by users and OS processes, and have built signatures for activities that look suspicious. So if you don’t click OK for everything when opening your browsers/email clients and run a new version of your favorite flavor of endpoint security, you will likely block many of the JIT attacks.
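To make the two points above concrete (a short sandbox run cannot see a drip of fragments spread over days, while an endpoint agent that follows real-time compilation can), here is an added detection sketch. It is example code written for this post, not tooling from the author or from any endpoint security product. It runs two heuristics over a constructed, Sysmon-style event list: flag a compiler spawned by a user-facing application whose output is then executed, and flag a process that writes many small files into one directory across at least two days. The event fields, the compiler and "developer parent" name lists, the thresholds, and the sample paths are all assumptions.

```python
"""Detection sketch for staged ("late binding" / JIT-built) payloads.

Two heuristics run over a constructed, Sysmon-style event list:
  1. a user-facing application (browser, mail client) spawns a compiler, and
     the compiler's output is executed shortly afterwards;
  2. one process drips small files into one directory over several days, a
     pattern a few-minute sandbox run cannot see in full.
Event fields, process names and thresholds are assumptions for this example.
"""
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

COMPILERS = {"csc.exe", "vbc.exe", "msbuild.exe", "cl.exe", "ilasm.exe"}
# Parents for which spawning a compiler is expected (assumed allowlist).
DEV_PARENTS = {"devenv.exe", "cmd.exe", "powershell.exe", "code.exe", "make.exe"}


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def _proc(ts, pid, image, parent):
    return {"kind": "process", "ts": ts, "pid": pid, "image": image, "parent": parent}


def _file(ts, pid, proc, path, size):
    return {"kind": "file", "ts": ts, "pid": pid, "proc": proc, "path": path, "size": size}


TMP = r"C:\Users\u\AppData\Local\Temp\cache"
# Constructed sample: four small fragments arrive once a day, then the browser
# spawns csc.exe, which writes upd.exe, and the browser launches it. A developer
# build from Visual Studio is included as a benign control.
EVENTS = [
    _file("2019-03-01 09:00", 4100, "firefox.exe", TMP + r"\a1.dat", 2048),
    _file("2019-03-02 08:55", 4233, "firefox.exe", TMP + r"\b7.dat", 3100),
    _file("2019-03-03 09:10", 4310, "firefox.exe", TMP + r"\c3.dat", 1900),
    _file("2019-03-04 09:02", 4402, "firefox.exe", TMP + r"\d9.dat", 2600),
    _proc("2019-03-04 09:05", 5001, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", "firefox.exe"),
    _file("2019-03-04 09:05", 5001, "csc.exe", TMP + r"\upd.exe", 180224),
    _proc("2019-03-04 09:06", 5002, TMP + r"\upd.exe", "firefox.exe"),
    _proc("2019-03-04 10:00", 6001, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", "devenv.exe"),
    _file("2019-03-04 10:00", 6001, "csc.exe", r"C:\src\app\bin\app.exe", 51200),
    _proc("2019-03-04 10:01", 6002, r"C:\src\app\bin\app.exe", "devenv.exe"),
]


def compiled_then_executed(events, window=timedelta(hours=1)):
    """Heuristic 1. Returns (parent, compiler, output_path) for every compiler
    launched by a non-developer parent whose written output is executed
    within `window` of being written."""
    procs = [e for e in events if e["kind"] == "process"]
    files = [e for e in events if e["kind"] == "file"]
    hits = []
    for c in procs:
        name = ntpath.basename(c["image"]).lower()
        if name not in COMPILERS or c["parent"].lower() in DEV_PARENTS:
            continue
        for out in (f for f in files if f["pid"] == c["pid"]):
            for p in procs:
                delay = _t(p["ts"]) - _t(out["ts"])
                if p["image"].lower() == out["path"].lower() and timedelta(0) <= delay <= window:
                    hits.append((c["parent"], name, out["path"]))
    return hits


def slow_fragment_drip(events, min_files=4, min_span=timedelta(hours=48), max_size=64 * 1024):
    """Heuristic 2. Returns (process, directory, count, span_hours) for each
    process that wrote at least `min_files` files of at most `max_size` bytes
    into one directory across a period of at least `min_span`."""
    groups = defaultdict(list)
    for e in events:
        if e["kind"] == "file" and e["size"] <= max_size:
            groups[(e["proc"], ntpath.dirname(e["path"]))].append(_t(e["ts"]))
    hits = []
    for (proc, d), times in groups.items():
        span = max(times) - min(times)
        if len(times) >= min_files and span >= min_span:
            hits.append((proc, d, len(times), span.total_seconds() / 3600))
    return hits


def within_run(events, start, run_length=timedelta(minutes=10)):
    """The slice of the feed a short analysis run starting at `start` would see."""
    s = _t(start)
    return [e for e in events if s <= _t(e["ts"]) <= s + run_length]


if __name__ == "__main__":
    print("compile-and-run chains:", compiled_then_executed(EVENTS))
    print("slow fragment drips:", slow_fragment_drip(EVENTS))
    print("drips seen by a 10-minute run:", slow_fragment_drip(within_run(EVENTS, "2019-03-01 08:58")))
```

Run as-is, the first heuristic flags the csc.exe launched from firefox.exe (and ignores the identical build started from devenv.exe), the second flags the four-file drip into the Temp directory spanning roughly 72 hours, and the same drip check over a ten-minute slice of the feed returns nothing, which is the sandbox blind spot described above. On a real host the events would come from an endpoint agent that retains history across days, not from a single detonation.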
Stay vigilant!
-PseudoSudo