Nozzle to Zozzle: Microsoft's Expanding Security Arsenal
Essentially, attackers had learned to circumvent the randomly generated base-addresses in the heap (data structure) on a PC by allocating, or "spraying," large quantities of exploit code into the PC’s memory base. Although an element of luck is involved, if done on a massive scale this tack eventually finds the right vulnerability. Thus the massive rise of drive-by-downloads launched on unsuspecting users through Web-based executable code exploits.
If it is a Web page, a PDF, or a Flash file, any form of data can be used for exploitation. Through steganographic techniques (hiding messages within other files) malware has been even found embedded in image file comment fields, documents, and dynamic-link libraries. From the attackers’ point of view, it actually only takes 10 lines of code to launch an onslaught, and, as an exploit, it is a dream to most hackers.
Zozzle’s test results from Microsoft’s research show a 59 percent improvement over current detection rates from Google's SafeBrowsing. According to Microsoft: “SafeBrowsing detects less than half of the URLs found by ZOZZLE,” and “ZOZZLE finds many more malware pages than NOZZLE.”
The advantage of Zozzle appears to be its detection of malicious code, as opposed to attack detection. Zozzle achieves de-obfuscation by using contextual information available in the program’s Abstract Syntax Tree (AST).
If we look at Microsoft overall, Zozzle would be the latest addition to a growing list of security products that are now all free. We have the Microsoft Windows Malicious Software Removal Tool, which checks computers running Windows 7, Windows Vista, Windows XP, Windows 2000, and Windows Server 2003 for infections of malicious software and helps remove any infection found. Microsoft estimates that its package has cleaned 46.5 million PCs, or 7.76 percent of 600 million PCs running Windows in 11 countries -- US, Brazil, China, France, Spain, UK, South Korea, Germany, Italy, Russia, and Mexico -- just in the first half of 2010.
Microsoft also provides a free download of Microsoft Security Essentials for real-time protection against viruses, spyware, and other malicious software. Also, the “Smart Screen Filter” in Internet Explorer 8 currently provides for a dynamically updated list of reported phishing and malware sites.
Presumably, Zozzle will be part of that whole Internet Explorer suite. However, the Zozzle technical paper provides a fairly extensive array of algorithms, so this may be a major change from Microsoft, potentially ushering in a new era of open-source Microsoft security technology.
With this, let us hope Microsoft allows Zozzle’s code to be used by other developers so it could eventually be available as a plug-in for other browsers, not just Microsoft’s.