Script fragmentation attack
Websense security researcher Stephan Chenette has found a new web attack vector that could potentially render desktop and gateway antivirus products useless. Like TCP fragmentation attacks, this technique breaks a web exploit into small chunks and sends them out one after another, in a synchronous manner, to bypass anti-malware signature detection.
Let's look at how this attack works on a simple example. The malware author writes benign client code and embeds it in a web page. The only content on the initial page is a small JavaScript routine using XHR or XDR (XDR/XHR allows data to be wrapped in an architecture-independent manner so it can be transferred between heterogeneous computer systems; it is widely used in applications that exchange data between such systems). This code contains no actual malicious content, and the same type of code can be found on many of the major legitimate Web 2.0 sites. When a user visits the page, the JavaScript slowly requests more code from another web server, only a few bytes at a time, so the user's anti-virus engine only ever gets to analyze a few seemingly innocuous bytes as it tries to determine whether or not the site contains malware.
Once received, the data is stored in an internal JavaScript variable. The client keeps requesting more until all of the code has been transferred. JavaScript is then used to create a <script> element within the DOM (Document Object Model) of the browser. This changes the DOM and causes the code in the script element to execute.
Why won't an anti-malware engine detect such malicious code? The answer is simple. No actual code ever hits the file system, because all manipulation occurs entirely in memory. Furthermore, any content transferred over the network arrives in such small fragments that the AV parsing engine won't have enough context or information to match any signatures.
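To make the detection gap concrete from the gateway's side, here is an added example (not Websense's or the article's code) that scans a constructed stream of tiny XHR responses first fragment by fragment and then after per-session reassembly. The signature strings, the session id and the chunk size are all made up for the demonstration; the "engine" is a plain substring match standing in for a real AV signature matcher.

```python
"""Per-fragment vs. reassembled signature scanning (constructed example)."""
from dataclasses import dataclass
from typing import Dict, Iterator, List

# Constructed stand-in for an AV signature list; not real malware strings.
SIGNATURES = [b"eval(unescape(", b"document.write('<iframe"]


@dataclass
class Fragment:
    session: str  # client/server pair this response belongs to
    seq: int      # order in which the client requested it
    body: bytes   # the few bytes returned by this XHR/XDR response


def make_fragments(session: str, payload: bytes, size: int) -> Iterator[Fragment]:
    """Build constructed test input: a payload delivered `size` bytes per response."""
    for i in range(0, len(payload), size):
        yield Fragment(session, i // size, payload[i:i + size])


def scan_bytes(data: bytes) -> List[bytes]:
    """Naive signature engine: report every signature present in data."""
    return [sig for sig in SIGNATURES if sig in data]


def scan_per_fragment(frags: List[Fragment]) -> List[bytes]:
    """What a gateway sees when each response is scanned in isolation."""
    hits: List[bytes] = []
    for f in frags:
        hits.extend(scan_bytes(f.body))
    return hits


class SessionReassembler:
    """Buffer small responses per session and scan the reassembled stream.

    Only the last `window` bytes per session are kept, so memory stays bounded;
    a signature longer than the window cannot be matched (known limitation).
    """

    def __init__(self, window: int = 4096) -> None:
        self.window = window
        self.buffers: Dict[str, bytearray] = {}
        self.requests: Dict[str, int] = {}
        self.total_bytes: Dict[str, int] = {}
        self.reported: Dict[str, set] = {}

    def feed(self, frag: Fragment) -> List[bytes]:
        """Append one response; return signatures newly matched in the session."""
        buf = self.buffers.setdefault(frag.session, bytearray())
        buf.extend(frag.body)
        del buf[:-self.window]  # keep only the tail of the stream
        self.requests[frag.session] = self.requests.get(frag.session, 0) + 1
        self.total_bytes[frag.session] = self.total_bytes.get(frag.session, 0) + len(frag.body)
        seen = self.reported.setdefault(frag.session, set())
        new = [s for s in scan_bytes(bytes(buf)) if s not in seen]
        seen.update(new)
        return new

    def chatty_sessions(self, min_requests: int, max_avg: int) -> List[str]:
        """Heuristic: many tiny responses in one session is itself worth flagging."""
        return [s for s, n in self.requests.items()
                if n >= min_requests and self.total_bytes[s] / n <= max_avg]
```

Run on the constructed stream, per-fragment scanning returns nothing while the reassembler matches the signature as soon as enough bytes have accumulated, and the request-count heuristic flags the session independently of any signature.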
Security experts say that this is not actually a browser vulnerability; it merely takes advantage of the way browsers work. Disabling JavaScript will definitely protect you from this type of attack, but it's not a suitable solution for most web users.
Posted at 07:54AM Nov 24, 2008 by admin in Security