Nazario says he and fellow researchers can also detect IRC bots, and shut them down, too. "If we didn't have visibility into what the obfuscated exploits were doing, we wouldn't get any of that."
It comes down to attackers shifting their focus toward clients, namely Web browsers. "They used to wait for you to come to them as clients." But now more attackers are targeting the browser itself, he says. "We are seeing a lot of attacker interest recently in this."
There are around 10 major encoder/decoder tools available today, according to Nazario, including HTML Protector, Advanced HTML Protector, and ScriptAsylum.
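To make the analyst's side of this concrete, here is an added example (not code from the article, from Nazario, or from any of the tools it names) that statically peels percent-encoded script layers of the kind these "protector" encoders emit. The `document.write(unescape("..."))` stub shape is an assumption about how such tools wrap their output, and the sample input is constructed inside the block rather than captured from a real page; the point is that decoding is done as a plain string transform, so nothing is ever handed to a script engine.

```javascript
// Added example (not from the Dark Reading article or the tools it names).
// Static peeling of percent-encoded script layers: the analyst-side view of
// the kind of encoding "HTML protector" style tools produce. The exact stub
// shape, document.write(unescape("...")), is an assumption; the sample input
// below is constructed here, not captured from a real page.

// Decode %XX and %uXXXX sequences as a pure string transform, so the
// payload is never evaluated by a script engine.
function decodeEscaped(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g, (m, u, b) =>
    String.fromCharCode(parseInt(u !== undefined ? u : b, 16)));
}

// Pull out the string argument of every unescape("...") call in a layer.
function findEscapedStrings(src) {
  const re = /unescape\(\s*(["'])([^"']*)\1\s*\)/g;
  const found = [];
  let m;
  while ((m = re.exec(src)) !== null) found.push(m[2]);
  return found;
}

// Repeatedly decode: each round's decoded text becomes the next round's
// input until no unescape() call is left. Returns every layer seen, layer 0
// being the original source and the last being the plaintext payload.
function peelLayers(src, maxLayers = 10) {
  const layers = [src];
  let current = src;
  for (let i = 0; i < maxLayers; i++) {
    const encoded = findEscapedStrings(current);
    if (encoded.length === 0) break;
    current = encoded.map(decodeEscaped).join('\n');
    layers.push(current);
  }
  return layers;
}

// Cheap triage on a layer: which markers a detection rule would flag.
const INDICATORS = ['<script', '<iframe', 'eval(', 'document.write', 'unescape('];
function indicatorsIn(text) {
  const lower = text.toLowerCase();
  return INDICATORS.filter((k) => lower.includes(k));
}

// --- constructed sample input -------------------------------------------
// Encode every UTF-16 unit as %XX (or %uXXXX), then wrap it in the assumed stub.
function escapeAll(s) {
  return s.split('').map((ch) => {
    const code = ch.charCodeAt(0);
    return code < 256
      ? '%' + code.toString(16).toUpperCase().padStart(2, '0')
      : '%u' + code.toString(16).toUpperCase().padStart(4, '0');
  }).join('');
}
function wrapInStub(s) {
  return 'document.write(unescape("' + escapeAll(s) + '"))';
}

// Two layers of encoding around a harmless iframe pointing at a reserved
// placeholder domain (constructed, not a real indicator).
const INNER = '<iframe src="http://example.invalid/"></iframe>';
const SAMPLE = wrapInStub('<script>' + wrapInStub(INNER) + '</script>');

// Walk the layers and print what an analyst would look at.
peelLayers(SAMPLE).forEach((layer, i) => {
  console.log(`layer ${i}: indicators=${JSON.stringify(indicatorsIn(layer))}`);
  console.log('  ' + layer.slice(0, 80) + (layer.length > 80 ? '...' : ''));
});
```

Running it prints three layers: the outer stub, the decoded middle layer (which still contains a `document.write(unescape(...))` call), and finally the plain iframe. Real samples add arithmetic on character codes, string splitting, or `eval` of a built-up string on top of this, which is why a sandboxed or instrumented browser is the usual next step once static peeling stops making progress.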
Being able to reverse-engineer malware lets an analyst determine whether the attacker is going after banking site passwords or gaming license keys, or just wants to install bot software or spam kits, Nazario says. "There's some attacker profiling we do."
If an attacker only recycles existing malware tools or makes minor edits to them, that indicates a low level of skill. The danger is that such malware can spread more quickly, although it's easier to detect and mitigate in the end, he says.
Attackers who write their own code are typically more sophisticated and determined. "We see a very small number of people who write their own private exploit code. You know then that you've got an adversary who studies the technology, is highly motivated, and making a bunch of money off of this."
And every attacker has his or her own "voice," with certain techniques or clues in their coding that can identify it as the same attacker doing the dirty deed. "There's a behavioral marker for that person. We all have a set of skills we fall back on. We all have a unique voice."
Kelly Jackson Higgins, Senior Editor, Dark Reading