Drive By Download Sites Using New Tricks To Avoid Detection

Discussion in 'malware problems & news' started by MrBrian, Oct 21, 2011.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From http://threatpost.com/en_us/blogs/hackers-use-php-scripts-compromise-sites-102011:
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    thanks MrBrian. Another interesting read.
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,982
    Location:
    California
    Fascinating!

    These are really sophisticated techniques.

    But the basic idea of evasion is at least four years old. Finjan had a quite detailed article in 2007. A few of the points:

    Evasive Attacks Hit Once and Disappear to Minimize Visibility to Security Products
    2007
    http://www.finjan.com/Pressrelease.aspx?id=1527&PressLan=1230&lan=3
    One clever technique was appending a suffix to the URL/filename of the malware.
    Note the random letters following the ?trk= in the filename:

    cnte_code.gif

    If you wanted to test the site again with that URL, you got a 404 error because that set of letters would not serve up the exploit a second time:

    gifFileNotFound.gif

    And so it goes... sometimes I think we just go 'round and 'round in one big circle and nothing really changes!
    Just one big cat and mouse game: as one set of evasive techniques are solved by the good guys, another set evolves from the bad guys.

    regards,

    -rich
     
Loading...
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.