Drive By Download Sites Using New Tricks To Avoid Detection

Discussion in 'malware problems & news' started by MrBrian, Oct 21, 2011.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From http://threatpost.com/en_us/blogs/hackers-use-php-scripts-compromise-sites-102011:
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    thanks MrBrian. Another interesting read.
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Fascinating!

    These are really sophisticated techniques.

    But the basic idea of evasion is at least four years old. Finjan had a quite detailed article in 2007. A few of the points:

    Evasive Attacks Hit Once and Disappear to Minimize Visibility to Security Products
    2007
    http://www.finjan.com/Pressrelease.aspx?id=1527&PressLan=1230&lan=3
    One clever technique was appending a suffix to the URL/filename of the malware.
    Note the random letters following the ?trk= in the filename:

    cnte_code.gif

    If you wanted to test the site again with that URL, you got a 404 error because that set of letters would not serve up the exploit a second time:

    gifFileNotFound.gif

    And so it goes... sometimes I think we just go 'round and 'round in one big circle and nothing really changes!
    Just one big cat and mouse game: as one set of evasive techniques is solved by the good guys, another set evolves from the bad guys.

    regards,

    -rich
     
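The serve-once behaviour Rmus describes (a random `?trk=` token, a 200 on the first request and a 404 on any repeat) leaves a recognisable pattern in web proxy logs. The script below is an added example, not code from the post or from the Finjan write-up: it parses a constructed proxy log, strips the volatile query parameter so requests can be grouped by their stable path, and flags paths where every fresh token was served once and every retry got a 404. The log format, the hostname `example.invalid`, the client addresses and the "6+ alphanumeric characters" token heuristic are all assumptions of the example.

```python
"""Flag 'serve-once' URLs in a web proxy log (added example).

A path is flagged when each distinct query-token value was answered 200 on
its first request and 404 on every repeat, the evasion pattern described in
the post above. Stripping the token also yields a stable URL that can be used
for hunting or blocking, since the full URL with its token will not replay.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log: timestamp, client, method, URL, HTTP status.
SAMPLE_LOG = """\
2011-10-20T09:01:02 10.0.0.12 GET http://example.invalid/images/banner.gif?trk=qzplmwv 200
2011-10-20T09:01:09 10.0.0.12 GET http://example.invalid/images/banner.gif?trk=qzplmwv 404
2011-10-20T09:03:44 10.0.0.31 GET http://example.invalid/images/banner.gif?trk=hrtakcx 200
2011-10-20T09:03:51 10.0.0.31 GET http://example.invalid/images/banner.gif?trk=hrtakcx 404
2011-10-20T09:05:00 10.0.0.12 GET http://example.invalid/news/index.php?page=2 200
2011-10-20T09:05:30 10.0.0.12 GET http://example.invalid/news/index.php?page=2 200
2011-10-20T09:06:00 10.0.0.44 GET http://example.invalid/news/index.php?page=3 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
# Heuristic (an assumption of this example): a query value made of 6 or more
# letters/digits is treated as a candidate one-time token.
TOKEN_RE = re.compile(r"^[A-Za-z0-9]{6,}$")


def parse_log(text):
    """Yield (url, status) for each well-formed line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(4), int(m.group(5))


def split_volatile(url):
    """Return (normalized_url, (param, value) or None).

    The first query parameter whose value looks like a token is removed;
    the remaining URL is the stable key used for grouping and blocking.
    """
    parts = urlsplit(url)
    stable, token = [], None
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if token is None and TOKEN_RE.match(value):
            token = (key, value)
        else:
            stable.append(f"{key}={value}")
    base = f"{parts.scheme}://{parts.netloc}{parts.path}"
    if stable:
        base += "?" + "&".join(stable)
    return base, token


def find_serve_once(log_text):
    """Return {normalized_url: report} for paths showing serve-once behaviour."""
    # (normalized_url, token param) -> token value -> statuses in request order
    seen = defaultdict(lambda: defaultdict(list))
    for url, status in parse_log(log_text):
        base, token = split_volatile(url)
        if token is None:
            continue  # no volatile token, so nothing to correlate
        param, value = token
        seen[(base, param)][value].append(status)

    flagged = {}
    for (base, param), tokens in seen.items():
        first_ok = all(statuses[0] == 200 for statuses in tokens.values())
        repeats = [s for statuses in tokens.values() for s in statuses[1:]]
        # Only flag when at least one retry was observed and all retries failed.
        if first_ok and repeats and all(s == 404 for s in repeats):
            flagged[base] = {"param": param, "tokens": len(tokens), "repeats": len(repeats)}
    return flagged


if __name__ == "__main__":
    for url, report in find_serve_once(SAMPLE_LOG).items():
        print(f"serve-once pattern: {url} via ?{report['param']}= "
              f"({report['tokens']} tokens, {report['repeats']} failed retries)")
```

The point of returning the token-stripped URL is practical: as the post notes, re-requesting the exact URL gives a 404, so a blocklist or hunt keyed on the full URL would never match again, while the path without the `trk` value is what stays constant across victims.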