Web attackers start borrowing domain generation tricks from botnet-type malware

Hackers have started using domain-name generation techniques to prolong the life of Web-based attacks, Symantec researchers say

Hackers have started to adopt domain-generation techniques normally used by botnet-type malware in order to prolong the life of Web-based attacks, according to security researchers from antivirus firm Symantec.

Such domain-generation techniques were recently observed in a series of drive-by download attacks that used the Black Hole exploit toolkit to infect Web users with malware when visiting compromised websites, Symantec security researcher Nick Johnston said in a blog post on Tuesday.

Drive-by download attacks rely on rogue code injected into compromised websites to silently redirect their visitors to external domains that host exploit toolkits such as Black Hole. This is usually done through hidden iframe HTML tags.

Those toolkits then check if the visitors' browsers contain vulnerable plug-ins and if any are found, they load the corresponding exploits to install malware.

Web attacks usually have a short life span because security researchers work with hosting providers and domain registrars to shut down attack websites and suspend abusive domain names.

Because of similar takedown efforts targeting botnet command-and-control (C&C) servers, some malware creators have implemented backup methods that allow them to regain control of infected computers.

One of those methods involves the malware contacting new domain names generated daily according to a special algorithm in case the primary C&C servers become inaccessible.

This allows the attackers to know which domain names their botnets will attempt to contact on a certain date, so they can register them in advance and use them to issue updates.

A similar technique was used in the recent Black Hole attacks. The domain names in the URLs loaded by the hidden iframes changed on a daily basis and were generated by a date-dependent algorithm.

The attackers registered all domains that this algorithm will generate until Aug. 7 in order to ensure that their attacks will work until that date without requiring any changes to the code inserted in compromised websites.

"So far we have seen a small but steady stream of compromised domains using this technique," the Symantec researchers said. "This suggests that this is perhaps some kind of trial or test that could be expanded in future."

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Struggling for Christmas presents this year? Check out our Christmas Gift Guide for some top tech suggestions and more.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?