Web attackers start borrowing domain generation tricks from botnet-type malware

Hackers have started using domain-name generation techniques to prolong the life of Web-based attacks, Symantec researchers say

Hackers have started to adopt domain-generation techniques normally used by botnet-type malware in order to prolong the life of Web-based attacks, according to security researchers from antivirus firm Symantec.

Such domain-generation techniques were recently observed in a series of drive-by download attacks that used the Black Hole exploit toolkit to infect Web users with malware when visiting compromised websites, Symantec security researcher Nick Johnston said in a blog post on Tuesday.

Drive-by download attacks rely on rogue code injected into compromised websites to silently redirect their visitors to external domains that host exploit toolkits such as Black Hole. This is usually done through hidden iframe HTML tags.

Those toolkits then check if the visitors' browsers contain vulnerable plug-ins and if any are found, they load the corresponding exploits to install malware.

Web attacks usually have a short life span because security researchers work with hosting providers and domain registrars to shut down attack websites and suspend abusive domain names.

Because of similar takedown efforts targeting botnet command-and-control (C&C) servers, some malware creators have implemented backup methods that allow them to regain control of infected computers.

One of those methods involves the malware contacting new domain names generated daily according to a special algorithm in case the primary C&C servers become inaccessible.

This allows the attackers to know which domain names their botnets will attempt to contact on a certain date, so they can register them in advance and use them to issue updates.

A similar technique was used in the recent Black Hole attacks. The domain names in the URLs loaded by the hidden iframes changed on a daily basis and were generated by a date-dependent algorithm.

The attackers registered all domains that this algorithm will generate until Aug. 7 in order to ensure that their attacks will work until that date without requiring any changes to the code inserted in compromised websites.

"So far we have seen a small but steady stream of compromised domains using this technique," the Symantec researchers said. "This suggests that this is perhaps some kind of trial or test that could be expanded in future."

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?