Softpedia
 


June 28th, 2012, 09:08 GMT · By

Malware Authors Upgrade Exploit Kits to Randomly Generate Domains

setTimeout function generates pseudo-random domains
Security researchers have found that the infamous Blackhole and other exploit kits have been fitted by malware authors with a mechanism that dynamically generates pseudo-random domains.

Symantec experts have analyzed a variant of Blackhole that uses this technique so that, if the location or the URL of the iframe injected into compromised websites changes, the attackers won’t have to update the domains manually.

It all starts with a piece of obfuscated JavaScript on a compromised website. When the code is executed, a function generates a new .ru domain that’s based on an initial seed value represented by the current day and month.

By knowing what algorithm the cybercriminals use to generate the domains, experts have been able to determine what names will be used in the future. They found that all the domains to be utilized until August 7 have already been registered and they all point to the same IP address.
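The prediction step described above, as an added example (not Symantec's code and not the exploit kit's algorithm): a stand-in date-seeded generator is enumerated over a date range and the resulting names are matched against proxy-log lines. The generator `standInDga`, the `.example` TLD, the log format and the sample lines are all assumptions constructed for illustration.

```javascript
// Stand-in generator (hypothetical, NOT the exploit kit's algorithm): the
// same (day, month) seed always yields the same name, as the article describes.
function standInDga(day, month) {
  let state = (month * 31 + day) >>> 0;
  let name = "";
  for (let i = 0; i < 16; i++) {
    state = (Math.imul(state, 1103515245) + 12345) >>> 0; // LCG step
    name += String.fromCharCode(97 + ((state >>> 16) % 26));
  }
  return name + ".example"; // reserved TLD used here; the kit generated .ru names
}

// Map every name the generator will emit in [from, to] to the UTC day it is active.
function predictDomains(from, to) {
  const predicted = new Map();
  const end = Date.UTC(to.y, to.m - 1, to.d);
  for (let t = Date.UTC(from.y, from.m - 1, from.d); t <= end; t += 86400000) {
    const d = new Date(t);
    predicted.set(standInDga(d.getUTCDate(), d.getUTCMonth() + 1),
                  d.toISOString().slice(0, 10));
  }
  return predicted;
}

// Flag log lines ("timestamp client host") whose host is a predicted name.
function matchLog(lines, predicted) {
  const hits = [];
  for (const line of lines) {
    const [ts, client, host = ""] = line.trim().split(/\s+/);
    const key = host.toLowerCase().replace(/\.$/, ""); // normalise case, root dot
    if (predicted.has(key)) {
      hits.push({ ts, client, host: key, activeOn: predicted.get(key) });
    }
  }
  return hits;
}

// Constructed sample: the window named in the article and three made-up log lines.
const predicted = predictDomains({ y: 2012, m: 6, d: 28 }, { y: 2012, m: 8, d: 7 });
const sampleLog = [
  `2012-07-01T10:00:00Z 10.0.0.5 ${standInDga(1, 7)}`,
  "2012-07-01T10:00:02Z 10.0.0.5 www.example.org",
  `2012-07-03T08:15:00Z 10.0.0.9 ${standInDga(5, 7).toUpperCase()}.`,
];
for (const h of matchLog(sampleLog, predicted)) {
  console.log(`${h.ts} ${h.client} -> ${h.host} (scheduled for ${h.activeOn})`);
}
```

A hit on a name scheduled for a later day than the log timestamp, as in the third sample line, is worth triage in its own right, since nothing legitimate should resolve a domain the generator has not yet switched to.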

Researchers explain that this technique was used in the past for botnet software, but not in exploit kits. These latest findings indicate that the pseudo-random domain generation may become more widely implemented in the upcoming period.

StopMalvertising reports that they have also identified the same mechanism in other exploit kits, such as RedKit. They've discovered functions that generate a new domain every 12 hours.

“If a domain is taken down, the script will automatically point to a different location within the next 12 hours. This makes it a bit harder to block malicious links and take down the websites,” experts said.

Unmask Parasites has published an interesting post on the topic, in which they detail not only the way the new random domain generator works, but also how webmasters can secure their websites to prevent them from being hijacked.

