Blackhole and RedKit have been seen to possess such functionality

Jun 28, 2012 09:08 GMT  ·  By

Security researchers have found that the infamous Blackhole and other exploit kits have been fitted by malware authors with a mechanism that dynamically generates pseudo-random domains.

Symantec experts have analyzed a variant of Blackhole that uses this technique so that, if the location or the URL of the iframe injected into compromised websites has to change, the operators won't have to manually update the domains.

It all starts with a piece of obfuscated JavaScript on a compromised website. When the code is executed, a function generates a new .ru domain that’s based on an initial seed value represented by the current day and month.

By knowing what algorithm the cybercriminals use to generate the domains, experts have been able to determine what names will be used in the future. They found that all the domains to be utilized until August 7 have already been registered and they all point to the same IP address.

Researchers explain that this technique was used in the past by botnet software, but not in exploit kits. These latest findings indicate that pseudo-random domain generation may become more widely adopted by exploit kits in the near future.

Stop Malvertising reports that they have also identified the same mechanism in other exploit kits, such as RedKit. They've discovered functions that generate a new domain every 12 hours.

“If a domain is taken down, the script will automatically point to a different location within the next 12 hours. This makes it a bit harder to block malicious links and take down the websites,” experts said.
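The defender-side consequence of both reports above, as an added example (not code from the article, Symantec, or the kits themselves): once the generation algorithm is known, a blue team can enumerate every domain it will produce for a date window and match DNS logs against that list. The hashing scheme, seed formats, and log-line layout below are constructed assumptions standing in for the real functions, which the page does not reproduce.

```python
import hashlib
from datetime import date, datetime, timedelta

TLD = ".ru"  # the article reports generated .ru domains
ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def domain_for(seed: str, length: int = 12) -> str:
    """Deterministically map a seed string to a domain label.
    Constructed scheme (SHA-256 bytes mod 26); the kit's real function is not on the page."""
    digest = hashlib.sha256(seed.encode()).digest()
    return "".join(ALPHABET[b % 26] for b in digest[:length]) + TLD


def daily_seed(d: date) -> str:
    # Blackhole variant described in the article: the seed is the current day and month.
    # Constructed format. Note the year is absent, so the sequence repeats every year.
    return f"{d.day:02d}{d.month:02d}"


def half_day_seed(t: datetime) -> str:
    # RedKit variant described in the article: the domain rotates every 12 hours (constructed format).
    return f"{t:%Y%m%d}-{'am' if t.hour < 12 else 'pm'}"


def predict_daily(start: date, end: date) -> list[str]:
    """Enumerate every domain the daily scheme yields from start to end inclusive;
    knowing them ahead of time is what lets defenders block or sinkhole them."""
    return [domain_for(daily_seed(start + timedelta(days=i)))
            for i in range((end - start).days + 1)]


def predict_half_day(start: datetime, periods: int) -> list[str]:
    """Enumerate the next `periods` twelve-hour domains starting at `start`."""
    return [domain_for(half_day_seed(start + timedelta(hours=12 * i)))
            for i in range(periods)]


def article_window() -> list[str]:
    """Domains the daily scheme uses from the article's date (Jun 28, 2012) through Aug 7."""
    return predict_daily(date(2012, 6, 28), date(2012, 8, 7))


def flag_dns_queries(log_lines: list[str], predicted: set[str]) -> list[str]:
    """Return queried names (3rd field of each constructed log line) that hit a predicted domain or a subdomain of one."""
    hits = []
    for line in log_lines:
        qname = line.split()[2].rstrip(".").lower()
        if qname in predicted or any(qname.endswith("." + d) for d in predicted):
            hits.append(qname)
    return hits


if __name__ == "__main__":
    upcoming = article_window()
    print(f"{len(upcoming)} daily domains to pre-block, first: {upcoming[0]}")
    # Constructed DNS log lines: "<timestamp> <client> <qname> <qtype>"
    sample_log = [f"2012-06-28T10:15:02Z 10.0.0.7 {upcoming[0]} A",
                  "2012-06-28T10:15:03Z 10.0.0.7 www.example.com A"]
    print("flagged:", flag_dns_queries(sample_log, set(upcoming)))
```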

Unmask Parasites has published an interesting post on the topic, in which they detail not only the way the new random domain generator works, but also how webmasters can secure their websites to prevent them from being hijacked.