Clean IP addresses are becoming hard to find because of hackers

Oct 7, 2011 12:35 GMT  ·  By

Reputation systems are often used to detect and catalog locations that might present a threat to Internet users, but hackers are now devising advanced techniques that allow them to evade or bypass the security measures that rely on such systems.

Reporting from the Virus Bulletin conference in Barcelona, Threat Post representatives inform us of the latest findings security researchers have made on the subject.

Because the IPv4 address space has almost been exhausted, large IP blocks are hard to find. This poses a problem not only for businesses but also for hackers, who need a large number of addresses to launch large-scale attacks.

To prevent reputation systems from shutting down their operations, cybercriminals will often get their hands on IP blocks that already have a good reputation.

"The bad guys can buy or rent these as well, getting inside known good IP blocks so that the reputation systems don't blacklist them as quickly," revealed Gunter Ollmann, VP of research at Damballa.

Attackers prefer this method because they no longer have to constantly evade detection systems. On the other hand, the legitimate firm that owns the block suffers a great deal, because once the addresses are blacklisted, getting them cleaned again is a very long and difficult process.

Another technique, based on the same concept, is one in which the crooks hack a large number of legitimate websites at once; these can then be used to launch drive-by attacks or serve as C&C servers.

"They'll hack servers, mainly Web servers, in order to use their good reputations. They'll use them as C&C servers or just host configuration files on them," he further said.

Other methods, which are not as new, rely on domain generation algorithms that register thousands of domains each day, which the cybercriminal uses to evade the reputation system.

It seems that from now on things will only get worse. As IPv6 addresses cover more ground, it will be even harder for web-scanning engines to quickly detect and blacklist malicious locations.