Aug 5, 2011 18:16 GMT  ·  By

Security researchers from Zscaler have detected web attacks in which links to drive-by exploits are obfuscated by writing the server's IP address as a single DWORD integer instead of the usual dotted-quad form.

A DWORD is a 32-bit unsigned integer. An IPv4 address is four bytes, so it fits exactly into one DWORD: 91.193.72.70 becomes (91 × 2^24) + (193 × 2^16) + (72 × 2^8) + 70 = 1539393606. Browsers accept such an integer as the host part of a URL and connect to the same address, so the two notations are interchangeable to the client but look nothing alike to a person reading the link or to a filter that only matches the dotted form.

"In our research, we have identified that attackers have started using malicious domains in DWORD format to fool or confuse victims," says Zscaler researcher Umesh Wanve.

A URL of this form looks like hxxp://1539393606/GoogleSearch.class (hxxp is intentionally used in place of http to defang the link). Opened in Firefox, it is shown in the address bar as http://91.193.72.70/GoogleSearch.class.
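As an added example (not code from the article or from Zscaler), the following Python performs the DWORD conversion in both directions and normalizes the host of a URL back to dotted-quad form so that a blocklist keyed on IP addresses still matches the obfuscated link. It goes beyond the article's DWORD case: it also accepts hex (0x...) and leading-zero octal labels and the shortened two- and three-label forms, following the classic inet_aton rules that browser URL parsers inherit. Apart from 91.193.72.70 / 1539393606, which the article itself gives, every address, URL and blocklist entry below is a constructed test value.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# 91.193.72.70 <-> 1539393606 is the pair the article gives; all other
# inputs in this file are constructed for the example.


def ip_to_dword(ip: str) -> int:
    """Pack a dotted-quad IPv4 address into its 32-bit DWORD value."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad IPv4 address: {ip!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def dword_to_ip(n: int) -> str:
    """Unpack a 32-bit DWORD value back into dotted-quad form."""
    if not 0 <= n <= 0xFFFFFFFF:
        raise ValueError(f"value does not fit in 32 bits: {n}")
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


# One numeric label as inet_aton reads it: 0x.. hex, leading-0 octal, else decimal.
_LABEL = re.compile(r"^(?:0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")


def _parse_label(label: str) -> int:
    if not _LABEL.match(label):
        raise ValueError(label)
    if label[:2].lower() == "0x":
        return int(label[2:], 16)
    if len(label) > 1 and label[0] == "0":
        return int(label, 8)
    return int(label)


def normalize_ip_host(host: str):
    """Return the canonical dotted-quad for any numeric host a browser would
    accept (1 to 4 labels; each label decimal, hex or octal), or None if the
    host is not a numeric IPv4 address at all (e.g. a real domain name)."""
    labels = host.split(".")
    if not 1 <= len(labels) <= 4:
        return None
    try:
        values = [_parse_label(label) for label in labels]
    except ValueError:
        return None
    # Every label except the last is a single octet; the last label fills
    # whatever bytes remain (so a lone label is a full 32-bit DWORD).
    if any(v > 255 for v in values[:-1]):
        return None
    remaining_bits = 8 * (5 - len(values))
    if values[-1] >= (1 << remaining_bits):
        return None
    n = 0
    for v in values[:-1]:
        n = (n << 8) | v
    n = (n << remaining_bits) | values[-1]
    return dword_to_ip(n)


def normalize_url(url: str) -> str:
    """Rewrite the host of a URL (http, https or defanged hxxp) into dotted-quad
    form; non-numeric hosts are left untouched. Userinfo, if any, is dropped."""
    parts = urlsplit(url)
    host = parts.hostname
    if host is None:
        return url
    canonical = normalize_ip_host(host)
    if canonical is None or canonical == host:
        return url
    netloc = canonical if parts.port is None else f"{canonical}:{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def matches_blocklist(url: str, blocked_ips) -> bool:
    """True if the URL's host, once canonicalized, is on an IP blocklist."""
    return urlsplit(normalize_url(url)).hostname in blocked_ips


if __name__ == "__main__":
    sample = "hxxp://1539393606/GoogleSearch.class"
    print(normalize_url(sample))
    print(matches_blocklist(sample, {"91.193.72.70"}))
```

The point of `normalize_ip_host` is that a filter comparing raw host strings sees "1539393606", "0x5bc14846", "0133.0301.0110.0106" and "91.193.18502" as four unrelated hosts, while every browser resolves all of them to 91.193.72.70; canonicalizing before the lookup closes that gap.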

This is apparently a new trend with attackers. "We have been seeing many malicious URLs using the DWORD format to hide their actual IP address," Wanve adds.

The obfuscated URLs typically point to a Java class file that tries to exploit a vulnerability (CVE-2010-4452) in outdated Java installations. If the exploit succeeds, malware is downloaded and installed on the victim's machine.

This kind of obfuscation might also trick inexperienced researchers and rudimentary filters that match only on the dotted-quad form of an address. Attackers can quickly re-encode the exploit itself to evade antivirus signatures, so keeping the delivery URLs from being blocked in the first place is what matters most to them.

Users are advised to keep all of the software on their computers up to date, including the operating system itself and their antivirus program. Drive-by download attacks usually target popular applications that can be accessed through the browser, such as Java, Adobe Reader, Flash Player, etc.

Running an antivirus solution that offers advanced layers of protection like behavioral detection is also important to fend off attacks, especially those that use zero-day exploits.