IP addresses used by security vendors blocked in crimeware toolkit

Jun 11, 2009 13:29 GMT

Analysts from Web security vendor Finjan have come across an interesting list of IP blocks that a crimeware kit uses to keep security researchers from reaching, detecting and analyzing it. The file contained a few thousand entries, covering the address space of most vendors in the industry.

Cybercriminals and malware authors constantly come up with new techniques to avoid detection by antivirus software, spam filters and similar products. These usually involve obfuscation, encryption or polymorphism, but in the end little escapes a well-trained human eye: an experienced malware analyst can often tell whether an application is malicious from a quick look at a memory dump.

When it comes to Web malware, researchers and vendors use crawlers that pick up suspicious code, or manually check reported links for malicious behavior inside virtual machines. Once a threat has been discovered, researched and publicly disclosed, the countdown to its becoming ineffective officially starts.

Cybercrooks are aware that the number of victims is directly proportional to how long they manage to keep AV vendors away from their operations. Rather than hiding the exploit code, this kit hides it only from the people likely to analyze it: visitors whose source address falls inside one of the listed blocks are simply not served the attack. "With this approach, the hacker minimizes the risk that a security researcher located behind these IPs will access the crimeware toolkit and research it (and create a signature, blacklist the URL, etc.)," Yuval Ben-Itzhak, analyst at Finjan, explains.
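The gate described above, modeled as an added example; this is illustrative code written for this page, not Finjan's analysis code and not the kit's own source. It parses a list in three plausible entry forms (CIDR, single address, dotted range), decides per visitor whether to serve the real page or a decoy, and lets a researcher ask which entries overlap their own netblock. The sample list is constructed from documentation address space and contains none of the vendor ranges Finjan found.

```python
"""Illustrative model (not Finjan's or the kit's code) of the IP gate described in
the article: a crimeware kit consults a list of IP blocks belonging to security
vendors and refuses to serve the exploit page to visitors from those blocks."""
import ipaddress
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample of a blocklist. The ranges are documentation-space placeholders
# (RFC 5737) and are NOT the vendor ranges from the Finjan report.
SAMPLE_BLOCKLIST = """
# vendor netblocks (constructed example, one entry per line)
192.0.2.0/24
198.51.100.0-198.51.100.127
203.0.113.7
"""


def parse_blocklist(text: str) -> List[Network]:
    """Parse CIDR, single-address and 'a.b.c.d-e.f.g.h' range entries.

    Ranges are expanded to the minimal set of CIDR networks covering them so that
    membership checks are uniform afterwards. Comments and blank lines are ignored.
    """
    nets: List[Network] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "-" in line:
            lo_s, hi_s = (p.strip() for p in line.split("-", 1))
            lo, hi = ipaddress.ip_address(lo_s), ipaddress.ip_address(hi_s)
            if hi < lo:
                raise ValueError(f"inverted range: {line}")
            nets.extend(ipaddress.summarize_address_range(lo, hi))
        else:
            # strict=False tolerates host bits set in a CIDR entry; a bare address
            # becomes a /32 (or /128) network.
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def is_listed(ip: str, nets: Iterable[Network]) -> bool:
    """True if the visitor address falls inside any listed block.

    A linear scan is fine for a list of a few thousand entries; a radix tree
    would be the next step if the list grew much larger.
    """
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def serve(ip: str, nets: Iterable[Network]) -> str:
    """The per-visitor decision the kit makes: a harmless decoy page for listed
    addresses, the exploit page for everyone else."""
    return "decoy" if is_listed(ip, nets) else "exploit"


def covering_entries(cidr: str, nets: Iterable[Network]) -> List[Network]:
    """Return the list entries overlapping a given netblock, e.g. a researcher
    checking whether their own address space is on the kit's list."""
    target = ipaddress.ip_network(cidr, strict=False)
    return [n for n in nets if n.overlaps(target)]


if __name__ == "__main__":
    nets = parse_blocklist(SAMPLE_BLOCKLIST)
    for visitor in ("192.0.2.44", "198.51.100.200", "203.0.113.7", "203.0.113.8"):
        print(visitor, "->", serve(visitor, nets))
    print("entries covering 198.51.100.0/24:",
          [str(n) for n in covering_entries("198.51.100.0/24", nets)])
```

The practical consequence for an analyst is that a fetch from a corporate or lab address may never see the malicious content at all. When a reported URL looks clean from the office, re-fetch it from address space with no industry association before concluding it is benign, and treat a page that differs by source address as a cloaking indicator in its own right.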

Gunter Ollmann, vice president of research at Damballa and former chief security strategist at IBM Internet Security Systems, who has blogged before about "advancements to the X-morphic Attack Engines used by drive-by-download operators and how they often 'blacklist' IP addresses of known security research institutions," notes that, until the Finjan report, he had not actually seen such a list for himself.

"Until recently I'd never actually seen one of those blacklists of security researchers that the bad guys don't want to serve their crimeware to up close. […] I guess the question now is whether I can get my home DSL netblock added to the blacklist for safer browsing by the family? Probably not," Ollmann writes.

Mr. Ben-Itzhak argues that one way to render such blacklisting useless is to inspect in real time the code a page actually delivers to the user, rather than relying on signatures or databases of malicious URLs. The reasoning is that signatures and URL blacklists are built from what researchers manage to fetch, and a kit that never serves its exploit to research address space leaves nothing to fingerprint; inspection at the endpoint sees whatever the victim is served. "If not, we see that even traditional security vendors themselves are not safe," he concludes.

IP space of security vendors blacklisted by malware authors
List of blocked IP addresses belonging to security vendors