Web attackers start borrowing domain generation tricks from botnet-type malware

Hackers have started using domain-name generation techniques to prolong the life of Web-based attacks, Symantec researchers say

Hackers have started to adopt domain-generation techniques normally used by botnet-type malware in order to prolong the life of Web-based attacks, according to security researchers from antivirus firm Symantec.

Such domain-generation techniques were recently observed in a series of drive-by download attacks that used the Black Hole exploit toolkit to infect Web users with malware when visiting compromised websites, Symantec security researcher Nick Johnston said in a blog post on Tuesday.

Drive-by download attacks rely on rogue code injected into compromised websites to silently redirect their visitors to external domains that host exploit toolkits such as Black Hole. This is usually done through hidden iframe HTML tags.

Those toolkits then check if the visitors' browsers contain vulnerable plug-ins and if any are found, they load the corresponding exploits to install malware.

Web attacks usually have a short life span because security researchers work with hosting providers and domain registrars to shut down attack websites and suspend abusive domain names.

Because of similar takedown efforts targeting botnet command-and-control (C&C) servers, some malware creators have implemented backup methods that allow them to regain control of infected computers.

One of those methods involves the malware contacting new domain names generated daily according to a special algorithm in case the primary C&C servers become inaccessible.

This allows the attackers to know which domain names their botnets will attempt to contact on a certain date, so they can register them in advance and use them to issue updates.

A similar technique was used in the recent Black Hole attacks. The domain names in the URLs loaded by the hidden iframes changed on a daily basis and were generated by a date-dependent algorithm.

The attackers registered all domains that this algorithm will generate until Aug. 7 in order to ensure that their attacks will work until that date without requiring any changes to the code inserted in compromised websites.

"So far we have seen a small but steady stream of compromised domains using this technique," the Symantec researchers said. "This suggests that this is perhaps some kind of trial or test that could be expanded in future."

Join the CSO newsletter!

Error: Please check your email address.
Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts