how the new malware bypasses URL blocking by proxies and web filters

As per the “Malware Traffic Analysis” blog, a similar infection chain is seen from www.techo-bloc.com too. In both cases, the JavaScript file on the compromised server is modified to serve the exploit kit. The initial redirection server 192.185.16.158 has been used widely in recent web infections. It appears to be a website hosting server and belongs to the company HOSTGATOR according to a recent DomainTools lookup. Various domains of innocent users from the music industry and law firms are used as “redirection” links in the infection chain. The target exploit server (95.163.121.188) is hosted in Russia. This is a sinkhole that is connected to many such varying domain names. All of these names have the substring “cdn” in them. Once the bad actors get access to an account/server they just create a corresponding “cdn” domain entry under that domain and use it to point to the target exploit server. This way they can bypass a lot of the URL categorization and URL blacklisting technologies.
http://www.cyphort.com/blog/israeli-security-think-tank-website-compromised-serving-sweet-orange-exploit-kit/ 
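The pattern described above (a freshly created "cdn" hostname under a legitimate domain, pointing off that domain's own network, with many such hostnames converging on one server) can be hunted for in proxy or DNS logs. The following is an added detection example, not code from the Cyphort analysis or this post; the log format, the sample entries, the RFC 5737 addresses and the naive apex-domain extraction are all constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines in a hypothetical "timestamp client host resolved_ip" log format.
SAMPLE_LOG = """\
2014-05-01T10:00:01 10.0.0.5 www.example-lawfirm.com 192.0.2.10
2014-05-01T10:00:02 10.0.0.5 cdn.example-lawfirm.com 203.0.113.7
2014-05-01T10:01:11 10.0.0.9 www.example-music.net 198.51.100.4
2014-05-01T10:01:12 10.0.0.9 cdn2.example-music.net 203.0.113.7
2014-05-01T10:02:30 10.0.0.12 www.example-band.org 198.51.100.9
2014-05-01T10:02:31 10.0.0.12 static-cdn.example-band.org 203.0.113.7
2014-05-01T10:03:00 10.0.0.3 www.example-legit.com 192.0.2.51
2014-05-01T10:03:01 10.0.0.3 cdn.example-legit.com 192.0.2.50
"""


def registered_domain(host):
    """Naive apex extraction (last two labels); a real deployment would use the public suffix list."""
    return ".".join(host.lower().split(".")[-2:])


def parse_log(text):
    """Return (host, resolved_ip) pairs from the constructed log format."""
    pairs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            pairs.append((parts[2].lower(), parts[3]))
    return pairs


def find_cdn_pivots(pairs, min_domains=3):
    """Flag 'cdn' hosts resolving outside their apex's /24, and IPs shared by >= min_domains of them."""
    apex_nets = defaultdict(set)  # apex domain -> /24 networks its www/apex records point to
    for host, ip in pairs:
        if host.count(".") == 1 or host.startswith("www."):
            apex_nets[registered_domain(host)].add(ip_network(f"{ip}/24", strict=False))
    offnet = []
    for host, ip in pairs:
        if "cdn" not in host:
            continue
        nets = apex_nets.get(registered_domain(host), set())
        # An apex never seen in the log yields no networks, so its cdn host is flagged (conservative).
        if not any(ip_address(ip) in net for net in nets):
            offnet.append((host, ip))
    by_ip = defaultdict(set)  # resolved IP -> distinct apex domains whose cdn host lands on it
    for host, ip in offnet:
        by_ip[ip].add(registered_domain(host))
    shared = {ip: sorted(doms) for ip, doms in by_ip.items() if len(doms) >= min_domains}
    return {"offnet": sorted(offnet), "shared": shared}
```

On the sample, three unrelated apex domains have a "cdn" host converging on 203.0.113.7, so that address is reported as a shared pivot, while cdn.example-legit.com stays unflagged because it sits in the same /24 as its apex.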

never expect your enemy to be passive: they are always on the lookout for a bypass and will use it massively as long as it works, because it is a window of opportunity for them, since it takes a long time before you have found a way to block such tricks automatically and then distributed that fix to all of your installations

oh and what is more, only one URL blocker knows the command and control server of this tool

but it has already been distributing malware since at least March 2014

source http://totalhash.com/analysis/60c5632656bef4f5e42a6f4805c84a23026bd910

as is proven in this other analysis

http://support.clean-mx.de/clean-mx/viruses.php?sort=firstseen%20desc&review=85.114.135.%

so a URL can serve various malicious downloads for some time that are detected as malware, yet it will not be stopped as a bad URL by most URL blockers

a big opportunity for their zero-days

I just block all traffic to Russia on my network - full stop
