Trend Micro threat analyst Roddell Santos said the company had detected several attacks using the evolved technique to avoid detection in a blog post about the malware spoofing threat.
"Spoofing – whether in the form of DNS, legitimate email notification, IP, address bar – is a common part of web threats. We've seen its several incarnations in the past, but we recently found a technique known as header spoofing, which puts a different spin on evading detection," he wrote.
"Header spoofing is when a URL appears to be downloaded from a certain domain, but in reality it is downloaded from a different and (very likely) malicious one. Unlike other types of spoofing techniques, this action is done without any system or file modification. Instead, header spoofing is performed by modifying the network packet, in particular adding the new domain to the request header once the malware has connected to the server and right before it sends the data."
Santos highlighted an attack using the TROJ_RODECAP.SM malware as an example of how dangerous the technique is. The Trend analyst said the TROJ_RODECAP.SM attack hid the malware's true domain and network activity from network administrators using a bogus 'GET' command link and downloaded file header.
"From the network traffic, it can be seen that the reply came from the domain {BLOCKED}.104.93, which is located in Russia and is not connected to Google at all," he wrote.
"Thus, network administrators might skip or regard the traffic as harmless because the purported requested link is a legitimate domain and merely leads to an image file. This spoofing provides a good way to cover up the communication between the malware and the remote server that ultimately avoids arousing any suspicion, without revealing itself to end users."
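The detection gap Santos describes is that the request line and Host header name a legitimate domain while the packet actually goes to an unrelated IP. The following is an added example, not Trend Micro's code, of how a defender can check proxy logs for that mismatch; the log format, the EXPECTED_ORIGINS table and its address blocks are constructed placeholders, not real Google ranges.

```python
import ipaddress
from typing import Optional

# Constructed baseline: address blocks a given Host header is expected to
# resolve to. In practice this would be built from your own DNS resolver logs.
EXPECTED_ORIGINS = {
    "www.google.com": ["203.0.113.0/24"],  # placeholder block, not Google's
}

# Constructed proxy log lines:
# timestamp client_ip dest_ip method path host_header
SAMPLE_LOG = """\
2013-08-05T10:01:12 10.0.0.5 203.0.113.10 GET /images/logo.png www.google.com
2013-08-05T10:01:13 10.0.0.5 198.51.100.93 GET /images/logo.png www.google.com
2013-08-05T10:01:15 10.0.0.7 192.0.2.44 GET /index.html intranet.example
"""

def parse_line(line: str) -> Optional[dict]:
    """Split one whitespace-separated proxy log line into its fields."""
    parts = line.split()
    if len(parts) != 6:
        return None  # malformed line: skip it rather than abort the sweep
    ts, client, dst, method, path, host = parts
    return {"ts": ts, "client": client, "dst": dst,
            "method": method, "path": path, "host": host.lower()}

def host_matches_destination(host: str, dst: str) -> bool:
    """True if the destination IP lies in a block the Host header should map to.
    Hosts with no baseline are treated as matching: nothing to compare against."""
    blocks = EXPECTED_ORIGINS.get(host)
    if blocks is None:
        return True
    addr = ipaddress.ip_address(dst)
    return any(addr in ipaddress.ip_network(block) for block in blocks)

def find_header_spoofing(log_text: str) -> list:
    """Return entries whose claimed Host does not match where the bytes went."""
    suspicious = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and not host_matches_destination(entry["host"], entry["dst"]):
            suspicious.append(entry)
    return suspicious

if __name__ == "__main__":
    for hit in find_header_spoofing(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} -> {hit['dst']} "
              f"claims Host {hit['host']} {hit['path']}")
```

Only the second sample line is flagged: it claims www.google.com but was sent to an address outside the expected block, which is exactly the pattern in the TROJ_RODECAP.SM traffic described above.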
Santos said the technique is similar to that seen on the StealRat botnet. The StealRat botnet was uncovered by Trend Micro researcher Jessa De La Torre last week. At its height the botnet is believed to have turned 85,000 unique IPs into malware-spreading tools.
Santos highlighted the influx of detection-dodging attacks as proof that criminals are expanding their cyber arsenals. "These incidents highlight how threat actors are coming up with new tools and techniques to evade detection by security vendors," he said.