Finjan reveals hackers are abusing trusted domain names
November 2007 by Finjan
Finjan Inc. announced that hackers and cyber-criminals are exploiting a loophole in the domain name registration process to infect visitors to legitimate websites and to extend the life cycle of their attacks. Attacks using this method typically involve a “copycat” domain name that is strikingly similar in spelling to the domain of a legitimate site. The resemblance to legitimate and frequently used domain names allows these attacks to go unnoticed by webmasters and security solution providers.
The abuse of trusted domain names as an attack vector was spotted during October by Finjan’s Malicious Code Research Center (MCRC) while searching for popular services under domain names that differ only slightly from the genuine ones (for example in the top-level domain). When Finjan’s MCRC investigated http://go*gle-stat******.org (where * obscures some characters of the domain), it found a domain name imitating that of a legitimate, popular service and hosting malicious code designed to download and execute a Trojan on the visitor’s machine. The malicious code itself is located on the abused domain. For more details, download the October 2007 Malicious Page of the Month Report from http://www.finjan.com/Content.aspx?...
When Finjan researched where the malicious site was hosted, it came across another interesting finding: the code was located on an IP address belonging to a trusted organisation. Shortly after Finjan contacted the security team of that domain, it was notified that the necessary action had been taken, and a subsequent check confirmed that the malicious code was no longer available on the hosting servers. Because domain name registration is not adequately policed or scrutinized, cyber-criminals can create a malicious website under any domain name they like (provided it isn’t already taken). Finjan’s research indicates that criminals have taken advantage of this loophole to create “copycat” sites intended to host web-based attacks, using intentionally misleading domain names.
When URL classification or reputation is used as a security solution, requests to URLs or domains known to be malicious can be blocked regardless of the content of the page; however, blocking known malicious domains is only as effective as the list of such sites is up to date. Given the rapid growth and volume of malware hosted online, gathering sufficient data as quickly as malicious domains appear (and disappear) on the web is almost impossible.
As website content becomes more volatile and domain names can be set up for brief periods, the task of keeping track of malicious content on the Web is becoming ever more difficult. When an attack uses a domain name strikingly similar in spelling to that of a legitimate site and is hosted on trusted IP addresses, the resemblance to legitimate and frequently used domain names lets it go unnoticed by most webmasters. Combined with code obfuscation and other evasive techniques, these scripts trigger attacks that result in malicious code (typically crimeware Trojans) being downloaded to the user’s machine. Attacks therefore need to be detected in real time, without relying on the reputation of the host IP address or the domain name.
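The copycat domains described above evade reputation lists precisely because nobody has listed them yet, but the resemblance to a known brand is itself a signal an organisation can look for in its own proxy logs. The following Python script is an added example for this article, not Finjan’s product or research code; the brand list, the homoglyph table, the edit-distance threshold and the log lines are all constructed assumptions, and the hostnames use the reserved .test suffix so that none of them points at a real site.

```python
"""Flag copycat hostnames in web-proxy logs by comparing the registrable
label of each requested host with a short list of trusted brand names.

Added illustration for this article; it is not Finjan's product or
research code.  The brand list, the homoglyph table, the edit-distance
threshold and the log lines below are all constructed assumptions.
"""
import re
from typing import List, Optional, Tuple

# Constructed allow-list: the registrable label of brands worth protecting.
TRUSTED_BRANDS = ("google", "microsoft", "paypal", "yahoo")

# Constructed table of common look-alike substitutions (applied after lower-casing).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s"})

# Maximum edit distance at which a label still counts as a typo of a brand.
TYPO_DISTANCE = 1

HOST_RE = re.compile(r"https?://([^/:\s]+)")


def registrable_label(host: str) -> Optional[str]:
    """Return the label just before the TLD ('google' for www.google.com).

    Simplification: the last label is treated as the TLD, so multi-part
    suffixes such as .co.uk are not handled; a real deployment would use
    the public suffix list.
    """
    labels = host.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else None


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(host: str) -> Optional[str]:
    """Explain why `host` resembles a trusted brand, or None if it does not."""
    label = registrable_label(host)
    if label is None or label in TRUSTED_BRANDS:
        return None  # unparsable, or the genuine brand domain itself
    normalised = label.translate(HOMOGLYPHS)
    for brand in TRUSTED_BRANDS:
        if normalised == brand:
            return f"homoglyph form of {brand}"           # g00gle -> google
        if levenshtein(normalised, brand) <= TYPO_DISTANCE:
            return f"typo of {brand}"                     # goggle
        for token in re.split(r"[-_]", normalised):
            if token and levenshtein(token, brand) <= TYPO_DISTANCE:
                return f"{brand} embedded as token"       # google-statistics
        if brand in normalised:
            return f"{brand} embedded in label"           # googlestats
    return None


def scan_log(text: str) -> List[Tuple[str, str]]:
    """Return (host, reason) for every log line whose host looks like a copycat."""
    hits = []
    for line in text.splitlines():
        match = HOST_RE.search(line)
        if match:
            reason = lookalike_reason(match.group(1))
            if reason:
                hits.append((match.group(1), reason))
    return hits


# Constructed proxy log excerpt (timestamp, client, method, URL); the .test
# hosts are reserved names invented for this example.
SAMPLE_LOG = """\
1193875200.123 10.0.0.5 GET http://www.google.com/search?q=finjan
1193875201.456 10.0.0.5 GET http://g00gle-statistics.test/counter.js
1193875202.789 10.0.0.7 GET http://paypa1.test/login
1193875203.012 10.0.0.9 GET http://mail.yahoo.com/
1193875204.345 10.0.0.9 GET http://microsoft-update.test/patch.exe
1193875205.678 10.0.0.3 GET http://example.test/index.html
"""

if __name__ == "__main__":
    for host, reason in scan_log(SAMPLE_LOG):
        print(f"{host}: {reason}")
```

Run against the constructed excerpt, the script flags the three .test hosts and leaves the genuine google.com, yahoo.com and example.test requests alone. The heuristic is deliberately noisy: a TYPO_DISTANCE of 1 will also catch ordinary words such as "goggle", so in practice the hits are review queue material rather than automatic blocks, and the single-label TLD assumption should be replaced with a public suffix list before the check is trusted on international domains.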
According to Finjan CTO Yuval Ben-Itzhak, “In today’s dynamic web environment, it is becoming increasingly difficult to keep track of the malicious content by maintaining lists of malicious domain names or URLs. In order to safeguard users from these malicious web threats, businesses should adopt real-time inspection technologies that analyze each piece of web content regardless of its URL or IP address. Attempts to pattern malicious code and create signatures, or to categorize known malicious sites, are sometimes ‘too little, too late’ when it comes to providing adequate protection to today’s dynamic and evasive web threats. The way to detect modern malicious code is to be able to understand in real-time what the code intends to do, before it does it.”
Finjan offers the following advice for corporate users:
1. Make sure that you have proactive protection in your web security solution that is able to understand in real-time what malicious code intends to do, before it does it.
2. Security solutions need to employ real-time content inspection technology that analyzes each and every piece of web content in real-time, regardless of its original source, domain name or the way it looks.
3. Anti-virus and URL Filtering are not enough. Looking for attack vectors after the event is “too little, too late”, particularly if you get hit by an attack that your security solution does not recognize.
4. Make sure that your security solution is updated for handling new technologies and trends. Security products should protect you from the vulnerabilities rather than just attacks and exploits.
5. Check your vendor’s research capabilities and its ability to provide up-to-date information that is immediately translated into actionable security measures.