We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

Web attackers start borrowing domain generation tricks from botnet-type malware

Hackers have started using domain-name generation techniques to prolong the life of Web-based attacks, Symantec researchers say

Hackers have started to adopt domain-generation techniques normally used by botnet-type malware in order to prolong the life of Web-based attacks, according to security researchers from antivirus firm Symantec.

Such domain-generation techniques were recently observed in a series of drive-by download attacks that used the Black Hole exploit toolkit to infect Web users with malware when visiting compromised websites, Symantec security researcher Nick Johnston said in a blog post on Tuesday.

Drive-by download attacks rely on rogue code injected into compromised websites to silently redirect their visitors to external domains that host exploit toolkits such as Black Hole. This is usually done through hidden iframe HTML tags.

Those toolkits then check if the visitors' browsers contain vulnerable plug-ins and if any are found, they load the corresponding exploits to install malware.

Web attacks usually have a short life span because security researchers work with hosting providers and domain registrars to shut down attack websites and suspend abusive domain names.

Because of similar takedown efforts targeting botnet command-and-control (C&C) servers, some malware creators have implemented backup methods that allow them to regain control of infected computers.

One of those methods involves the malware contacting new domain names generated daily according to a special algorithm in case the primary C&C servers become inaccessible.

This allows the attackers to know which domain names their botnets will attempt to contact on a certain date, so they can register them in advance and use them to issue updates.

A similar technique was used in the recent Black Hole attacks. The domain names in the URLs loaded by the hidden iframes changed on a daily basis and were generated by a date-dependent algorithm.

The attackers registered all domains that this algorithm will generate until Aug. 7 in order to ensure that their attacks will work until that date without requiring any changes to the code inserted in compromised websites.

"So far we have seen a small but steady stream of compromised domains using this technique," the Symantec researchers said. "This suggests that this is perhaps some kind of trial or test that could be expanded in future."


IDG UK Sites

Black Friday 2014 tech deals UK Live: Best Black Friday deals from Apple, Amazon, Argos, eBay,...

IDG UK Sites

Black Friday feeding frenzy infects the UK

IDG UK Sites

VAT MOSS: Will I be affected by the EU VAT changes? Here are the facts for designers and artists

IDG UK Sites

Black Friday 2014 UK: Apple deals, Amazon deals & Black Friday tech offers