Hackers turn to new genre of evasive attacks

Cyber-criminals are developing a new genre of highly sophisticated and evasive attacks designed to bypass signature-based and database-reliant security technology, new research claims.

The latest Web Security Trends Report (Q2 2007) from security firm Finjan warns of a proliferation of "affiliation networks" based on a "hosted model" for malicious code.

The networks use off-the-shelf malicious code packages to compromise highly popular websites and even government domains.

Finjan's study points to the growing presence of malicious code in online advertising on legitimate websites.

"Recent findings reveal that hackers have created a new class of highly evasive attacks which represent a quantum leap in terms of technological sophistication, going far beyond drive-by downloads and code obfuscation," the report states.

"In order to minimise the malicious code's window of exposure, evasive attacks keep track of the actual IP addresses of visitors to a particular website or web page."

Using this information, the attackers restrict exposure to the malicious code to a single view from each unique IP address.

This means that the second time a given IP address tries to access the malicious page, a benign page will be automatically displayed in its place. All traces of the initial malicious page completely disappear.

"Evasive attack techniques, where malicious code is controlled per IP address, country of origin or number of visits, provide hackers with the ability to minimise the malicious code's exposure, thereby reducing the likelihood of detection," said Yuval Ben-Itzhak, chief technology officer at Finjan.

"Moreover, evasive attacks can identify the IP addresses of crawlers used by URL filtering, reputation services and search engines, replying to these engines with legitimate content and increasing the chances of mistakenly being classified as a legitimate category.

"The combination of these evasive attacks with code obfuscation techniques significantly enhances the capability of sophisticated hackers to go undetected. "

A follow-up study conducted by Finjan's Malicious Code Research Centre warns of the growing presence of malicious code in online advertising.

As websites depend more on ad revenues, they often display ads from third-party advertising networks over which they may have little or no control.

While legitimate website owners trust advertisers to display non-malicious content, advertisers sometimes "sublet" space to others.

This hierarchy can often comprise several layers, seriously compromising the level of control the website owner has over advertising content.

The report includes an analysis of an innocent blog site that deploys keyword-based advertisements placed automatically from an ad server.

Finjan found that the ad content also included obfuscated references to malicious code on a third site that uses multiple infection techniques to download a Trojan key-logger to the user's machine.

Another recent example was a banner ad hiding code with the ANI exploit that was being hosted unknowingly on one of the most popular techie websites.

Copyright ©v3.co.uk

attackshackersnewofsecuritytoturn