Free Newsletter
Register for our Free Newsletters
Newsletter
Zones
Access Control
LeftNav
Alarms
LeftNav
Biometrics
LeftNav
Detection
LeftNav
Deutsche Zone (German Zone)
LeftNav
Education, Training and Professional Services
LeftNav
Government Programmes
LeftNav
Guarding, Equipment and Enforcement
LeftNav
Industrial Computing Security
LeftNav
IT Security
LeftNav
Physical Security
LeftNav
Surveillance
LeftNav
View All
Other Carouselweb publications
Carousel Web
Defense File
New Materials
Pro Health Zone
Pro Manufacturing Zone
Pro Security Zone
Web Lec
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
 
News

Trusted domain names exploited by hacking community.

Finjan Software : 15 November, 2007  (Technical Article)
Hackers exploiting mis-spelling of domain names to set up copy-cat sites of trusted domains with minor spelling changes to deploy Trojans and viruses.
Finjan has announced that hackers and cyber-criminals are exploiting a loophole in the domain name registration process to infect visitors to legitimate websites and increase the life cycle of cyber-attacks. Attacks using this method typically involve a "copycat" domain name that is strikingly similar in spelling to the domains of legitimate sites. Making use of the similarity to legitimate and frequently used domain names enables these attacks to go unnoticed by webmasters and security solution providers.

The abuse of trusted domain names attack vector was spotted during October by Finjan's Malicious Code Research Centre (MCRC) when searching for popular services with a slight change of the top level domain. When Finjan's MCRC investigated http://go*gle-stat******.org (where * has obscured some of the characters of the domain) it was found that it took advantage of a domain name similar to a legitimate popular service, which contains malicious code that is designed to download and execute a Trojan on the visitor's machine. The malicious code itself is located on the abused domain name.

When Finjan researched where the domain name hosting the malicious site was located, it came across another interesting finding. The code was located on a trusted controlled IP address. Shortly after contacting the security team of that domain, Finjan was notified that the necessary action had been taken. A subsequent check showed that, indeed, the malicious code is no longer available on the hosting servers. Since registering a domain name is not a process that is being adequately policed and scrutinised, cybercriminals can potentially create a malicious website using any domain name they like (provided it isn't already taken). Finjan's research indicates that criminals have taken advantage of this loophole to create "copycat" sites intended to host web-based attacks, using intentionally misleading domain names.

When using URL classification or reputation as a security solution, requests to URLs or domains known to be malicious can be blocked regardless of the content on the page; however the effectiveness of blocking requests to known malicious domains relies on maintaining an up-to date list of such sites. Due to the rapid growth and volume of malware hosted online, gathering sufficient data as quickly as malicious domains appear (and disappear) on the web is almost impossible.

As website content is becoming more volatile, and domain names can be set up for brief periods of time, the task of "keeping track" of malicious content on the Web is becoming ever more difficult. When attacks involve a domain name that is strikingly similar in spelling to the domains of legitimate sites and hosted on trusted IP addresses, the similarity to legitimate and frequently used domain names enables them to go unnoticed by most webmasters. Combined with code obfuscation and other evasive techniques, these scripts trigger attacks that result in malicious code - typically crimeware Trojans - being downloaded to the user's machine. It is important for attacks to be detected in real-time without the reliance on the host IP address reputation or domain name.

"In today's dynamic web environment, it is becoming increasingly difficult to keep track of the malicious content by maintaining lists of malicious domain names or URLs." According to Finjan CTO Yuval Ben-Itzhak, "In order to safeguard users from these malicious web threats, businesses should adopt real-time inspection technologies that analyze each piece of web content regardless of its URL or IP address. Attempts to pattern malicious code and create signatures, or to categorize known malicious sites, are sometimes "too little, too late" when it comes to providing adequate protection to today's dynamic and evasive web threats. The way to detect modern malicious code is to be able to understand in real-time what the code intends to do, before it does it."

Finjan offers the following advice for corporate users:.

1 Make sure that you have proactive protection in your web security solution that is able to understand in real-time what malicious code intends to do, before it does it.

2 Security solutions need to employ real-time content inspection technology that analyzes each and every piece of web content in real-time, regardless of its original source, domain name or the way it looks.

3 Anti-virus and URL Filtering are not enough. Looking for attack vectors after the event is "too little, too late", particularly if you get hit by an attack that your security solution does not recognize.

4 Make sure that your security solution is updated for handling new technologies and trends. Security products should protect you from the vulnerabilities rather than just attacks and exploits.

5 Check your vendor's research capabilities and their ability to provide up-to-date information which is immediately translated it into actionable security measures.
Bookmark and Share
 
Home I Editor's Blog I News by Zone I News by Date I News by Category I Special Reports I Directory I Events I Advertise I Submit Your News I About Us I Guides
 
   © 2012 ProSecurityZone.com
Netgains Logo