How Exploit Kits Dodge Security Vendors and Researchers

Websites hosting exploit kits are something security vendors and researchers look into frequently, so it should be no surprise that attackers have gone to some lengths specifically to dodge the good guys. How do they do it?

The most basic method used by attackers is an IP blacklist. Just as security vendors keep extensive blacklists of IP addresses used to send spam, host malicious sites and receive stolen information, attackers keep lists of the IP addresses they believe belong to security vendors and refuse all access from those addresses.

A more sophisticated method is to infect a given IP address only once. How does this work?

Suppose a vendor has a list of websites associated with a certain attack. When it accesses one of those sites (either manually or with automated tools), the attacker records in a backend database of their own that this particular IP address has already visited a site tied to this attack. If the vendor then accesses other sites that check against the same database, it is no longer served the malicious content.

Figure 1. Crawling avoidance

Backend databases like this can also be combined with dynamic DNS services. Attackers generate so many random URLs through these services that they can afford to deactivate a URL within minutes of somebody visiting it.

All of these techniques are supported by exploit kits to varying degrees. One of the most common is the “infect once” technique, which is used by both versions (1.x and 2.x) of the Blackhole Exploit Kit, as well as by Styx and CoolKit.

Individual countermeasures for each of these tricks exist, but they place an additional burden on vendors and researchers. We are able to work around these limitations, but they highlight how important it is not to rely on any single method to secure users.
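As an added illustration (not code from the original post or from any real kit), the following Python simulates a landing-page gate that applies the three tricks described above, the vendor-IP blacklist, the “infect once” check against a shared backend, and throw-away URLs that go dark minutes after their first visit, together with the crawler-side countermeasure of fetching the same URL from more than one vantage point. The IP ranges, hostnames and the 300-second URL lifetime are constructed assumptions, and a Python set stands in for the attacker's backend database.

```python
import ipaddress
import time

# Constructed blacklist: ranges the attacker believes belong to security
# vendors (hypothetical; these are RFC 5737 documentation ranges).
VENDOR_BLACKLIST = [ipaddress.ip_network(n)
                    for n in ("198.51.100.0/24", "203.0.113.0/24")]

BENIGN = "<html><body>Under construction</body></html>"          # decoy page
EXPLOIT = "<html><script>/* landing page with exploit */</script></html>"


class Gate:
    """Front door of a simulated exploit-kit landing page.

    Models the three evasion tricks described in the post:
      1. a blacklist of suspected vendor/researcher IP ranges,
      2. "infect once": an IP is served the exploit at most once across the
         whole campaign, tracked in a shared backend (a set stands in for
         the attacker's database),
      3. throw-away URLs that stop serving the exploit once they are older
         than url_ttl seconds from their first visit.
    """

    def __init__(self, url_ttl=300, clock=time.time):
        self.seen_ips = set()   # backend record of IPs already served
        self.first_hit = {}     # url -> time of its first visit
        self.url_ttl = url_ttl
        self.clock = clock      # injectable so the demo can move time forward

    def _blacklisted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in VENDOR_BLACKLIST)

    def serve(self, ip, url):
        """Return the page a visitor at `ip` receives for `url`."""
        now = self.clock()
        first = self.first_hit.setdefault(url, now)
        if now - first > self.url_ttl:      # trick 3: URL already retired
            return BENIGN
        if self._blacklisted(ip):           # trick 1: known vendor range
            return BENIGN
        if ip in self.seen_ips:             # trick 2: this IP is burned
            return BENIGN
        self.seen_ips.add(ip)
        return EXPLOIT


def detect_cloaking(fetch, url, vantage_ips):
    """Crawler-side countermeasure: fetch `url` from several vantage points
    (in order) and report whether the bodies differ, which indicates
    IP-based gating. `fetch(ip, url)` is the transport; here it is Gate.serve.
    """
    bodies = [fetch(ip, url) for ip in vantage_ips]
    return len(set(bodies)) > 1, bodies


def demo():
    """Walk through the gate's behaviour with a controllable clock."""
    now = [1_000.0]
    gate = Gate(url_ttl=300, clock=lambda: now[0])
    url_a = "http://k7x2q.example-ddns.test/index.php"   # constructed
    url_b = "http://p9m4z.example-ddns.test/index.php"   # constructed
    url_c = "http://w3r8t.example-ddns.test/index.php"   # constructed
    out = {}
    out["vendor_ip"] = gate.serve("198.51.100.7", url_a) == EXPLOIT        # False: blacklisted
    out["fresh_ip"] = gate.serve("192.0.2.10", url_a) == EXPLOIT           # True
    out["same_ip_again"] = gate.serve("192.0.2.10", url_a) == EXPLOIT      # False: burned
    out["same_ip_other_url"] = gate.serve("192.0.2.10", url_b) == EXPLOIT  # False: backend is shared
    now[0] += 600                                                          # ten minutes later
    out["new_ip_old_url"] = gate.serve("192.0.2.11", url_a) == EXPLOIT     # False: URL retired
    out["new_ip_new_url"] = gate.serve("192.0.2.11", url_c) == EXPLOIT     # True
    # Differential fetch from a vendor range and a clean address exposes the gating.
    out["cloaking_detected"] = detect_cloaking(
        gate.serve, url_c, ["198.51.100.8", "192.0.2.12"])[0]              # True
    # A single, already-burned vantage point sees only the decoy and learns nothing.
    out["single_burned_vantage"] = detect_cloaking(
        gate.serve, url_c, ["192.0.2.11"])[0]                              # False
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>22}: {value}")
```

The point of `detect_cloaking` is that a crawler which always arrives from the same address, or from a range the attacker has catalogued, sees the decoy every time and has no way to know it; only a second fetch from an address the backend has not yet seen exposes the difference, which is why a vendor's crawler fleet needs fresh egress addresses and why a single method cannot be trusted on its own.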

There is no silver bullet to security. A “defense in depth” strategy that uses both cloud and endpoint methods is still the most effective way to ward off threats in today’s security environment. Most importantly, correlation between these multiple methods in order to find all aspects of the infection chain is vital to finding and analyzing new threats.

Securing users via the cloud remains an efficient way of protecting them, with broad coverage, powerful correlation and protection while using few resources. Like a cat-and-mouse game, we will continuously improve our crawlers and honeypots to stay ahead of cybercriminals.

However, endpoint protection is still an essential complement to cloud protection: the threat runs on the endpoint in real time, with a real user, in a real environment. On the endpoint, files and sites can be inspected the moment the user reaches them, and potentially malicious content (such as JavaScript and Java) can be executed and analyzed for malicious behavior. Users can be protected before any malicious file is saved to their system.

In the meantime, information about any newly detected threats is fed back into the cloud and the Smart Protection Network. This allows us both to protect all users “out of the box” and to gather information about these threats, which we use to learn more about them and to devise more effective methods of protecting users.

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Story added 22 August 2013.