Author Topic: How SofosFO exploit kit operators prevent tracing  (Read 14322 times)


November 23, 2012, 05:39:18 pm

SysAdMini

Whenever I detect an infection, I try to trace the infection chain. Today I came across an interesting case.
I found an infection by a SofosFO exploit kit.
Operators of this kit take multiple precautions to prevent tracing by Infosec researchers.

Step by step.

Measure 1 - Referrer

We start at compromised site brainbox-and-co.com. This site contains a link to an external script at

hxxp://systemnetworkscripts.org/1/ad.php?id=8.

Requesting the script directly returns only a 404. You have to supply a referrer in order to get the script.

Measure 2 - Cookie and user agent check

The script sets a cookie 'phpsessid312'. If you request the script a second time, it stops here if the cookie exists.
The script additionally checks whether the visitor is running Internet Explorer on Windows.
Only using an IE user agent takes you to the next step.

The script generates a dynamic iframe leading to

hxxp://sexcliphunter.net

Measures 3 and 4 - IP check and redirection to a unique URL

sexcliphunter.net checks the visitor's IP address. It returns a 404 if you visit the site more than once.
Only the first visit redirects to the exploit kit.

A unique URL is generated that can be used only once.

Measure 5 - short DNS TTL

The DNS TTL has been set to 30 seconds.

All these measures make it more difficult to trace this exploit kit.

Ruining the bad guy's day
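The gating chain described in the post, modelled as an added illustration. This is not the kit's code, nor code from the poster; it is a constructed Python simulation of the server-side checks (referrer, cookie, IE-on-Windows user agent, one visit per IP, single-use redirect URL) plus a client walk-through that shows where a tracer gets cut off when it misses one of them. The kit host name, the exact header strings and the IP addresses are assumptions; the 30-second DNS TTL (measure 5) is a resolver-side property and is not modelled here.

```python
"""Model of the gating chain described in the post: each hop either admits the
visitor to the next stage or answers 404. Constructed illustration, not the
kit's own code; the kit host and the exact header checks are assumptions."""
import secrets
from dataclasses import dataclass, field

COMPROMISED_SITE = "brainbox-and-co.com"
SCRIPT_URL = "hxxp://systemnetworkscripts.org/1/ad.php?id=8"
TDS_HOST = "hxxp://sexcliphunter.net"
KIT_HOST = "hxxp://kit.example"          # hypothetical landing host
COOKIE_NAME = "phpsessid312"
IE_UA = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"  # constructed UA


@dataclass
class Request:
    url: str
    ip: str
    user_agent: str
    referer: str = ""
    cookies: dict = field(default_factory=dict)


@dataclass
class GateState:
    """Server-side memory the operators rely on to refuse repeat visitors."""
    seen_ips: set = field(default_factory=set)
    one_time_urls: set = field(default_factory=set)


def ad_php(req: Request):
    """Measures 1 and 2: referrer, cookie and user-agent checks."""
    if COMPROMISED_SITE not in req.referer:           # no referrer -> 404
        return 404, None
    if COOKIE_NAME in req.cookies:                     # repeat visit -> stop
        return 404, None
    if "MSIE" not in req.user_agent or "Windows NT" not in req.user_agent:
        return 404, None                               # not IE on Windows
    return 200, {"set_cookie": COOKIE_NAME, "iframe": TDS_HOST}


def tds(req: Request, state: GateState):
    """Measures 3 and 4: one visit per IP, then a single-use redirect."""
    if req.ip in state.seen_ips:
        return 404, None
    state.seen_ips.add(req.ip)
    url = f"{KIT_HOST}/{secrets.token_hex(8)}"         # unique per visit
    state.one_time_urls.add(url)
    return 302, url


def kit_landing(req: Request, state: GateState):
    """The unique URL is consumed on first use; replaying it gets a 404."""
    if req.url not in state.one_time_urls:
        return 404, None
    state.one_time_urls.discard(req.url)
    return 200, "landing page"


def trace_chain(ip, user_agent, referer, cookies, state):
    """Walk the chain as a researcher's client would, carrying cookies forward.
    Returns the list of (hop, status) reached before being cut off."""
    hops = []
    req = Request(SCRIPT_URL, ip, user_agent, referer, dict(cookies))
    status, body = ad_php(req)
    hops.append(("ad.php", status))
    if status != 200:
        return hops
    cookies[body["set_cookie"]] = "1"                  # client keeps the cookie
    req = Request(body["iframe"], ip, user_agent, SCRIPT_URL, dict(cookies))
    status, next_url = tds(req, state)
    hops.append(("tds", status))
    if status != 302:
        return hops
    req = Request(next_url, ip, user_agent, TDS_HOST, dict(cookies))
    status, _ = kit_landing(req, state)
    hops.append(("kit", status))
    return hops


if __name__ == "__main__":
    st = GateState()
    jar = {}
    ref = f"http://{COMPROMISED_SITE}/"
    print(trace_chain("203.0.113.5", IE_UA, ref, jar, st))   # full chain
    print(trace_chain("203.0.113.5", IE_UA, ref, jar, st))   # cookie stops it
    print(trace_chain("203.0.113.5", IE_UA, ref, {}, st))    # same IP stops it
```

The practical lesson for a tracer: every request in the chain has to look like the first visit of a real IE/Windows browser arriving from the compromised page, so the replay needs a fresh cookie jar, the right Referer, a single pass per source IP, and the redirect URL captured on that pass, because a second fetch of any hop returns nothing.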