Author Topic: How SofosFO exploit kit operators prevent tracing  (Read 16784 times)


November 23, 2012, 05:39:18 pm
Whenever I detect an infection, I try to trace the infection chain. Today I came across an interesting case.
I found an infection by a SofosFO exploit kit.
Operators of this kit take multiple precautions to prevent tracing by Infosec researchers.

Step by step.

Measurement 1 - Referrer

We start at a compromised site. This site contains a link to an external script at


Requesting the script directly returns only a 404. You have to specify a referrer in order to get the script.

Measurement 2 - Cookie and user agent check

The script sets a cookie 'phpsessid312'. If you request the script a second time, it stops here if the cookie exists.
The script additionally checks if the visitor is running Internet Explorer on Windows.
Only using an IE user agent takes you to the next step.

The script generates a dynamic iframe leading to


Measurement 3 and 4 - IP check and redirection to a unique URL

It checks the visitor's IP address. It returns 404 if you visit the site more than once.
Only the first visit redirects to the exploit kit.

A unique URL is generated that can be used only once.

Measurement 5 - short DNS TTL

DNS TTL has been set to 30 seconds.

All these measurements make it more difficult to trace this exploit kit.

Ruining the bad guy's day
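As an added example (not part of the original post), the gating steps above can be turned into a proxy-log correlation: per client, a script served only with a foreign referrer that sets the 'phpsessid312' cookie to an IE/Windows visitor, followed shortly by a redirector host and a one-time landing host. The log format, hostnames and the `find_chains` function are constructed for illustration; the cookie name is the only value taken from the post.

```python
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse
COOKIE_MARKER = "phpsessid312"  # cookie name the post reports the first-stage script setting
# Constructed proxy log (tab-separated: ts, client, status, url, referer, user-agent,
# set-cookie). Hostnames are placeholders, not indicators from the post.
IE_UA = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
SAMPLE_LOG = "\n".join([
    f"2012-11-23T17:39:00\t10.0.0.5\t200\thttp://site.example/\t-\t{IE_UA}\t-",
    f"2012-11-23T17:39:01\t10.0.0.5\t200\thttp://stage1.example/s.js\thttp://site.example/\t{IE_UA}\tphpsessid312=1",
    f"2012-11-23T17:39:02\t10.0.0.5\t302\thttp://stage2.example/go\thttp://site.example/\t{IE_UA}\t-",
    f"2012-11-23T17:39:03\t10.0.0.5\t200\thttp://kit.example/x9k2\thttp://stage2.example/go\t{IE_UA}\t-",
    "2012-11-23T17:40:10\t10.0.0.9\t404\thttp://stage1.example/s.js\t-\tcurl/7.26.0\t-",
])

def parse_log(text):
    """Parse the log into dicts sorted by timestamp."""
    rows = []
    for line in text.splitlines():
        ts, client, status, url, referer, ua, set_cookie = line.split("\t")
        rows.append({"ts": datetime.fromisoformat(ts), "client": client, "status": int(status),
                     "url": url, "referer": referer, "ua": ua, "set_cookie": set_cookie})
    return sorted(rows, key=lambda r: r["ts"])

def host(url):
    return urlparse(url).hostname or ""

def find_chains(text, window=60):
    """Per client: a script served with a foreign referer that set the marker cookie
    to an IE/Windows visitor, followed within `window` seconds by two further hosts."""
    by_client = defaultdict(list)
    for r in parse_log(text):
        by_client[r["client"]].append(r)
    hits = []
    for client, rows in by_client.items():
        for i, r in enumerate(rows):
            if COOKIE_MARKER not in r["set_cookie"] or r["referer"] == "-":
                continue  # measurement 1/2: no referer or no cookie means the gate was not passed
            if host(r["referer"]) == host(r["url"]) or "MSIE" not in r["ua"] or "Windows" not in r["ua"]:
                continue  # the script is external to the page, and only IE on Windows proceeds
            seen, chain = {host(r["url"]), host(r["referer"])}, [r["url"]]
            for nxt in rows[i + 1:]:
                if (nxt["ts"] - r["ts"]).total_seconds() > window:
                    break
                if host(nxt["url"]) not in seen:  # redirector, then the one-time landing URL
                    seen.add(host(nxt["url"]))
                    chain.append(nxt["url"])
            if len(chain) >= 3:
                hits.append({"client": client, "referer": r["referer"], "chain": chain})
    return hits
```

The analyst replay on the last log line (no referrer, non-IE agent, 404) is deliberately not flagged: it is the failed re-fetch the post describes, not a victim session.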