Whenever I detect an infection, I try to trace the infection chain. Today I came across an interesting case.
I found an infection by a SofosFO exploit kit.
Operators of this kit take multiple precautions to prevent tracing by Infosec researchers.
Step by step.
Measure 1 - Referrer
We start at the compromised site brainbox-and-co.com. This site contains a link to an external script at
hxxp://systemnetworkscripts.org/1/ad.php?id=8.
Requesting the script directly returns only a 404. You have to send a Referer header in order to get the script.
Measure 2 - Cookie and user agent check
The script sets a cookie 'phpsessid312'. If you request the script a second time, it stops here because the cookie exists.
The script additionally checks whether the visitor is running Internet Explorer on Windows.
Only an IE user agent takes you to the next step.
The script then generates a dynamic iframe leading to
hxxp://sexcliphunter.net
Measure 3 and 4 - IP check and redirection to a unique URL
sexcliphunter.net checks the visitor's IP address. It returns 404 if you visit the site more than once.
Only the first visit redirects to the exploit kit.
A unique URL is generated that can be used only once.
Measure 5 - short DNS TTL
The DNS TTL has been set to 30 seconds.

All these measures make it more difficult to trace this exploit kit.
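The gating behaviour described above leaves a characteristic footprint in a web proxy log, and that footprint is something a defender can hunt for even when the kit refuses to serve an analyst. The following is an added example, not code from the original post: three small heuristics run over a constructed proxy log (the log format, hostnames, addresses and cookie-free sample lines are all made up for the example). They flag a URL that answers 404 without a Referer but 200 with one (measure 1), a URL that answers a client's first request and then 404 on every later request from the same address (measure 3), and a URL that was served successfully exactly once and returned 404 to everyone else (measure 4). The timestamps are ISO strings so sorting them keeps request order.

```python
"""Heuristics for spotting gated redirect chains in web proxy logs:
referrer-gated scripts, single-visit landing pages and single-use URLs.
Added example; log format, hostnames and addresses are all constructed."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed log format: ts client_ip "METHOD url" status "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<method>[A-Z]+) (?P<url>\S+)" '
    r'(?P<status>\d{3}) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

IE_UA = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
CURL_UA = "curl/7.29.0"

# Constructed sample: two victims (.5 and .7) walk the chain once each; an
# analyst (.9) fetches the script without a Referer, then revisits the
# landing page and replays one victim's single-use URL.
SAMPLE_LOG = "\n".join([
    f'2013-01-01T10:00:00 10.0.0.5 "GET http://compromised.example/index.html" 200 "-" "{IE_UA}"',
    f'2013-01-01T10:00:01 10.0.0.5 "GET http://script-host.example/1/ad.php?id=8" 200 "http://compromised.example/index.html" "{IE_UA}"',
    f'2013-01-01T10:00:02 10.0.0.5 "GET http://landing.example/" 302 "http://compromised.example/index.html" "{IE_UA}"',
    f'2013-01-01T10:00:03 10.0.0.5 "GET http://landing.example/go/a1b2c3d4" 200 "http://landing.example/" "{IE_UA}"',
    f'2013-01-01T10:07:00 10.0.0.7 "GET http://compromised.example/index.html" 200 "-" "{IE_UA}"',
    f'2013-01-01T10:07:01 10.0.0.7 "GET http://script-host.example/1/ad.php?id=8" 200 "http://compromised.example/index.html" "{IE_UA}"',
    f'2013-01-01T10:07:02 10.0.0.7 "GET http://landing.example/" 302 "http://compromised.example/index.html" "{IE_UA}"',
    f'2013-01-01T10:07:03 10.0.0.7 "GET http://landing.example/go/e5f6a7b8" 200 "http://landing.example/" "{IE_UA}"',
    f'2013-01-01T10:20:00 10.0.0.9 "GET http://script-host.example/1/ad.php?id=8" 404 "-" "{CURL_UA}"',
    f'2013-01-01T10:20:10 10.0.0.9 "GET http://landing.example/" 302 "-" "{IE_UA}"',
    f'2013-01-01T10:20:20 10.0.0.9 "GET http://landing.example/" 404 "-" "{IE_UA}"',
    f'2013-01-01T10:20:30 10.0.0.9 "GET http://landing.example/go/a1b2c3d4" 404 "http://landing.example/" "{IE_UA}"',
])


@dataclass
class Hit:
    ts: str
    ip: str
    url: str
    status: int
    referer: str  # "" when the client sent no Referer header
    ua: str


def parse_log(text: str) -> list[Hit]:
    """Parse the constructed log format; malformed lines are skipped."""
    hits = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ref = m["referer"]
        hits.append(Hit(m["ts"], m["ip"], m["url"], int(m["status"]),
                        "" if ref == "-" else ref, m["ua"]))
    return sorted(hits, key=lambda h: h.ts)  # ISO timestamps sort as text


def referrer_gated_urls(hits: list[Hit]) -> set[str]:
    """URLs that always 404 without a Referer but have served 200 with one."""
    with_ref, without_ref = defaultdict(set), defaultdict(set)
    for h in hits:
        (with_ref if h.referer else without_ref)[h.url].add(h.status)
    return {u for u in with_ref
            if 200 in with_ref[u] and without_ref.get(u) == {404}}


def single_visit_urls(hits: list[Hit]) -> set[str]:
    """URLs that answer a client IP's first request but 404 every later one."""
    per_ip = defaultdict(list)  # (url, ip) -> statuses in time order
    for h in hits:
        per_ip[(h.url, h.ip)].append(h.status)
    return {url for (url, _ip), st in per_ip.items()
            if len(st) >= 2 and st[0] != 404 and all(s == 404 for s in st[1:])}


def single_use_urls(hits: list[Hit]) -> set[str]:
    """URLs served successfully exactly once and 404 to some other client."""
    successes, fail_ips, ok_ip = defaultdict(int), defaultdict(set), {}
    for h in hits:
        if h.status != 404:
            successes[h.url] += 1
            ok_ip[h.url] = h.ip
        else:
            fail_ips[h.url].add(h.ip)
    return {u for u, n in successes.items()
            if n == 1 and (fail_ips[u] - {ok_ip[u]})}


def chain_report(text: str) -> dict[str, set[str]]:
    hits = parse_log(text)
    return {
        "referrer_gated": referrer_gated_urls(hits),
        "single_visit": single_visit_urls(hits),
        "single_use": single_use_urls(hits),
    }


if __name__ == "__main__":
    for kind, urls in chain_report(SAMPLE_LOG).items():
        print(kind, sorted(urls))
```

On the sample, the script URL is reported as referrer-gated, the landing page root as single-visit, and the victim's `/go/...` URL as single-use; the second victim's `/go/...` URL is not reported because nobody ever got a 404 from it, which is the kind of evidence these heuristics need. The short DNS TTL of measure 5 is not visible in a proxy log at all; it has to be caught in passive DNS data, where a hostname whose TTL is a few seconds and whose addresses rotate is itself a useful signal.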