Malware Domain List

Malware Related => Malware Analysis => Topic started by: SysAdMini on November 23, 2012, 05:39:18 pm

Title: How SofosFO exploit kit operators prevent tracing
Post by: SysAdMini on November 23, 2012, 05:39:18 pm
Whenever I detect an infection, I try to trace the infection chain. Today I came across an interesting case.
I found an infection by a SofosFO (http://malware.dontneedcoffee.com/2012/10/neosploit-now-showing-bh-ek-20-like.html) exploit kit.
Operators of this kit take multiple precautions to prevent tracing by Infosec researchers.

Step by step.

Measure 1 - Referrer

We start at compromised site brainbox-and-co.com. This site contains a link to an external script at

hxxp://systemnetworkscripts.org/1/ad.php?id=8.

Requesting the script directly only returns a 404. You have to specify a referrer in order to get the script.

(http://www.malwaredomainlist.com/pics/brainbox.png)


Measure 2 - Cookie and user agent check

(http://www.malwaredomainlist.com/pics/systemnetworkscripts.png)


The script sets a cookie 'phpsessid312'. If you request the script a second time, it stops here if the cookie exists.
The script additionally checks if the visitor is running Internet Explorer on Windows.
Only an IE user agent takes you to the next step.

The script generates a dynamic iframe leading to

hxxp://sexcliphunter.net

Measures 3 and 4 - IP check and redirection to a unique URL

sexcliphunter.net checks the visitor's IP address. It returns 404 if you visit the site more than once.
Only the first visit redirects to the exploit kit.

A unique URL is generated that can be used only once.

(http://www.malwaredomainlist.com/pics/sexcliphunter.net.png)

Measure 5 - short DNS TTL

DNS TTL has been set to 30 seconds.

(http://www.malwaredomainlist.com/pics/dnsttl.png)

All these measures make it more difficult to trace this exploit kit.
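The gating chain described in the post, modelled as an added example so a researcher can see exactly which request attributes a replay has to satisfy at each hop. This is illustrative code written for this page, not code from the post or from the kit: the hostnames brainbox-and-co.com, systemnetworkscripts.org and sexcliphunter.net and the cookie name phpsessid312 are taken from the post; the exploit-kit host ek.invalid, the class and function names, the token format, and the choice of 404 for the cookie and user-agent failures (the post only says the script "stops here") are assumptions. The sample IPs and user agents are constructed.

```python
"""Model of the SofosFO anti-tracing chain from the post (added example).

Each gate is a pure function of an in-memory Request, so the whole chain
runs offline. Real hosts from the post are kept; ek.invalid is a placeholder.
"""
from dataclasses import dataclass, field
import secrets

IE_MARKERS = ("MSIE", "Trident/")          # substrings that identify an IE user agent


@dataclass
class Request:
    ip: str
    user_agent: str
    referer: str = ""
    cookies: dict = field(default_factory=dict)
    path: str = "/"


@dataclass
class Response:
    status: int
    location: str = ""                     # iframe target or 302 Location
    set_cookie: dict = field(default_factory=dict)


class AdScriptGate:
    """hxxp://systemnetworkscripts.org/1/ad.php?id=8 (measures 1 and 2)."""
    COOKIE = "phpsessid312"               # cookie name from the post

    def __init__(self, landing):
        self.landing = landing

    def handle(self, req):
        if not req.referer:                # measure 1: no referrer -> 404
            return Response(404)
        if self.COOKIE in req.cookies:     # measure 2: repeat visitor stops here (404 assumed)
            return Response(404)
        ua = req.user_agent
        if "Windows" not in ua or not any(m in ua for m in IE_MARKERS):
            return Response(404)           # measure 2: not IE on Windows (404 assumed)
        # Dynamic iframe to the next hop; the cookie marks this browser as served.
        return Response(200, location=self.landing, set_cookie={self.COOKIE: "1"})


class LandingGate:
    """sexcliphunter.net (measures 3 and 4): one visit per IP, one-time URL."""

    def __init__(self, ek_base):
        self.ek_base = ek_base             # hypothetical exploit-kit host
        self.seen_ips = set()
        self.live_tokens = {}              # token -> IP it was issued to

    def handle(self, req):
        if req.ip in self.seen_ips:        # measure 3: only the first visit redirects
            return Response(404)
        self.seen_ips.add(req.ip)
        token = secrets.token_hex(16)      # measure 4: unique, single-use URL (format assumed)
        self.live_tokens[token] = req.ip
        return Response(302, location=f"{self.ek_base}/{token}")

    def serve_exploit(self, req):
        token = req.path.rsplit("/", 1)[-1]
        if self.live_tokens.pop(token, None) != req.ip:   # burned token or wrong IP -> 404
            return Response(404)
        return Response(200)


def walk_chain(ad_gate, landing_gate, req):
    """Follow the chain the way a replaying researcher would; returns (hop, status) pairs."""
    hops = []
    r = ad_gate.handle(req)
    hops.append(("ad.php", r.status))
    if r.status != 200:
        return hops
    req.cookies.update(r.set_cookie)       # the browser stores phpsessid312
    r2 = landing_gate.handle(Request(req.ip, req.user_agent, referer=req.referer))
    hops.append(("landing", r2.status))
    if r2.status != 302:
        return hops
    path = r2.location[len(landing_gate.ek_base):]
    r3 = landing_gate.serve_exploit(Request(req.ip, req.user_agent, path=path))
    hops.append(("exploit", r3.status))
    return hops


IE9 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"   # constructed
CURL = "curl/7.26.0"                                                       # constructed
REF = "http://brainbox-and-co.com/"


def demo():
    """Replays the scenarios from the post; returns the hop statuses of each."""
    ad = AdScriptGate(landing="http://sexcliphunter.net")
    landing = LandingGate(ek_base="http://ek.invalid")
    out = {}
    out["direct"] = walk_chain(ad, landing, Request("203.0.113.5", CURL))
    out["curl_with_referer"] = walk_chain(ad, landing, Request("203.0.113.5", CURL, referer=REF))
    out["ie_first"] = walk_chain(ad, landing, Request("203.0.113.5", IE9, referer=REF))
    out["ie_same_ip_again"] = walk_chain(ad, landing, Request("203.0.113.5", IE9, referer=REF))
    out["ie_cookie_present"] = walk_chain(
        ad, landing, Request("198.51.100.7", IE9, referer=REF, cookies={"phpsessid312": "1"}))
    # Single-use URL: fetching the same exploit path twice burns it on the first hit.
    lg = LandingGate("http://ek.invalid")
    path = lg.handle(Request("192.0.2.9", IE9, referer=REF)).location[len(lg.ek_base):]
    out["token_replay"] = [lg.serve_exploit(Request("192.0.2.9", IE9, path=path)).status,
                           lg.serve_exploit(Request("192.0.2.9", IE9, path=path)).status]
    return out


if __name__ == "__main__":
    for name, hops in demo().items():
        print(f"{name:20s} {hops}")
```

The practical consequence for tracing is that every hop has to be captured on the first and only pass from a clean client: correct Referer, an IE-on-Windows user agent, no stored cookie, a source IP that has not touched the landing host before, and the one-time URL followed immediately. Because the TTL on the kit's DNS records is 30 seconds, record the resolved addresses at the moment of the capture as well, since a later lookup may already point elsewhere.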