Title: How SofosFO exploit kit operators prevent tracing
Post by: SysAdMini on November 23, 2012, 05:39:18 pm
Whenever I detect an infection, I try to trace the infection chain. Today I came across an interesting case.
I found an infection by a SofosFO ( exploit kit.
Operators of this kit take multiple precautions to prevent tracing by Infosec researchers.

Step by step.

Measure 1 - Referer

We start at the compromised site This site contains a link to an external script at


Requesting the script directly returns only a 404. You have to supply a Referer header in order to get the script.


Measure 2 - Cookie and user agent check


The script sets a cookie 'phpsessid312'. If you request the script a second time, it stops here if the cookie exists.
The script additionally checks whether the visitor is running Internet Explorer on Windows.
Only an IE user agent takes you to the next step.

The script generates a dynamic iframe leading to


Measures 3 and 4 - IP check and redirection to a unique URL

The site the iframe leads to checks the visitor's IP address. It returns 404 if you visit the site more than once.
Only the first visit redirects to the exploit kit.

A unique URL is generated that can be used only once.


Measure 5 - short DNS TTL

The DNS TTL has been set to 30 seconds.


All these measures make it more difficult to trace this exploit kit.
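The gating chain described in the post, modelled as an added example so that replay tooling can be tested against it before the one real attempt is spent. This is a hypothetical reconstruction written for this page, not the kit's own code; the host names, the IE detection regex, the cookie value and the token format are assumptions, and only the cookie name 'phpsessid312' and the 30 second TTL come from the post.

```python
"""
Model of the gating described in the post: referer check, cookie and user
agent check, one visit per IP, single-use URL.  Added example and a
hypothetical reconstruction for testing replay tooling, not the kit's code.
The host names, the IE detection regex and the token format are assumptions.
"""
import re
import secrets

COOKIE_NAME = "phpsessid312"          # cookie name quoted in the post
# Assumption: "Internet Explorer on Windows" is detected from the MSIE token
# followed by a Windows platform string in the User-Agent header.
IE_ON_WINDOWS = re.compile(r"MSIE \d+\.\d+;.*Windows", re.I)


class GateModel:
    """Replays the checks described in the post, in the order they occur."""

    def __init__(self):
        self.seen_ips = set()       # Measure 3: one redirect per visitor IP
        self.live_tokens = set()    # Measure 4: unused single-use URLs

    def serve_script(self, headers):
        """Measure 1: the external script is only served with a Referer."""
        if not headers.get("Referer"):
            return 404, None
        return 200, "script"

    def script_gate(self, headers, cookies):
        """Measure 2: stop on a repeat visitor (cookie) or a non-IE browser.
        Sets the cookie so a second request from the same jar stops here."""
        if COOKIE_NAME in cookies:
            return False
        if not IE_ON_WINDOWS.search(headers.get("User-Agent", "")):
            return False
        cookies[COOKIE_NAME] = "1"
        return True

    def redirector(self, client_ip):
        """Measures 3 and 4: first visit per IP gets a 302 to a one-time URL."""
        if client_ip in self.seen_ips:
            return 404, None
        self.seen_ips.add(client_ip)
        token = secrets.token_hex(8)          # assumed token format
        self.live_tokens.add(token)
        return 302, "/" + token

    def landing(self, path):
        """The one-time URL is consumed on first use; later requests get 404."""
        token = path.lstrip("/")
        if token not in self.live_tokens:
            return 404
        self.live_tokens.discard(token)
        return 200


def researcher_headers(referer):
    """Request profile that satisfies measures 1 and 2: a Referer pointing at
    the compromised page and an IE-on-Windows User-Agent.  Use a fresh cookie
    jar and a fresh source IP for every attempt; there is no second chance."""
    return {
        "Referer": referer,
        "User-Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
    }


def walk_chain(model, headers, client_ip, cookies=None):
    """Follow the chain once and record the status seen at each stage."""
    cookies = {} if cookies is None else cookies
    trace = []
    status, _ = model.serve_script(headers)
    trace.append(("script", status))
    if status != 200:
        return trace
    if not model.script_gate(headers, cookies):
        trace.append(("script-gate", "stopped"))
        return trace
    trace.append(("script-gate", "iframe"))
    status, url = model.redirector(client_ip)
    trace.append(("redirector", status))
    if status != 302:
        return trace
    trace.append(("landing", model.landing(url)))
    trace.append(("landing-again", model.landing(url)))   # single use: 404
    return trace


if __name__ == "__main__":
    m = GateModel()
    h = researcher_headers("http://compromised.example/")   # hypothetical host
    print(walk_chain(m, h, "198.51.100.7"))   # full chain on the first attempt
    print(walk_chain(m, h, "198.51.100.7"))   # same IP again: redirector 404s
```

Against a live chain the same discipline applies: send the Referer and the IE user agent on the very first request, start from an empty cookie jar, use a source IP the redirector has never seen, and capture every response in that single pass. Because the TTL is only 30 seconds, record the resolved A record together with each capture so the host can still be reached by IP once the name has moved.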