New "Ghost Host" Technique Boosts Botnet Resiliency

Malware Developers Trick Web Security Systems by Changing Domain Names and Inserting Non-malicious Hostnames into HTTP Host Field.
Malware authors have found a new method of ensuring their command and control (C&C) servers aren’t blocked by security systems, Cyren researchers warn.

Referred to as “ghost host,” the technique puts unfamiliar host names in the HTTP Host field of a botnet’s command and control traffic. Because these names (some registered, some not) are on no blocklist, web security and URL filtering systems that classify traffic by host name let the requests through, Cyren explains in a recent report.
The researchers say that one malware family using this technique performed DNS resolution for the domain www.djapp(.)info. After several security firms flagged that domain as bad, HTTP requests to it were blocked on networks protected by those vendors.
However, once the domain had been resolved to its IP address, the researchers, while analyzing the C&C transaction of a newly infected bot, observed HTTP requests reporting the successful infection of a new machine to the C&C server.
In these requests the destination IP address was the known bad server, while the HTTP Host fields named completely different domains. These are the domains Cyren refers to as “ghost hosts.” In this specific case, the fake domains were “events.nzlvin.net” and “json.nzlvin.net.”
Using this technique, the malware author keeps communication with the C&C server alive, because only the originally resolved domain is blocked while the ghost host names are not. Furthermore, the botnet owner can make the server respond differently to “coded” messages, with each ghost host name acting as a signal; one possible response is to instruct the bot to download a specific type of malware.
The security researchers explain that the IP address associated with the C&C URL isn’t usually blocked, mainly because the server may contain both legitimate and malicious content. Should the entire server IP be blocked, users would no longer be able to access legitimate services.
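As an added example, not code from the article or from Cyren’s report, the following Python sketches both halves of the story. `build_request` shows the request a bot would put on the wire, with the TCP connection going to the already-resolved C&C IP while the Host header carries a ghost host name; `host_filter` shows why a hostname-only URL filter misses it; and `ghost_host_candidates` shows a detection that keys on the destination IP instead and uses the absence of a preceding DNS query for the Host name from the same client as the discriminator, so that legitimate content co-hosted on the same IP is reported for triage rather than blocked outright. The log lines, the client IPs, the documentation address 203.0.113.7 standing in for the C&C server, and the co-hosted name shared.example are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample telemetry, not data from the Cyren report. The C&C IP is
# replaced by the documentation address 203.0.113.7; the ghost host names are
# the two the article mentions, plus an assumed co-hosted legitimate site.
KNOWN_BAD_IPS = {"203.0.113.7"}          # IP the flagged domain resolved to
BLOCKED_HOSTS = {"www.djapp.info"}       # what the URL filter actually blocks

DNS_LOG = """\
10:00:00 src=10.0.0.5 qname=www.djapp.info answer=203.0.113.7
10:00:05 src=10.0.0.9 qname=www.example.com answer=198.51.100.20
10:00:10 src=10.0.0.9 qname=shared.example answer=203.0.113.7
"""

PROXY_LOG = """\
10:00:01 src=10.0.0.5 dst=203.0.113.7 host=www.djapp.info path=/install
10:00:02 src=10.0.0.5 dst=203.0.113.7 host=events.nzlvin.net path=/install
10:00:03 src=10.0.0.5 dst=203.0.113.7 host=json.nzlvin.net path=/task
10:00:06 src=10.0.0.9 dst=198.51.100.20 host=www.example.com path=/
10:00:11 src=10.0.0.9 dst=203.0.113.7 host=shared.example path=/
"""

KV = re.compile(r"(\w+)=(\S+)")


def build_request(ghost_host, path="/install"):
    """The request as the bot puts it on the wire: the TCP connection goes to
    the already-resolved C&C IP, but the Host header names a ghost host."""
    return (f"GET {path} HTTP/1.1\r\nHost: {ghost_host}\r\n"
            "Connection: close\r\n\r\n").encode()


def parse(log):
    """Turn 'ts key=value ...' lines into dicts (timestamp kept under 'ts')."""
    rows = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, rest = line.split(" ", 1)
        rec = dict(KV.findall(rest))
        rec["ts"] = ts
        rows.append(rec)
    return rows


def host_filter(proxy_rows, blocked=BLOCKED_HOSTS):
    """What a hostname-based URL filter does: decide on the Host header only.
    Returns the requests it would block; everything else is allowed through,
    including traffic to the known bad IP under a ghost host name."""
    return [r for r in proxy_rows if r["host"] in blocked]


def ghost_host_candidates(proxy_rows, dns_rows, bad_ips=KNOWN_BAD_IPS,
                          blocked=BLOCKED_HOSTS):
    """Correlate by destination IP instead of Host. For every request to a
    known bad IP whose Host is not already blocked, report the client, the
    Host value and whether that client resolved the name via DNS before
    sending the request. A bot reuses the IP it obtained for the blocked
    domain, so a Host name with no preceding DNS query from the same client
    is a strong ghost-host indicator; a name that was resolved normally may be
    legitimate content co-hosted on the same server and needs triage."""
    lookups = defaultdict(list)
    for r in dns_rows:
        lookups[r["src"]].append((r["ts"], r["qname"]))
    findings = []
    for r in proxy_rows:
        if r["dst"] not in bad_ips or r["host"] in blocked:
            continue
        resolved_first = any(q == r["host"] and t <= r["ts"]
                             for t, q in lookups[r["src"]])
        findings.append((r["src"], r["host"], not resolved_first))
    return findings


if __name__ == "__main__":
    print(build_request("events.nzlvin.net"))
    proxy, dns = parse(PROXY_LOG), parse(DNS_LOG)
    print("host filter blocks:", [r["host"] for r in host_filter(proxy)])
    for src, host, no_dns in ghost_host_candidates(proxy, dns):
        verdict = "no DNS lookup (ghost host)" if no_dns else "resolved normally (triage)"
        print(f"{src} -> {host}: {verdict}")
```

Run stand-alone, the hostname filter blocks only the www.djapp.info request, while the IP correlation surfaces events.nzlvin.net and json.nzlvin.net as ghost hosts (no DNS query preceded them) and lists shared.example separately because the client resolved it normally, which is the co-hosting case the paragraph above warns about.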
After discovering the two fake domains, the security firm kept monitoring the bad IP address and soon discovered a long list of ghost hosts associated with it. Some of the domains were registered (created on the same day the malware emerged), but many weren’t.
Detection rates for the fake domain names are low, meaning that botnet authors will continue using the “ghost host” technique, as it allows them to avoid detection.
“Ghost hosts are yet another example of how sophisticated criminal evasion techniques have become, and serve as an excellent example of why security vendors are often best positioned to protect organizations from the increasing craftiness of cybercriminals,” Cyren concludes.
Related: Mirai Switches to Tor Domains to Improve Resilience
Related: Botnet of 3 Million Twitter Accounts Remains Undetected for Years
