For years, the security community has been developing efficient ways to evaluate the maliciousness of as many web sites as possible, by crawling them for malicious content in an automated fashion. Thanks to the rise of botnets as an exploitation platform, today's cybercriminals largely rely on compromised legitimate infrastructure as the delivery vehicle for their malicious content, rather than on purely malicious sites, as their infection and propagation vector.
Naturally, cybercriminals keep track of the latest anti-malware security research, and constantly adapt to the latest innovations by introducing new features within the most widely used web malware exploitation kits.
According to security researchers from ESET, while profiling yet another campaign serving malware and exploits, they stumbled upon a new anti-crawling feature introduced in the Nuclear Pack web malware exploitation kit.
The new feature is just the tip of the iceberg. Here are some of the most common evasive techniques used by cybercriminals to prevent vendors and security researchers from analyzing their campaigns:
- The use of session-based cookies, so that a request for the exploit page without the cookie issued by the landing page gets nothing
- The use of HTTP referrers to ensure the exploitation chain is followed in order, rather than a single URL being fetched in isolation
- The banning of IP addresses in the known netblocks of security vendors
- The use of OS and browser fingerprinting techniques, so that the payload is only served to the platforms the kit actually targets
- The serving of malicious content only once for a given IP address, so that a second fetch by an analyst sees a benign page
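To see how these checks combine against an automated crawler, the following Python model is an added example written for this article, not code from Nuclear Pack, ESET or any real kit. It models a server-side gate that applies the five checks listed above to each request and returns a label instead of real content; the netblocks, hostnames and user-agent strings are constructed stand-ins (the netblocks are documentation ranges, not real vendor addresses). A naive crawler that fetches the exploit URL directly is shown beside a visit that follows the chain the way a victim's browser would.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for "known security vendor netblocks" (RFC 5737 documentation
# ranges, not real vendor IPs).
BLOCKED_NETBLOCKS = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]
LANDING_URL = "http://landing.example/landing"  # hypothetical landing page URL
SESSION_COOKIE = "sid"
BROWSER_UA_MARKERS = ("Mozilla/", "MSIE", "Firefox", "Chrome")


@dataclass
class Request:
    """One HTTP request as the gate sees it (only the fields the gate inspects)."""
    ip: str
    path: str
    user_agent: str = ""
    referer: str = ""
    cookies: dict = field(default_factory=dict)


class ExploitKitGate:
    """Model of the server-side gating an evasive kit applies before serving its payload.
    Each branch in deny_reason() corresponds to one item in the list above."""

    def __init__(self):
        self.issued_sessions = set()   # session cookies handed out by the landing page
        self.served_ips = set()        # IPs that already received the payload once
        self._next_sid = 0

    def handle(self, req: Request):
        """Return (body_label, cookies_to_set). A real kit returns HTML/JS; we return labels."""
        if req.path == "/landing":
            self._next_sid += 1
            sid = f"s{self._next_sid}"
            self.issued_sessions.add(sid)
            return "landing", {SESSION_COOKIE: sid}
        if req.path != "/exploit":
            return "not_found", {}
        reason = self.deny_reason(req)
        if reason is not None:
            return f"decoy:{reason}", {}   # benign-looking page for anyone failing a check
        self.served_ips.add(req.ip)
        return "payload", {}

    def deny_reason(self, req: Request) -> Optional[str]:
        """First failed check, or None if the visitor looks like a genuine victim."""
        addr = ipaddress.ip_address(req.ip)
        if any(addr in net for net in BLOCKED_NETBLOCKS):
            return "vendor_netblock"          # banned security-vendor IP ranges
        if req.cookies.get(SESSION_COOKIE) not in self.issued_sessions:
            return "no_session_cookie"        # skipped the landing page
        if req.referer != LANDING_URL:
            return "bad_referer"              # chain not followed in order
        if not any(m in req.user_agent for m in BROWSER_UA_MARKERS):
            return "fingerprint_mismatch"     # OS/browser fingerprint (UA only, in this model)
        if req.ip in self.served_ips:
            return "already_served"           # one shot per IP
        return None


def naive_crawler(gate: ExploitKitGate, ip: str) -> str:
    """Fetch the exploit URL directly with a generic UA: what a simple automated
    scanner does, and why it only ever sees the decoy."""
    body, _ = gate.handle(Request(ip=ip, path="/exploit", user_agent="python-requests/2.0"))
    return body


def browser_like_visit(gate: ExploitKitGate, ip: str) -> str:
    """Follow the chain as a victim's browser would: landing page first, keep the
    session cookie, send the landing page as Referer, present a browser UA."""
    ua = "Mozilla/5.0 (Windows NT 6.1) Firefox/10.0"   # constructed UA string
    _, cookies = gate.handle(Request(ip=ip, path="/landing", user_agent=ua))
    body, _ = gate.handle(Request(ip=ip, path="/exploit", user_agent=ua,
                                  referer=LANDING_URL, cookies=cookies))
    return body


if __name__ == "__main__":
    gate = ExploitKitGate()
    print(naive_crawler(gate, "192.0.2.10"))         # decoy:no_session_cookie
    print(browser_like_visit(gate, "192.0.2.10"))    # payload
    print(browser_like_visit(gate, "192.0.2.10"))    # decoy:already_served
    print(browser_like_visit(gate, "198.51.100.5"))  # decoy:vendor_netblock
```

The practical lesson for anyone building an analysis crawler is in the last three lines: the payload is only served to a visitor that keeps a cookie jar, walks the landing page before the exploit page with a matching Referer, presents a realistic browser fingerprint and arrives from an address the kit does not associate with a vendor; and because of the one-shot-per-IP rule, everything must be captured on that first pass, since a retry from the same address will be fed the decoy.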
For the time being, the most widely used web malware exploitation kit remains the Black Hole exploit kit. Only time will tell whether its author will introduce an anti-crawling feature as well, but given how promptly newly released exploits get integrated into the kit, it may already be on the "to-do" list of the cybercriminal behind it.