Web hacks using 'evasive' techniques

Web hacks using 'evasive' techniques

Summary: Finjan has released a report warning of malicious websites that restrict user access to avoid detection

TOPICS: Security

Hackers whose malicious code is hosted on websites are using increasingly sophisticated techniques to avoid the code being detected.

Once hackers have subverted a website, it is in their interests to minimise the malicious code's window of exposure to help prevent detection and subsequent blocking by security software and browser filters, according to a research paper produced by Finjan, the web security vendor.

Finjan reports an increasing trend for "evasive" web attacks, which keep track of visitors' IP addresses. Attack toolkits restrict access to a single-page view from each unique IP address. The second time an IP address tries to access the malicious page, a benign page is displayed in its place.

Evasive attacks can also identify the IP addresses of crawlers used by URL filtering, reputation services and search engines, and reply to these engines with legitimate content such as news. The malicious code on the host website accesses a database of IP addresses to determine whether to serve up malware or legitimate content.

"URL filtering, reputation services and even search engines might mistakenly classify these sites as legitimate," said Finjan's report. "This minimises the exposure of the malicious code to forensic analysis or security research, as there is just one opportunity for a visitor to actually see the code."

Topic: Security

Tom Espiner

About Tom Espiner

Tom is a technology reporter for ZDNet.com. He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to start the discussion