New Malware Attack: Spoofed Headers

Tuesday, July 30, 2013 @ 06:07 PM gHale

In an effort to hide their tracks, attackers are now using advanced header spoofing techniques, researchers said.

The method is seeing use right now, said Trend Micro threat analyst Roddell Santos who detected several attacks using the method to avoid detection.

Rise of TOR-based Botnets
Most of Citadel Botnet Down
Spam Botnet Dodges Detection
Customized Mobile Number Harvesting

“Spoofing – whether in the form of DNS, legitimate email notification, IP, address bar – is a common part of web threats. We’ve seen its several incarnations in the past, but we recently found a technique known as header spoofing, which puts a different spin on evading detection,” he said in a blog post.

“Header spoofing is when a URL appears to be downloaded from a certain domain, but in reality it is downloaded from a different and (very likely) malicious one,” he said. “Unlike other types of spoofing techniques, this action is done without any system or file modification. Instead, header spoofing is performed by modifying the network packet, in particular adding the new domain to the request header once malware has connected to server and right before it sends the data.”

Santos highlighted an attack using the TROJ_RODECAP.SM malware as an example of how dangerous the technique is. He said the TROJ_RODECAP.SM attack hid the malware’s true domain and network activity from network administrators using a bogus ‘GET’ command link and downloaded file header.

“From the network traffic, it can be seen that the reply came from the domain {BLOCKED}.104.93, which is located in Russia and is not connected to Google at all,” he said.

“Thus, network administrators might skip or regard the traffic as harmless because the purported requested link is a legitimate domain and merely leads to an image file. This spoofing provides a good way to cover up the communication between the malware and the remote server that ultimately avoid arousing any suspicion, without revealing itself to end users.”

Santos said the technique is similar to that seen on the StealRat botnet. The StealRat botnet ended up uncovered by Trend Micro researcher Jessa De La Torre last week. At its height the botnet turned 85,000 unique IPs into malware-spreading tools.

Santos said these detection-dodging attacks are a good case in point that hackers are expanding their attack capabilities.

“These incidents highlight how threat actors are coming up with new tools and techniques to evade detection by security vendors,” he said.

Leave a Reply

You must be logged in to post a comment.