Whitelists: The Holy Grail of Attackers, (Wed, Apr 5th)


As a defender, take the time to put yourself in the place of a bad guy for a few minutes. You're writing some malicious code and you need to download payloads from the Internet or hide your code on a website. Once your malicious code spreads in the wild, it will quickly be captured by honeypots, IDS, ... (name your best tool) and analysed, automatically or manually, by the good guys. The goal of this is to extract a behavioural analysis of the code and generate indicators of compromise (IOCs) which will help to detect it. Once IOCs are extracted, it's just a question of time: they are shared very quickly.

In more and more environments, IOCs are used as a blacklist system, and security tools can block access to resources based on IP addresses, domains, file hashes, etc. But every security control also implements whitelist systems to prevent (as much as possible) false positives. Indeed, if a system drops connections to a popular website for the users of an organization or for other computers, the damage could be important (sometimes up to a loss of revenue). As a real-life example, one of my customers implemented automatic blacklisting based on IOCs, but whitelists are in place. To reduce the false positives, two whitelists are implemented for URL filtering:

  • The top-1000 of the Alexa[1] ranking list is automatically whitelisted
  • Top URLs are extracted from the previous week's proxy logs and added to the list

To remain below the radar or to bypass controls, the Holy Grail of bad guys is to abuse those whitelists. The Cerber ransomware is a good example: it uses URLs ending with /search.php.

Once the malware was analysed, the URI /search.php quickly became blacklisted.

By choosing a generic URL like this one, malware writers hope that it will be hidden in the traffic. But when it becomes blacklisted, there are side effects. I had the case with a customer this week. They had to remove /search.php from the list of IOCs. Other generic URIs of the same kind:

  • /log.php
  • /asset.php
  • /content.php
  • /list.php
  • /profile.php
  • /report.php
  • /register.php
  • /login.php
  • /rss.php

Another approach is to compromise a website categorised as clean.

Even if typosquatting is still used (e.g. ro0tshell.be instead of rootshell.be), it's more efficient if you can host your malicious content behind a real domain with a nice score in lists such as Alexa. And often, the site itself doesn't need to be compromised. The victim's DNS can be hacked or poisoned and new records added to those nice domains. The victim's session can be hijacked using MitM techniques. The whitelist will do the rest...
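The two failure modes above (a generic URI IOC such as /search.php that matches legitimate traffic on many whitelisted sites, and a whitelisted domain that an IOC feed flags) can both be caught before an indicator reaches the blocking list. The script below is an added example, not code from the ISC diary or from the customer setup it describes: the proxy log format, hostnames, the whitelist contents (standing in for the Alexa top-1000 plus last week's top hosts) and the IOC values are all constructed. It triages each candidate IOC against the whitelist and the previous week's proxy logs: a URI path seen on more than one whitelisted host is dropped as too generic, a domain that is both whitelisted and flagged goes to manual review instead of being silently allowed or blocked, and host matching is exact so a typosquat never inherits the score of the real domain.

```python
"""Triage candidate IOCs against a URL whitelist and last week's proxy logs.

Added example, not from the ISC diary. Log format, hostnames, whitelist and
IOC values are constructed for illustration.
"""
from urllib.parse import urlsplit

# Constructed proxy log excerpt: "timestamp client method url status"
PROXY_LOGS = """\
2017-04-01T10:00:01 10.0.0.5 GET http://www.example.com/search.php?q=a 200
2017-04-01T10:00:02 10.0.0.6 GET http://shop.example.org/search.php?q=b 200
2017-04-01T10:00:03 10.0.0.7 GET http://news.example.net/search.php 200
2017-04-01T10:00:04 10.0.0.5 GET http://www.example.com/login.php 200
2017-04-01T10:01:00 10.0.0.8 GET http://cdn.example.com/asset.php?id=1 200
2017-04-02T11:00:00 10.0.0.9 GET http://rootshell.be/search.php 200
2017-04-02T11:00:01 10.0.0.9 GET http://ro0tshell.be/search.php 200
2017-04-02T11:00:02 10.0.0.5 GET http://evil-payload.example/x7k2q.php 200
"""

# Constructed stand-in for "Alexa top-1000 + top hosts from last week's proxy logs"
WHITELIST = {
    "www.example.com", "shop.example.org", "news.example.net",
    "cdn.example.com", "rootshell.be",
}

# Constructed IOC feed: one generic path (the /search.php case), one specific
# path, one typosquat domain and one whitelisted domain that a feed flagged.
IOCS = [
    {"type": "uri", "value": "/search.php"},
    {"type": "uri", "value": "/x7k2q.php"},
    {"type": "domain", "value": "ro0tshell.be"},
    {"type": "domain", "value": "rootshell.be"},
]


def parse_logs(text):
    """Return (host, path) pairs; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        url = urlsplit(fields[3])
        if not url.hostname:
            continue
        records.append((url.hostname.lower(), url.path or "/"))
    return records


def is_whitelisted(host, whitelist=WHITELIST):
    """Exact host comparison only: 'ro0tshell.be' must not match 'rootshell.be',
    and a substring match would also let 'rootshell.be.attacker.example' through."""
    return host.lower() in whitelist


def hosts_serving_path(path, records):
    """All hosts on which the given URI path was requested."""
    return {host for host, p in records if p == path}


def assess_ioc(ioc, records, whitelist=WHITELIST, max_clean_hosts=1):
    """Return (decision, reason) for one IOC before it reaches the block list."""
    if ioc["type"] == "uri":
        clean = sorted(h for h in hosts_serving_path(ioc["value"], records)
                       if is_whitelisted(h, whitelist))
        if len(clean) > max_clean_hosts:
            return "drop", f"generic path served by {len(clean)} whitelisted hosts: {', '.join(clean)}"
        return "block", "path not seen on whitelisted hosts"
    if ioc["type"] == "domain":
        if is_whitelisted(ioc["value"], whitelist):
            # Whitelist and blacklist disagree: a legitimate site may simply be
            # compromised, so neither automatic choice is safe.
            return "review", "domain is whitelisted but flagged; decide manually"
        return "block", "domain not whitelisted"
    return "review", f"unknown IOC type {ioc['type']!r}"


def triage(iocs, log_text=PROXY_LOGS, whitelist=WHITELIST):
    """Map each IOC value to its (decision, reason)."""
    records = parse_logs(log_text)
    return {ioc["value"]: assess_ioc(ioc, records, whitelist) for ioc in iocs}


if __name__ == "__main__":
    for value, (decision, reason) in triage(IOCS).items():
        print(f"{decision:6} {value:16} {reason}")
```

With the constructed data, /search.php is dropped (four whitelisted hosts serve it), /x7k2q.php is blocked, ro0tshell.be is blocked, and rootshell.be is sent to review. The threshold `max_clean_hosts` is an assumption to tune against your own proxy volume.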

[1] http://www.alexa.com/topsites

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
