Hackers and malware are out there, and a major part of cyber defenders’ jobs is detecting and cleaning up attacks. Some of the easiest methods for detecting that a computer is infected (looking at IP addresses and domain names) only work some of the time. In this piece, we’ll talk about some of the methods that hackers use to bypass detection based on these indicators.
Malware and IoCs
Identifying malware on an infected computer can be hard work. In most cases (ransomware being an exception), hackers don’t want their targets to know that their computer is infected. As a result, they do everything they can to hide the malware on the computer.
Searching for this hidden malware on a computer is a pain, and network defenders don’t want to have to do it for every computer on the network. Once they identify a new type of malware, they develop Indicators of Compromise (IoCs) for it. Like checking a human for a fever to see if they’re sick, analysts check the rest of the network for signs of these IoCs to see if they’ve caught the same malware.
IoCs can be many things: hashes of files, words or phrases within files, etc. One of the most commonly used is the IP addresses or domain names of the computers that the malware communicates with.
These IoCs are easy to detect, but they don’t always work. Using an IoC based upon the IP address or domain of the computers that a piece of malware communicates with is an easy way to detect a certain variant. However, this information is very easy to change in the malware and can vary from sample to sample.
Some ways that malware bypasses this type of IoC include IP spoofing, domain overlap, man-in-the-middle, domain generation algorithms, and pharming. These methods are simple yet effective, but they can be defeated using anti-spoofing technology.
IP address spoofing is a method commonly used in Denial of Service (DoS) attacks. In an IP spoofing attack, an attacker modifies the source address of their traffic (like the return address on an envelope) to point to someone else. As a result, the recipient believes that the traffic is coming from someone other than the attacker, and if their firewalls block the attacker’s IP address, they won’t block this traffic.
The main limitation of IP spoofing is that it’s only good for one-way traffic. Since the return address on the traffic points to another computer, any responses from the target will go to that computer instead. This is why this method is mainly effective only for DoS attacks.
A domain name is a human-readable address (like google.com) that maps to an IP address (like 220.127.116.11). In many cases, this mapping is not one-to-one. For example, a company may use multiple web servers for load-balancing that all use the same domain name. On the flip side, it’s possible to have multiple domains that resolve to the same IP address (like website hosting providers).
Hackers can take advantage of this to bypass domain-based IoCs. By registering another domain name (which is fairly cheap) and pairing it to an IP address that they already own, their malware can use the new domain name (bypassing the domain-based IoC) without any changes to their server infrastructure.
Man-in-the-Middle (MitM) attacks make IP spoofing attacks usable for purposes other than DoS attacks. In a MitM attack, the attacker is on the path between the target and the server whose IP address the attacker puts on the packet. Since the attacker is between the target and the spoofed IP, they can intercept and respond to packets before they reach the other address.
Man-in-the-Middle attacks don’t work for pretending to be an HTTPS-enabled website to a user, since the attacker doesn’t have the appropriate certificates to set up the connection. They can also be difficult to perform since the attacker has to control the route, but several methods exist for doing so, including compromising routers, BGP hijacking, and ARP spoofing.
Domain Generation Algorithms
Malware needs to know which computers to talk to in order to download new malware, send out stolen data, and receive new commands. In many cases, the domains or IP addresses of these computers are hardcoded into the malware. However, this makes it easy for an analyst to find these IP addresses within the malware and add them to the block list.
Malware using Domain Generation Algorithms (DGAs) does not hardcode addresses. Instead, it includes an algorithm that generates a domain name each time that the malware needs to communicate.
The server that the malware is trying to communicate with runs the same algorithm and ensures that all of this traffic goes to the right place (using domain overlap). As a result, the malware uses a different domain name every time, making domain-based IoCs useless and unscalable.
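Because a DGA defeats lists of known domains, defenders often look at the shape of the names instead. The following is an added example, not code from the original article: a heuristic that flags clients querying several distinct, random-looking names. The thresholds, function names and sample queries are assumptions constructed for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample: (client, queried name) pairs from a resolver log.
QUERIES = [
    ("10.0.0.5", "qxv7hd2kzpl9.example"), ("10.0.0.5", "m4ktz8wq1yrb.example"),
    ("10.0.0.5", "zp0c6jhx3nwd.example"), ("10.0.0.5", "j9rvb2tq7mzx.example"),
    ("10.0.0.9", "intranet.example"), ("10.0.0.9", "documentation.example"),
    ("10.0.0.12", "d3k9x7q2mzpl.example"), ("10.0.0.12", "mail.example"),
]

def shannon_entropy(label):
    """Bits per character of the label's character distribution."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_label(name):
    """Second-level label; naive, assumes a single-label TLD."""
    parts = name.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def looks_generated(name, min_len=10, min_entropy=3.4):
    """Long label with near-uniform characters (assumed thresholds)."""
    label = registered_label(name)
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy

def suspect_clients(queries, min_distinct=3):
    """Clients that queried at least min_distinct generated-looking names."""
    per_client = defaultdict(set)
    for client, name in queries:
        if looks_generated(name):
            per_client[client].add(name.lower())
    return {c: sorted(n) for c, n in per_client.items() if len(n) >= min_distinct}

if __name__ == "__main__":
    for client, names in suspect_clients(QUERIES).items():
        print(client, names)
```

A single random-looking name (10.0.0.12 in the sample) is not enough to flag a client, since legitimate services also use such names; requiring several distinct ones per client keeps the false-positive rate down.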
Pharming attacks take advantage of how the Internet converts domain names to IP addresses. This conversion is performed by Domain Name Service (DNS) servers that have lookup tables of domain name/IP address pairs. Your computer is configured to use a certain DNS server whenever it needs to visit a domain that it doesn’t know, and it trusts the DNS server to send it to the right place.
In pharming attacks, hackers use malicious DNS servers to send traffic to the wrong place. These can be either DNS servers run solely by the hackers or benign ones that were hacked and had malicious records inserted.
Like MitM attacks, pharming doesn’t let an attacker pretend to be an HTTPS-enabled website to a legitimate user. However, it can be used to hide malicious traffic from domain-focused IoCs since all DNS requests are for legitimate webpages (that then map to malicious IP addresses).
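Both domain overlap and pharming leave the queried name looking clean while the answer still points at the attacker's server, so a check on the resolved address catches what a domain list misses. The following is an added example, not code from the original article; the IoC lists, log format and function names are assumptions, and all addresses and domains are constructed.

```python
import ipaddress

# Constructed IoC lists (documentation-range addresses, .example domains).
DOMAIN_IOCS = {"update-check.example"}
IP_IOCS = {ipaddress.ip_address("203.0.113.7")}

# Constructed resolver log: client, queried name, answer address.
DNS_LOG = """\
10.0.0.5 update-check.example 203.0.113.7
10.0.0.8 cdn-assets.example 203.0.113.7
10.0.0.9 intranet.example 192.0.2.10
10.0.0.12 www.bank.example 203.0.113.7
10.0.0.13 www.bank.example 198.51.100.20
"""

def triage(log_text, domain_iocs, ip_iocs):
    """Return (client, name, answer, reason) for every suspicious line."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        client, name, answer = parts
        name = name.rstrip(".").lower()
        try:
            addr = ipaddress.ip_address(answer)
        except ValueError:
            continue  # answer is not an IP address
        if name in domain_iocs:
            hits.append((client, name, answer, "domain-ioc"))
        elif addr in ip_iocs:
            # Name is not on the list, but it resolves to a known-bad address.
            hits.append((client, name, answer, "ip-pivot"))
    return hits

def new_domain_candidates(hits):
    """Names caught only by the IP pivot: candidates for new domain IoCs."""
    return sorted({name for _, name, _, reason in hits if reason == "ip-pivot"})

if __name__ == "__main__":
    hits = triage(DNS_LOG, DOMAIN_IOCS, IP_IOCS)
    for hit in hits:
        print(*hit)
    print("review as new domain IoCs:", new_domain_candidates(hits))
```

Since many unrelated domains can share one IP address at a hosting provider, "ip-pivot" hits are leads for an analyst to review rather than confirmed infections.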
Making the Web More Secure
IP and domain-based IoCs are an easy starting point for detecting malware since they easily catch the low-hanging fruit. However, there are multiple methods by which a hacker can bypass them, including IP spoofing, domain overlap, man-in-the-middle attacks, domain generation algorithms, and pharming.
There are ways to protect yourself against all of these attacks. Detection software not based on IP addresses or domain names will not be fooled by many of these attacks. Only visiting HTTPS websites means that you’ll know if someone tricks you into visiting the wrong website via a pharming attack.
Protections like DNSSEC (which helps secure the DNS protocol) are also a good idea to implement within your organization. Anti-spoofing defenses can identify and protect against attackers using these tactics. Taking the steps to deploy these technologies can help protect your organization against evasive malware.