Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    November 2014
    S M T W T F S
    « Oct    
     1
    2345678
    9101112131415
    16171819202122
    23242526272829
    30  
  • About Us

    Spoofing – whether in the form of DNS, legitimate email notification, IP, address bar – is a common part of Web threats. We’ve seen its several incarnations in the past, but we recently found a technique known as header spoofing, which puts a different spin on evading detection.

    Header spoofing is when a URL appears to be downloaded from a certain domain, but in reality it is downloaded from a different and (very likely) malicious one. Unlike other types of spoofing techniques, this action is done without any system or file modification. Instead, header spoofing is performed by modifying the network packet, in particular adding the new domain to the request header once malware has connected to server and right before it sends the data. My colleague Jessa dela Torre mentioned this behavior in her research on the StealRat botnet.

    One interesting malware that performs this is the malware TROJ_RODECAP.SM. Figure 1 shows the GET command to the link http://www.google.com/d/conh11.jpg, as well as the header of the downloaded file.

    GET_command_screenshot

    From the network traffic, it can be seen that the reply came from the domain {BLOCKED}.104.93, which is located in Russia and is not connected to Google at all. Thus, network administrators might skip or regard the traffic as harmless because the purported requested link is a legitimate domain and merely leads to an image file. This spoofing provides a good way to cover up the communication between the malware and the remote server that ultimately avoid rousing any suspicion, without revealing itself to end users.

    As we mentioned earlier, this technique was used by the StealRat botnet which brought its own novel ways of sending spam. These incidents highlight how threat actors are coming up with new tools and techniques to evade detection by security vendors.





    Share this article
    Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   del.icio.us   StumbleUpon




    Comments are closed.



     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice