Feeds

Attackers hone Twitterific exploit-site concealer

Conquer hacktile dysfunction

Top 5 reasons to deploy VMware with Tegile

Malware writers have revamped code that uses a popular Twitter command to generate hard-to-predict domain names, a technique that brings stealth to their drive-by exploits.

Four weeks ago, when The Register reported Twitter application programming interfaces were being used to generate pseudorandom domain names, none of the addresses checked had actually been registered. Denis Sinegubko, the Russian researcher who discovered the technique, speculates the creators abandoned it because it was buggy and required too much effort.

Now, Sinegubko has identified a new version of the algorithm that refines the process. What's more, at least some of the names are now being registered and the sites are being used to push malware.

"The new incarnation of this attack uses new algorithm and it is active right now," he told El Reg on Wednesday.

The technique gives the exploit writers a limitless list of of fly-by-night domain names to cycle through in an attempt to complicate the job of white hat hackers trying to thwart the attack. Rather than there being a single address to block or disconnect, the site hosting the malware changes every 12 hours.

The domain names are generated by an algorithm that looks at the top topics being discussed on Twitter at particular times. Because the trending topics, as they're known, can't be predicted in advance, the method prevents white hats from being able to snap up the addresses weeks or months in advance, as researchers combating the Conficker worm have done.

The technique was discovered by analyzing thousands of legitimate websites that had been compromised so they redirected visitors to malicious servers. Sinegubko identified the algorithm by reverse engineering highly obfuscated javascript that was injected into the compromised websites. As the addresses of the sites hosting the malware change, so too do the iframes on the compromised sites.

Sinegubko has created a tool to predict what the next domain will be. There's about a 24-hour lag between the time his script generates the domain name and the time it will be used (assuming the prediction is correct) to host the malware. That gives admins plenty of leeway to block the sites before they become active. It also presents fleet-footed white hats with the opportunity to register domain names ahead of the bad guys.

"I've been testing this tool for about three days now," he said. "So far it is correct."

You can watch the pseudorandom generator in action here (although you'll need to allow javascript to run). Sinegubko's writeup of the new generator is here. ®

Remote control for virtualized desktops

More from The Register

next story
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
Mozilla, EFF, Cisco back free-as-in-FREE-BEER SSL cert authority
Let’s Encrypt to give HTTPS-everywhere a boost in 2015
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
Meet OneRNG: a fully-open entropy generator for a paranoid age
Kiwis to seek random investors for crowd-funded randomiser
Got an iPhone or iPad? LOOK OUT for MASQUE-D INTRUDERS
UNjailbroken iOS 7, 8 open to evil, says secbiz FireEye
USB coding anarchy: Consider all sticks licked
Thumb drive design ruled by almighty buck
Attack reveals 81 percent of Tor users but admins call for calm
Cisco Netflow a handy tool for cheapskate attackers
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Simplify SSL certificate management across the enterprise
Simple steps to take control of SSL across the enterprise, and recommendations for a management platform for full visibility and single-point of control for these Certificates.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.