Malware Kits Use Pseudo-Random Domain Generation to Thwart Security Fixes - Security - News & Reviews - eWeek.com | eWeek

Malware Kits Use Pseudo-Random Domain Generation to Thwart Security Fixes

Verfasst von
Brian Prince
Brian Prince
Jun 28, 2012
2 minute read
eWeek Inhalte und Produktempfehlungen sind redaktionell unabhängig. Wir können Geld verdienen, wenn Sie auf Links zu unseren Partnern klicken. Mehr erfahren

Exploit kits are adopting a tactic more commonly found in botnet malware to make their attack campaigns more resilient€“€œpseudo-random domain generation.€

Among the kits being associated with this activity is Blackhole, which has emerged as one of the most prevalent exploit kits in the wild. In a recent report, anti-malware technology company M86 Security said the Blackhole kit was responsible for 95 percent of all the malicious URLs it detected in the second half of 2011. In February, the kit was used to infect whistle-blower site Cryptome.

According to Symantec, Blackhole has now been observed utilizing pseudo-random domain generation to make attacks more persistent. The technique is commonly used by botnets to thwart efforts to disrupt their command and control (C&C) operations by generating new domain names for the malware to contact in case the C&C server is taken offline.

According to Symantec, Blackhole has now taken a page from botnet operators.

“When an innocent user browses to a Blackhole-infected site, their browser runs the JavaScript code, which typically creates a hidden iframe, which silently exploits vulnerable browser plug-ins and drops any malware and exploits onto a users system,” explained Symantec researcher Nick Johnston. “It typically targets vulnerable Java, Adobe Flash Player, Adobe Reader, Windows Help Center, and other applications. These attacks are often called drive-by downloads.”

“Although this approach has generally been very successful for malware authors, it has had one weakness,” he added. “If the location or URL for the iframe, which actually contains the malicious code, changes or is taken down, all of the compromised sites will have to be updated to point to this new location. This process is difficult and impractical.”

To address this issue, the Blackhole JavaScript on compromised sites is now dynamically generating domains based on the date and other information and creating an iframe to point to the new domain.

“Once the domain has been generated and the iframe has been created, the exploit kit page runs many exploits as normal, going to great lengths to determine, for example, which compromised PDF file to show, depending on the version of Adobe Reader installed,” Johnston blogged.

But Blackhole is not the only kit to be utilizing these techniques. A researcher at Stopmalvertising.com found the pseudo-random domain generator in an .ASP file and AC_RunActiveContent.js on an infected Website. At first, however, the malicious code redirected the researcher to the RedKit exploit kit. Later, it redirected to Blackhole. The domain generator comes up with a new one every 12 hours, Stopmalvertising.com found.

“So far we have seen a small but steady stream of compromised domains using this technique,” blogged Johnston. “This suggests that this is perhaps some kind of trial or test that could be expanded in the future.”

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Eigentum von TechnologyAdvice. © 2026 TechnologyAdvice. Alle Rechte vorbehalten

Werbetreibenden-Offenlegung: Einige der auf dieser Website erscheinenden Produkte stammen von Unternehmen, von denen TechnologyAdvice eine Vergütung erhält. Diese Vergütung kann beeinflussen, wie und wo Produkte auf dieser Website erscheinen, einschließlich beispielsweise der Reihenfolge, in der sie erscheinen. TechnologyAdvice schließt nicht alle Unternehmen oder alle auf dem Marktplatz verfügbaren Produkttypen ein.