Network Security

New “Ghost Host” Technique Boosts Botnet Resiliency

Malware Developers Trick Web Security Systems by Changing Domain Names and Inserting Non-malicious Hostnames into HTTP Host Field.

Malware authors have found a new method of ensuring their command and control (C&C) servers aren’t blocked by security systems, Cyren researchers warn.

Referred to as “ghost host,” the technique involves placing unknown host names in the HTTP Host field of a botnet’s communication. These host names, some registered and some not, are not on any blocklist, so web security and URL filtering systems let the traffic through, Cyren explains in a recent report.

The security researchers say that one of the malware families using this technique was performing DNS resolution for the domain www.djapp(.)info, which resulted in the domain being blocked after several security firms flagged it as bad. Thus, the HTTP requests to the domain were blocked in networks protected by those vendors.

However, once the domain had been resolved to its IP address, the researchers analyzed the traffic a newly infected bot sent to that address and found HTTP transactions informing the C&C server of the successful infection of a new machine.

What’s more, the security researchers observed that the destination IP address is the known bad server, while the HTTP host fields used for requests belong to completely different domains. These are the domains that Cyren refers to as “ghost hosts.” In that specific case, the fake domains were “events.nzlvin.net” and “json.nzlvin.net.”

Using this technique, the malware author ensures that communication with the C&C server still happens, given that only the originally resolved domain is blocked, while the ghost hostnames aren’t. Furthermore, the botnet owner can manipulate the server to respond differently when “coded” messages (using different ghost host names) are received. One possible response would be to instruct the bot to download a specific type of malware.

The security researchers explain that the IP address associated with the C&C URL isn’t usually blocked, mainly because the server may contain both legitimate and malicious content. Should the entire server IP be blocked, users would no longer be able to access legitimate services.
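The detection gap described above is a mismatch between three things a network sensor can see: the name a client resolved, the IP it then connected to, and the Host header it sent. The following Python is an added example written for this article, not code from Cyren or from the report, showing how a defender can correlate DNS and HTTP proxy logs to surface ghost hosts without blocking the shared IP. The log format, the client address 10.0.0.5 and the C&C address 203.0.113.10 (a TEST-NET-3 placeholder, since the report does not give the real IP) are constructed; the hostnames are the ones named in the article.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample telemetry (not from the report). Columns:
#   DNS:  timestamp client qname qtype answer
#   HTTP: timestamp client dst_ip host_header method path
# 203.0.113.10 is a TEST-NET-3 placeholder for the C&C server's IP.
DNS_LOG = """\
2017-01-01T10:00:01Z 10.0.0.5 www.djapp.info A 203.0.113.10
2017-01-01T10:00:02Z 10.0.0.5 www.example.com A 198.51.100.20
"""

HTTP_LOG = """\
2017-01-01T10:00:03Z 10.0.0.5 203.0.113.10 events.nzlvin.net POST /register
2017-01-01T10:00:04Z 10.0.0.5 203.0.113.10 json.nzlvin.net GET /tasks
2017-01-01T10:00:05Z 10.0.0.5 198.51.100.20 www.example.com GET /
2017-01-01T10:00:06Z 10.0.0.5 203.0.113.10 www.djapp.info GET /ping
"""

# Domains the URL filter already blocks (the originally flagged C&C name).
BLOCKED_DOMAINS = {"www.djapp.info"}


@dataclass(frozen=True)
class Finding:
    client: str
    dst_ip: str
    host: str
    reasons: Tuple[str, ...]


def parse_dns(log: str) -> Dict[Tuple[str, str], Set[str]]:
    """Map (client, queried name) -> set of answer IPs the client received."""
    resolved: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for line in log.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, _qtype, answer = line.split()
        resolved[(client, qname.lower().rstrip("."))].add(answer)
    return resolved


def parse_http(log: str) -> List[Tuple[str, str, str, str, str]]:
    """Return (client, dst_ip, host_header, method, path) per request."""
    rows = []
    for line in log.splitlines():
        if not line.strip():
            continue
        _ts, client, dst_ip, host, method, path = line.split()
        rows.append((client, dst_ip, host.lower(), method, path))
    return rows


def find_ghost_hosts(dns_log: str, http_log: str,
                     blocked_domains: Set[str]) -> List[Finding]:
    """Flag HTTP requests whose Host header was never resolved by that
    client to the destination IP, and note when the destination IP is one
    that a blocked domain resolved to (the server behind a ghost host)."""
    resolved = parse_dns(dns_log)
    bad_ips = {ip for (_c, name), ips in resolved.items()
               if name in blocked_domains for ip in ips}
    findings: List[Finding] = []
    for client, dst_ip, host, _method, _path in parse_http(http_log):
        reasons = []
        if dst_ip not in resolved.get((client, host), set()):
            reasons.append("host_not_resolved_by_client")
        if dst_ip in bad_ips and host not in blocked_domains:
            reasons.append("dst_ip_serves_blocked_domain")
        if reasons:
            findings.append(Finding(client, dst_ip, host, tuple(reasons)))
    return findings


def hosts_per_ip(http_log: str) -> Dict[str, Set[str]]:
    """Enumerate every Host header seen toward each destination IP; watching
    a known-bad IP this way is how the ghost host list grows over time."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for _client, dst_ip, host, _method, _path in parse_http(http_log):
        seen[dst_ip].add(host)
    return dict(seen)


if __name__ == "__main__":
    for f in find_ghost_hosts(DNS_LOG, HTTP_LOG, BLOCKED_DOMAINS):
        print(f"{f.client} -> {f.dst_ip} Host: {f.host} {', '.join(f.reasons)}")
    for ip, hosts in hosts_per_ip(HTTP_LOG).items():
        print(f"{ip}: {sorted(hosts)}")
```

On the sample data the two nzlvin.net requests are flagged with both reasons, the request that legitimately used www.djapp.info is left to the existing URL filter, and the www.example.com request passes because the client resolved that name to the IP it connected to. Treat the DNS/Host mismatch as an enrichment signal rather than a block rule: resolver caching, shared resolvers, connection reuse and CDN fronting all produce benign mismatches, and the mismatch plus a destination IP already tied to a blocked domain is the combination worth alerting on.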

After discovering the two fake domains, the security firm decided to keep an eye on the bad IP address, and soon discovered a long list of ghost hosts associated with it. Some of the domains were registered (they were created on the same day the malware emerged), but many weren’t.

The detection rate for these fake domain names is low, so the botnet authors are expected to keep using the “ghost host” technique, as it allows them to avoid detection.

“Ghost hosts are yet another example of how sophisticated criminal evasion techniques have become, and serve as an excellent example of why security vendors are often best positioned to protect organizations from the increasing craftiness of cybercriminals,” Cyren concludes.

Related: Mirai Switches to Tor Domains to Improve Resilience

Related: Botnet of 3 Million Twitter Accounts Remains Undetected for Years

Written By

Ionut Arghire is an international correspondent for SecurityWeek.