Malware Developers Trick Web Security Systems by Changing Domain Names and Inserting Non-malicious Hostnames into the HTTP Host Field
Malware authors have found a new method of ensuring their command and control (C&C) servers aren’t blocked by security systems, Cyren researchers warn.
Referred to as “ghost host,” the technique involves placing unknown host names in the HTTP Host field of a botnet’s communication. Because these names can be either registered or unregistered domains that no filter has yet seen, web security and URL filtering systems that key on the hostname let the traffic through, Cyren explains in a recent report.
The security researchers say that one of the malware families using this technique was performing DNS resolution for the domain www.djapp(.)info, which resulted in the domain being blocked after several security firms flagged it as bad. Thus, the HTTP requests to the domain were blocked in networks protected by those vendors.
However, when the researchers resolved the domain to its IP address and then examined the traffic a newly infected bot sent to that address, they found HTTP transactions informing the C&C of the successful infection of a new machine.
What’s more, the destination IP address of those requests was the known bad server, while the HTTP Host fields named completely different domains. These are the domains that Cyren refers to as “ghost hosts.” In that specific case, the fake domains were “events.nzlvin.net” and “json.nzlvin.net.”
Using this technique, the malware author ensures that communication with the C&C server still happens, given that only the originally resolved domain is blocked, while the ghost hostnames aren’t. Furthermore, the botnet owner can manipulate the server to respond differently when “coded” messages (using different ghost host names) are received. One possible response would be to instruct the bot to download a specific type of malware.
The security researchers explain that the IP address associated with the C&C URL isn’t usually blocked, mainly because the server may contain both legitimate and malicious content. Should the entire server IP be blocked, users would no longer be able to access legitimate services.
After discovering the two fake domains, the security firm decided to keep an eye on the bad IP address, and soon discovered a long list of ghost hosts associated with it. Some of the domains were registered (they were created on the same day the malware emerged), but many weren’t.
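The pattern described above (a bot talking to an already-known C&C address under Host names nobody ever resolved to it) is something a defender can hunt for by correlating DNS answers with proxy logs: a request is suspicious when the client sends a Host header that it never resolved to the destination IP, and more so when that IP is already flagged. The following is an added example written for this page, not code from Cyren or from the article. The client IPs, the C&C address 203.0.113.10 and the 198.51.100.20 address are constructed from documentation ranges, the log records are constructed, and the function names are the example's own; only the domain names come from the report.

```python
"""Flag "ghost host" C&C traffic: HTTP requests whose Host header names a
domain the same client never resolved to the destination IP.

Added example for this page, not part of the Cyren report. The log records
and the IP addresses are constructed; the domain names come from the article.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class DnsAnswer:
    client: str      # resolver client that asked
    qname: str       # name queried
    answer_ip: str   # A/AAAA answer returned


@dataclass(frozen=True)
class HttpRequest:
    client: str
    dst_ip: str
    host_header: str
    path: str


def _normalize_host(host: str) -> str:
    """Lower-case, drop an optional ':port' and a trailing dot.
    Bracketed IPv6 literals are kept as '[addr]'."""
    host = host.strip().lower()
    if host.startswith("["):
        return host.split("]")[0] + "]"
    if ":" in host:
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".")


def _is_ip_literal(host: str) -> bool:
    try:
        ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def find_ghost_hosts(dns_log, http_log, known_bad_ips=frozenset()):
    """Return (request, reason) pairs for requests whose Host header was never
    resolved by the same client to the request's destination IP."""
    # (client, answer_ip) -> set of names that client resolved to that IP
    resolved = defaultdict(set)
    for rec in dns_log:
        resolved[(rec.client, rec.answer_ip)].add(_normalize_host(rec.qname))

    findings = []
    for req in http_log:
        host = _normalize_host(req.host_header)
        if _is_ip_literal(host):
            # Host carrying the destination IP itself is consistent, not a ghost host
            if host.strip("[]") != req.dst_ip:
                findings.append((req, "Host IP literal differs from destination IP"))
            continue
        if host in resolved[(req.client, req.dst_ip)]:
            continue  # the client did resolve this name to this IP: normal
        reason = "Host header never resolved to destination IP"
        if req.dst_ip in known_bad_ips:
            reason += " (destination is a known C&C address)"
        findings.append((req, reason))
    return findings


# Constructed sample: one bot resolves the blocked domain, then talks to the
# same server under two Host names it never looked up. 203.0.113.10 and
# 198.51.100.20 are documentation-range addresses, not real infrastructure.
C2_IP = "203.0.113.10"
BENIGN_IP = "198.51.100.20"
SAMPLE_DNS = [
    DnsAnswer("10.0.0.5", "www.djapp.info", C2_IP),
    DnsAnswer("10.0.0.5", "www.example.com", BENIGN_IP),
    DnsAnswer("10.0.0.7", "www.example.com", BENIGN_IP),
]
SAMPLE_HTTP = [
    HttpRequest("10.0.0.5", BENIGN_IP, "www.example.com", "/"),
    HttpRequest("10.0.0.5", C2_IP, "events.nzlvin.net", "/infect"),
    HttpRequest("10.0.0.5", C2_IP, "json.nzlvin.net:80", "/cmd"),
    HttpRequest("10.0.0.7", BENIGN_IP, BENIGN_IP, "/"),
    HttpRequest("10.0.0.7", BENIGN_IP, "WWW.EXAMPLE.COM.", "/index.html"),
]


def sample_findings():
    return find_ghost_hosts(SAMPLE_DNS, SAMPLE_HTTP, known_bad_ips={C2_IP})


if __name__ == "__main__":
    for req, reason in sample_findings():
        print(f"{req.client} -> {req.dst_ip} Host={req.host_header!r} {req.path}: {reason}")
```

On the sample data only the two nzlvin.net requests are flagged; the benign client's IP-literal Host and its upper-cased, dot-terminated Host are treated as normal. The correlation assumes the DNS and HTTP logs cover the same window and that clients use the monitored resolver; cached answers, DNS over HTTPS and shared forward proxies all produce false positives, so in practice the "never resolved" signal is best weighted by whether the destination IP is already on a C&C list, which is exactly the situation the report describes.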
However, the detection rate for the fake domain names is low, so the botnet authors are expected to keep using the “ghost host” technique, as it allows them to avoid detection.
“Ghost hosts are yet another example of how sophisticated criminal evasion techniques have become, and serve as an excellent example of why security vendors are often best positioned to protect organizations from the increasing craftiness of cybercriminals,” Cyren concludes.
More from Ionut Arghire