Malware that evades URL-blocking systems, and getting into BSD for the first time.

Plus a fresh round up, your questions & much, much more!

Show Notes:

Malware authors have found a way to evade URL-blocking systems by swapping bad domain names with unknown ones

  • Malware is often hosted on pop-up domains (bought specifically for the purpose, and with very odd names). Other times, it is resident on compromised hosts (PYS!). As such hosting locations/domains are discovered, they are added to blacklists.
  • The criminals have found yet another way to avoid the blacklists: spoofing.
  • Spoofing is not new: think of it as pretending to be someone else.
  • What seems to be new is deception in the TCP packets, or more specifically, the TCP headers.
  • For some time now URL filtering techniques have provided a fairly reliable way for organizations to block traffic into their network from domains that are known to be malicious. But as with almost every defense mechanism, threat actors appear to have found a way around that as well.
  • Security researchers from Cyren are warning about a new tactic for fooling Web security and URL-filtering systems. The technique, which Cyren has dubbed “Ghost Host,” is designed to evade host and domain blacklists by swapping bad domain names and inserting random, non-malicious host names in the HTTP host field instead.
  • The objective is to evade host and domain blacklists by resetting the host name with a benign one, even when the actual connection is to a malicious command and control IP, according to a Cyren blog post today.
  • “Ghost hosts are unknown or known-benign host names used by malware for evading host and URL blacklists,” says Geffen Tzur, a security researcher at Cyren.
  • Tzur says there have been no previously reported incidents he knows of where malware actors have attempted to fool detection systems by inserting benign names in the HTTP host field.
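Since the Host header is attacker-controlled but the destination IP is not, a proxy or NSM can catch ghost hosts by checking that the named host has actually resolved to the IP the connection went to. The script below is an added illustration of that check, not code from Cyren or the show; the log format, the passive-DNS table and the blocklist are all constructed sample data using documentation-range addresses.

```python
"""Flag 'ghost host' HTTP requests: a Host header naming a benign or unknown
domain while the TCP connection goes to an IP that name never resolved to.
Every value below is constructed sample data, not a real indicator."""
from typing import Dict, List, Optional, Set, Tuple

# Constructed passive-DNS view: host name -> IPs it has legitimately resolved to.
PASSIVE_DNS: Dict[str, Set[str]] = {
    "www.example.com": {"93.184.216.34"},
    "cdn.example.net": {"198.51.100.10", "198.51.100.11"},
}

# Constructed IP blocklist (known C2 address in this scenario).
IP_BLOCKLIST: Set[str] = {"203.0.113.7"}


def parse_line(line: str) -> Dict[str, str]:
    """Parse a constructed 'key=value key=value' proxy log line."""
    return dict(field.split("=", 1) for field in line.split())


def classify(rec: Dict[str, str]) -> Optional[str]:
    """Return a reason string if the record looks suspicious, else None."""
    host = rec["host"].lower().rstrip(".")
    dst = rec["dst"]
    if dst in IP_BLOCKLIST:
        # Destination-based blocking still works whatever the Host says.
        return "destination IP on blocklist regardless of Host header"
    known = PASSIVE_DNS.get(host)
    if known is None:
        return "Host header names a domain with no resolution history"
    if dst not in known:
        return "Host header does not resolve to destination IP (ghost host)"
    return None


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Run classify() over log lines; return (reason, line) pairs."""
    out = []
    for line in lines:
        reason = classify(parse_line(line))
        if reason:
            out.append((reason, line))
    return out


SAMPLE_LOG = [  # constructed
    "dst=93.184.216.34 host=www.example.com",             # legitimate
    "dst=203.0.113.9 host=www.example.com",               # benign name, wrong IP
    "dst=203.0.113.7 host=cdn.example.net",               # blocklisted destination
    "dst=203.0.113.20 host=updates.totally-benign.example",  # unknown name
]

if __name__ == "__main__":
    for reason, line in scan(SAMPLE_LOG):
        print(reason, "->", line)
```

CDN fronting and shared virtual hosting produce legitimate Host/IP mismatches, so treat a mismatch as a triage signal to be baselined against your own passive-DNS history rather than an automatic block.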


Round Up:
