Google researchers have recently released a rather interesting paper on Trends in Circumventing Web-Malware Detection, and several people have been asking me about it (or rather, the blog that announced it).
Read the full paper, folks! There's a lot more in there than the "cloaking" stuff, though if you're not a specialist, you may find some of the geekier content a bit daunting. I may be back to some of that other content next week, but for now, just to give you a flavour, here are the answers to a couple of those questions.
1) What is IP cloaking?
It’s a technique that tries to distinguish between hits on a malicious URL from detection systems and hits from real victims. By detection systems I mean not only automated defences such as IDS (intrusion detection systems) or automated detection systems as used by AV labs to catch current variants, by AV testers to get super-fresh samples to test with, and other security professionals, but also manual investigation by researchers. It uses its own heuristics to detect, for example, multiple hits from the same or adjacent IP addresses might suggest a company gathering samples. It’s kind of analogous to the way that a sample executing in a virtual environment might assume that it’s being investigated in some lab’s virtual network and behave in a different (innocuous) way rather than deliver a malicious payload.
Actually, cloaking is a bit of a misnomer. This isn't invisible malware: it’s more like an attempt at reverse-blacklisting combined with anti-detection heuristics. And it’s misleading to talk as if social engineering and drive-by downloads are totally unconnected. Some form of social engineering (malicious email, BlackHat Search Engine Optimization – BHSEO – and so on) is more than likely to be used to lure the unsuspecting victim into accessing a malicious site.
2) Is it a true threat – how long has it been around?
Well, it’s not exactly a threat in the sense that a botnet or a keylogger is: it’s a defensive mechanism used by a malicious web site to lessen the risk of its being taken down, or of malware that it carries being identified before it snares any victims. It’s a stealth mechanism, and those have been around since the earliest malware. We’ve been aware of it for several years. It’s almost as old as server-side polymorphism, though, inevitably, it's been increasing in sophistication.
3) What can people do to mitigate future threats?
What we always recommend that they do.
But this stuff isn’t much more of a threat to potential victims than malware that doesn’t do cloaking. It’s aimed at security labs and security software, not the end user. There are counter-responses that we can and do use, introducing randomization into the investigative process: varying the IP ranges we use, varying time intervals to reduce "spikes" and so on.
Other overview articles: http://www.darkreading.com/security/application-security/231500264/google-report-how-web-attackers-evade-malware-detection.html (a good summary), http://www.computing.co.uk/ctg/news/2103101/google-cyber-criminals-ip-cloaking-circumvent-security.
David Harley CITP FBCS CISSP
ESET Senior Research Fellow