Monday, March 22, 2010

Obfuscated URLs no match for eSoft SiteFilter

Researchers at Kaspersky Lab have discovered a new banking malware campaign that uses an old trick to obfuscate malicious URLs. Rather than using a domain name or a conventional IP address in the malicious link, the attackers convert the address to another numerical base, such as octal or hexadecimal. These formats are supported by major browsers and are used to trick users into following the link and infecting their machines.

The post goes on to speculate that URL filters would have difficulty detecting and blocking the obfuscated URLs, leaving users vulnerable to these attacks. While many web filtering vendors may be susceptible to this attack, eSoft customers are protected. eSoft SiteFilter provides full support for these obfuscated URLs, filtering sites in ALL categories.

Using playboy.com as an example, the same URL can be expressed in many different ways, including the few examples below.

http://216.163.137.68
http://3634596164
http://0xd8.0xa3.0x89.0x44
http://0xd8.0xa3.0x89.68
http://0330.0243.0211.0104
http://000000330.0xa3.137.0104
http://0xD8A38944
http://033050704504

As shown on the Test a Site portal, eSoft correctly interprets these encoded addresses and detects each of these URLs as Pornography/Sex, the same as the domain playboy.com.
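One way a filter can interpret these encodings is to reduce every numeric host to dotted-decimal form before the category lookup. The sketch below is an added example, not eSoft's implementation; the function names `parse_part`, `canonical_ipv4` and `filter_key` are hypothetical, and the sample hosts are the ones listed above.

```python
from urllib.parse import urlsplit

# The eight encodings of the same address listed in this article.
SAMPLES = [
    "http://216.163.137.68", "http://3634596164",
    "http://0xd8.0xa3.0x89.0x44", "http://0xd8.0xa3.0x89.68",
    "http://0330.0243.0211.0104", "http://000000330.0xa3.137.0104",
    "http://0xD8A38944", "http://033050704504",
]

def parse_part(text):
    """Parse one host component as decimal, octal (0...) or hex (0x...)."""
    t = text.lower()
    if t.startswith("0x"):
        digits, base = t[2:], 16
    elif len(t) > 1 and t.startswith("0"):
        digits, base = t[1:], 8
    else:
        digits, base = t, 10
    # Check digits explicitly: int() alone also accepts "+1", " 1" and "1_0".
    allowed = "0123456789abcdef"[:base]
    if not digits or any(c not in allowed for c in digits):
        return None
    return int(digits, base)

def canonical_ipv4(host):
    """Return the dotted-decimal form of a numeric IPv4 host, else None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    nums = [parse_part(p) for p in parts]
    if any(n is None for n in nums):
        return None
    *head, last = nums
    # Leading parts are one byte each; the last part fills the bytes left over.
    if any(n > 255 for n in head) or last >= 256 ** (4 - len(head)):
        return None
    value = last
    for i, n in enumerate(head):
        value += n << (8 * (3 - i))
    return ".".join(str((value >> s) & 255) for s in (24, 16, 8, 0))

def filter_key(url):
    """Host string the category lookup should use for this URL."""
    host = urlsplit(url).hostname or ""
    return canonical_ipv4(host) or host

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{url:35} -> {filter_key(url)}")
```

Hosts that are not valid numeric addresses, such as a component with the digit 8 after a leading zero, fall through unchanged and are looked up as ordinary hostnames.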

As the example found by Kaspersky shows, vendors that do not accurately filter these URLs leave users vulnerable to dangerous banking Trojans and end-user evasions. Malicious campaigns using this technique have been seen in the past and, due to their effectiveness, will be used in the future.

eSoft’s web filtering technology and focus on security provides users with unsurpassed protection against the latest web threats, including these obfuscation techniques.