Evasive Attacks Cover Their Tracks to Avoid Detection

Recent findings by Finjan reveal that hackers have created a new class of highly evasive attacks. These attacks represent a quantum leap in technological sophistication, going far beyond drive-by downloads and code obfuscation. In order to minimize the malicious code’s window of exposure, evasive attacks keep track of the actual IP addresses of visitors to a particular website or web page.

Using this information, the attackers restrict exposure to the malicious code to a single view from each unique IP address. This means that the second time a given IP address tries to access the malicious page, a benign page will be automatically displayed in its place. All traces of the initial malicious page completely disappear. The report provides examples of evasive attacks, along with the actual code used by the hacker to run them.
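The one-view-per-IP behaviour described above is what a scanner has to look for from the defender's side. The following is an added illustration, not code from the Finjan report: it compares the hashes of repeated fetches of one URL from two scanner vantage points ("A" and "B" are constructed labels standing for distinct source IPs, and the response bodies are placeholder strings), flags any vantage whose first response differs from all later ones, and checks that fresh vantages all received the same first view, which points to visitor-keyed state rather than a page that simply changes over time.

```python
import hashlib
from collections import defaultdict

# Constructed sample data (placeholders, not real page content). Each tuple is
# (vantage label, response body) in the order the fetches were made.
FIRST_VIEW = b"<html><body>variant served on first visit</body></html>"
LATER_VIEW = b"<html><body>benign page served afterwards</body></html>"

SAMPLE_FETCHES = [
    ("A", FIRST_VIEW),
    ("A", LATER_VIEW),
    ("A", LATER_VIEW),
    ("B", FIRST_VIEW),
    ("B", LATER_VIEW),
]


def digest(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()


def analyze_fetches(fetches):
    """Report per-vantage one-shot behaviour and cross-vantage agreement."""
    by_vantage = defaultdict(list)
    for vantage, body in fetches:
        by_vantage[vantage].append(digest(body))

    one_shot = []
    for vantage, hashes in by_vantage.items():
        # One-shot exposure: the first response differs from every later one
        # seen from the same source address.
        if len(hashes) > 1 and all(h != hashes[0] for h in hashes[1:]):
            one_shot.append(vantage)

    first_hashes = {hashes[0] for hashes in by_vantage.values()}
    return {
        "one_shot_vantages": sorted(one_shot),
        # Identical first views from separate vantages mean the switch is keyed
        # on the visitor, not on time or random content rotation.
        "first_views_agree": len(first_hashes) == 1,
        "vantages": len(by_vantage),
    }


def likely_evasive(fetches) -> bool:
    r = analyze_fetches(fetches)
    return bool(r["one_shot_vantages"]) and r["first_views_agree"] and r["vantages"] >= 2


if __name__ == "__main__":
    print(analyze_fetches(SAMPLE_FETCHES))
    print("likely evasive:", likely_evasive(SAMPLE_FETCHES))
```

A scanner that re-fetches only from an address the site has already seen will get the benign variant every time, so the first response from each fresh address must be recorded before any rescan is attempted.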

“Evasive attack techniques where malicious code is controlled per IP address, country of origin or number of visits provide hackers with the ability to minimize the malicious code’s exposure, thereby reducing the likelihood of detection.

“Moreover, evasive attacks can identify the IP addresses of crawlers used by URL filtering, reputation services and search engines, replying to these engines with legitimate content and increasing the chances of mistakenly being classified by them as a legitimate category,” said Yuval Ben-Itzhak, CTO, Finjan. “The combination of these evasive attacks with code obfuscation techniques significantly enhances the capability of sophisticated hackers to go undetected.”