Fingerprinting - a new technique to avoid anti-malware

Cyber-criminals are now using fingerprinting techniques in their malvertising campaigns, researchers from security firms Malwarebytes and GeoEdge have reported today.

Fingerprinting is an evasion technique in which crooks, through snippets of code, check if the targeted machine is a honeypot set up by malware researchers or an actual machine belonging to a potential victim.

"For many years, threat actors have leveraged the ad industry to deliver malicious payloads in very efficient ways. However, most malvertising attacks usually tend to be discovered early on and thwarted, therefore increasing the amount of work required to set up new ones constantly," said Jérôme Segura, senior security researcher at Malwarebytes.

Until now, this technique had only been seen at the exploit kit level, mostly with Angler, but it has now moved “up the chain”, as the researchers put it, into the malvertising phase, delivered through online ads.

“This flaw allows attackers to enumerate the local file system and look for the presence of certain clues that might identify a machine belonging to a security researcher or acting as a honeypot,” researchers Jérôme Segura from Malwarebytes and Eugene Aseev from GeoEdge write in their report, entitled Operation Fingerprint.

Now, bogus advertisers are analysing potential victims.

The report describes four types of campaign: the ‘Fake company’ campaign (attackers use stolen websites, slightly rebranded to appear legitimate); the Custom SSL campaign (which leverages Cloudflare’s infrastructure to hide the malicious server’s IP address); the Custom URL shortener campaign (which hides the fingerprinting payload within a GIF image served over HTTPS); and the DoubleClick Open Referrer campaign (the code is still hidden within a GIF, but is now encoded with a special key that is provided only once per IP address).

"Borrowing techniques from exploit kit makers, rogue advertisers are prescreening potential victims via an Internet Explorer information disclosure vulnerability that lets them check for the presence of certain files on disk that belong to security software, network traffic tools, and Virtual Machines. This is done simply by inserting a hidden piece of code in the last place one would expect, within an innocuous GIF pixel tracker typically used by the ad industry," Segura added.
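A well-formed GIF ends at its trailer byte (0x3B), so code smuggled into a pixel tracker has to sit somewhere the image parser ignores; the script below, an added illustration rather than code from the report or from Malwarebytes/GeoEdge, walks the GIF block structure of a served tracker and flags any bytes after the trailer, using a constructed 1x1 GIF and a constructed appended payload as samples and a simple `<script` substring as the heuristic marker.

```python
import re

# Constructed sample: a minimal 1x1 GIF89a pixel tracker (header, logical screen
# descriptor with a 2-entry global colour table, graphic control extension,
# image descriptor, LZW image data, trailer 0x3B).
CLEAN_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
             b"\x21\xf9\x04\x01\x00\x00\x00\x00"
             b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b")
# Constructed sample: the same image with a script payload appended after the trailer.
TAINTED_GIF = CLEAN_GIF + b"<script>/* fingerprinting code would sit here */</script>"
SCRIPT_MARKER = re.compile(rb"<script", re.IGNORECASE)  # assumed heuristic, not from the report

def _skip_sub_blocks(data: bytes, pos: int) -> int:
    """Advance past a chain of length-prefixed sub-blocks ending in a 0x00 byte."""
    while True:
        size = data[pos]
        pos += 1
        if size == 0:
            return pos
        pos += size

def gif_trailer_offset(data: bytes) -> int:
    """Walk the GIF block structure and return the offset just past the trailer."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    packed, pos = data[10], 13          # logical screen descriptor flags, end of LSD
    if packed & 0x80:                   # global colour table present
        pos += 3 * (2 << (packed & 0x07))
    while True:
        block = data[pos]
        pos += 1
        if block == 0x3B:               # trailer: the image legitimately ends here
            return pos
        if block == 0x21:               # extension: label byte, then sub-blocks
            pos = _skip_sub_blocks(data, pos + 1)
        elif block == 0x2C:             # image descriptor: 9 bytes, optional local table
            lflags = data[pos + 8]
            pos += 9
            if lflags & 0x80:
                pos += 3 * (2 << (lflags & 0x07))
            pos = _skip_sub_blocks(data, pos + 1)  # +1 skips the LZW minimum code size
        else:
            raise ValueError(f"unexpected block 0x{block:02x} at offset {pos - 1}")

def scan_pixel_tracker(data: bytes) -> dict:
    """Report how many bytes trail the GIF trailer and whether they look like script."""
    tail = data[gif_trailer_offset(data):]
    return {"trailing_bytes": len(tail), "script_like": bool(SCRIPT_MARKER.search(tail))}
```

Any non-zero `trailing_bytes` on a tracker pixel is worth inspecting even when the marker does not match, since the report notes that later campaigns encoded the hidden code with a per-IP key.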

The campaigns appear to target Internet Explorer 10 users, the researchers said.

Segura also offered advice on how to stay safe from such threats:

"To defend against malvertising, users should keep their computers up to date and uninstall any piece of software they no longer or rarely use in order to reduce the surface of attack. For example, browser plugins such as Flash or Silverlight have been heavily exploited in recent months and users are advised to consider disabling or removing them altogether.

Since the best security posture is one that has layers, it is also good practice to run additional tools that fend off attacks at different levels. When it comes to drive-by download attacks such as malvertising, exploit mitigation software is particularly effective, as well as other programs that restrict JavaScript or ad banners with the ability for the user to opt in."