The "Bouncer" attack toolkit apparently generates a unique ID for each of its intended targets, with others receiving...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
an error message. What's the point of attackers using what appears to be whitelisting security methods? Isn't the point of creating such malicious sites to get the most clicks possible?
Ask the expert
SearchSecurity expert Nick Lewis is standing by to answer your questions about enterprise security threats. Submit your question via email. (All questions are anonymous.)
One of the top challenges facing cybercriminals is how to monetize the compromised credentials or the access they gain from their attacks. By assigning a unique ID for each of their intended targets, they can better track how many of their targets have been successfully compromised, and thus better focus their efforts on the most profitable credentials they can sell on digital black markets. While getting more clicks will increase the pool of victims for a toolkit to exploit, unique IDs will not necessarily inhibit the number of victims exploited. For example, this unique ID could allow an attacker to track a single user from one computer to another, improving analysis of the data collected by the malware. If the attacker knows two different systems are used by the same person, the second system could be blocked from installing and running the malware, minimizing the chances of it being detected.
As RSA mentions in its blog post detailing Bouncer, one of the benefits of denying access for systems without the unique ID is that it makes it more difficult for analysts to connect to the system and investigate the malware. While monitoring the communications to and from malware, actually interacting with the malicious service helps better correlate cause and effect when investigating the inner workings of malware sample, a process which could now be more difficult if access to systems is denied without a password. This cat-and-mouse game between malware authors and the researchers that write signatures for antimalware vendors has been going on for ages, so it's no surprise when malware employs new capabilities such as whitelisting to make research more difficult.
Dig Deeper on Malware, Viruses, Trojans and Spyware
Related Q&A from Nick Lewis
Latentbot malware has layers of obfuscation that makes it hard to detect. Expert Nick Lewis explains how its process works, beginning with a phishing...continue reading
A hard to detect type of Linux malware, Rekoobe, can download files to user systems. Expert Nick Lewis explains the malware's key functionality and ...continue reading
Pro POS, a new type of POS malware, has simple operations and is easy to obtain. How was it so successful against businesses? Expert Nick Lewis ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.