The "Bouncer" attack toolkit apparently generates a unique ID for each of its intended targets, with others receiving...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
an error message. What's the point of attackers using what appears to be whitelisting security methods? Isn't the point of creating such malicious sites to get the most clicks possible?
Ask the expert
SearchSecurity expert Nick Lewis is standing by to answer your questions about enterprise security threats. Submit your question via email. (All questions are anonymous.)
One of the top challenges facing cybercriminals is how to monetize the compromised credentials or the access they gain from their attacks. By assigning a unique ID for each of their intended targets, they can better track how many of their targets have been successfully compromised, and thus better focus their efforts on the most profitable credentials they can sell on digital black markets. While getting more clicks will increase the pool of victims for a toolkit to exploit, unique IDs will not necessarily inhibit the number of victims exploited. For example, this unique ID could allow an attacker to track a single user from one computer to another, improving analysis of the data collected by the malware. If the attacker knows two different systems are used by the same person, the second system could be blocked from installing and running the malware, minimizing the chances of it being detected.
As RSA mentions in its blog post detailing Bouncer, one of the benefits of denying access for systems without the unique ID is that it makes it more difficult for analysts to connect to the system and investigate the malware. While monitoring the communications to and from malware, actually interacting with the malicious service helps better correlate cause and effect when investigating the inner workings of malware sample, a process which could now be more difficult if access to systems is denied without a password. This cat-and-mouse game between malware authors and the researchers that write signatures for antimalware vendors has been going on for ages, so it's no surprise when malware employs new capabilities such as whitelisting to make research more difficult.
Dig Deeper on Malware, virus, Trojan and spyware protection and removal
Related Q&A from Nick Lewis
Can Structured Threat Information eXpression improve threat intelligence sharing? Nick Lewis breaks down the evolution of the STIX security framework.continue reading
A new type of WordPress malware, WP-Base-SEO, disguises itself as an SEO plug-in that opens backdoors. Nick Lewis explains how it works and how to ...continue reading
A new exploit of CLDAP servers can be used for a DDoS reflection attack that gives attackers a 70x boost. Nick Lewis explains how to defend against ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.