The Neutrino exploit kit has a new feature for stopping security researchers from studying its attacks. The feature was discovered after Trustwave’s SpiderLabs division found that the computers they were using for research could not connect to the servers delivering Neutrino.
According to the senior security researcher Daniel Chechik, “The environment seems completely fine except for when accessing Neutrino.”
Exploit kits are among the most effective tools hackers use to infect computers with malware. They find vulnerable websites and plant code that transparently connects to another server, which then tries to exploit software vulnerabilities on the visitor’s machine.
Once the server finds a weak spot, the malware is installed and the PC user is none the wiser. In some cases, exploit kits are delivered through malicious online advertising, known as malvertising.
Malware creators have been using various methods to stop security engineers from studying their methods. For instance, some malware programs are designed to quit if they’re running in a virtual machine.
Trustwave tried changing IP addresses and web browsers to avoid whatever was causing the Neutrino server not to respond, but it didn’t work. By fiddling with some of the traffic that Trustwave’s computers were sending to the Neutrino server, however, they figured out what was going on.
The developers of Neutrino have added so-called “passive OS fingerprinting”, which collects and analyzes data packets without the sender knowing that its computer is being profiled. In this case, the computer sending the packets is a security researcher’s system probing the hackers’ server.
Passive OS fingerprinting captures “traffic coming from a connecting host going to the local network.”
“The fingerprinting can then be conducted without the remote host being aware that its packets are being captured.”
A security researcher who works for Google wrote a tool specifically created for passive OS fingerprinting. The technique offers hackers the advantage of stealth: active OS fingerprinting, which involves sending traffic directly to another network, can trigger alerts from firewalls and intrusion detection equipment.
According to Daniel Chechik, Neutrino is using passive OS fingerprinting in order to shut down connections coming from Linux machines, which are likely to be used by security researchers.
“This approach generally reduces their exposure to anything from automated scans to unwanted security researchers.”
“It is very likely that this behavior would simply be written off as a dead server and Neutrino would achieve its goal of being left alone by anyone who isn’t a potential victim,” Chechik stated.
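To show what a passive fingerprinter keys on (and why a researcher’s Linux box stands out to a server that never sends a probe), here is a simplified classifier in the spirit of tools like p0f. It is an added example, not Neutrino’s code or Trustwave’s: the heuristic table is deliberately coarse, and the SYN packets it parses are constructed inline rather than captured.

```python
import struct

# Constructed, simplified OS heuristics over a TCP SYN: initial TTL, DF bit,
# advertised window, MSS and window-scale option. Real tools use far larger tables.

def parse_syn(pkt: bytes) -> dict:
    """Pull the fingerprint-relevant fields out of a raw IPv4 + TCP SYN."""
    ihl = (pkt[0] & 0x0F) * 4
    ttl, df = pkt[8], bool(pkt[6] & 0x40)        # IP TTL, Don't-Fragment flag
    tcp = pkt[ihl:]
    data_off = (tcp[12] >> 4) * 4
    window = struct.unpack("!H", tcp[14:16])[0]
    mss = wscale = None
    i = 20                                        # TCP options start after fixed header
    while i < data_off:
        kind = tcp[i]
        if kind == 0:                             # end of option list
            break
        if kind == 1:                             # NOP padding
            i += 1
            continue
        length = tcp[i + 1]
        if kind == 2:
            mss = struct.unpack("!H", tcp[i + 2:i + 4])[0]
        elif kind == 3:
            wscale = tcp[i + 2]
        i += length
    return {"ttl": ttl, "df": df, "window": window, "mss": mss, "wscale": wscale}

def initial_ttl(ttl: int) -> int:
    """Round the observed TTL up to the nearest common OS default (64/128/255)."""
    return next((base for base in (64, 128, 255) if ttl <= base), 255)

def guess_os(f: dict) -> str:
    ittl = initial_ttl(f["ttl"])
    if ittl == 64 and f["df"] and f["mss"] and f["window"] % f["mss"] == 0:
        return "Linux"            # Linux advertises a window that is a multiple of MSS
    if ittl == 128 and f["window"] in (8192, 65535):
        return "Windows"
    if ittl == 64 and f["window"] == 65535 and f["wscale"] in (5, 6):
        return "macOS/BSD"
    return "unknown"

def build_syn(ttl: int, df: bool, window: int, mss: int, wscale=None) -> bytes:
    """Constructed IPv4 + TCP SYN (no checksums) carrying only the fields above."""
    opts = struct.pack("!BBH", 2, 4, mss)
    if wscale is not None:
        opts += struct.pack("!BBB", 3, 3, wscale) + b"\x01"   # NOP pads to 4-byte boundary
    tcp_len = 20 + len(opts)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0, 0x4000 if df else 0,
                     ttl, 6, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, (tcp_len // 4) << 4, 0x02, window, 0, 0)
    return ip + tcp + opts
```

Feeding the classifier a capture of your own probe traffic is the quickest way to see what a server of this kind would conclude about your machine before it decides whether to answer.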