Blue Coat Labs

Malware is Like a Box of Chocolates

Chris Larsen

There was a nice post yesterday from our friends at Symantec, detailing a new feature in the Blackhole exploit kit. Basically, it can now generate pseudo-random domain names to use in the iFrames that are injected into hacked sites to drive traffic to the exkit server. (It's such a hassle for the Bad Guys to inject a bunch of sites with iFrames pointing to a static domain, only to have the pesky Good Guys quickly block it, and then have to go back and inject new iFrames...)

One of the more interesting bits of data in the Symantec article is a static path name used with all of the random names generated by that version of the domain-name algorithm: "runforestrun".

Not to nitpick or anything, but the Bad Guys misspelled Forrest's name there...

image of Forrest Gump running

Anyway, I went through the WebPulse logs to see what we saw, when we saw it, and what we did about it.

The "runforestrun" attack variant began showing up clear back on Sunday, June 10th, and quickly hit its stride (pun intended), reaching 1400+ requests on the 14th. Its traffic peaked at over 4000 requests on the 18th, and is still going strong: nearly 5000 requests in the last two days.

The good news, at least for BCWF customers using WebPulse, is that nearly all of the traffic (25,000+ URLs) was blocked, in real-time, by a trio of WebPulse modules:

  • The "Where's Weirdo" junk domain name detector rated almost 72% as either Botnet or Suspicious.
  • The "Shady Relay" detector rated almost 21% as either Malware or Hacking.
  • One of the "Lie Detector" modules rated over 7% as Suspicious.

(The grand total of blocking ratings returned was a hair over 99.735%. Which is pretty good coverage of a brand new attack tactic.)
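To make the layering idea concrete, here is a small added example (it is not from the original post and is not WebPulse code) that combines two independent checks on proxy log lines: the static "runforestrun" path, and a crude lexical test for junk-looking hostnames. The log format, the hostnames, the thresholds and the assumption that the static name is the first path segment are all constructed for illustration.

```python
import math
from collections import Counter, defaultdict
from urllib.parse import urlsplit

STATIC_PATH = "runforestrun"  # static path name quoted from the Symantec article

# Constructed proxy-log sample ("MM-DD url"); every hostname here is made up.
SAMPLE_LOG = """\
06-14 http://xkqpzvhtwmbdrfly.example/runforestrun
06-14 http://news.example/sports/run-forrest-run-5k.html
06-18 http://qzjwvbnmklpdtrsx.example/runforestrun
06-18 http://gardenclub.example/runforestrun
06-18 http://www.example/index.html
"""

def entropy(s):
    """Shannon entropy of the characters in s, in bits per character."""
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def looks_generated(host):
    """Assumed lexical heuristic: long label, few vowels, high entropy."""
    label = max(host.lower().split(".")[:-1] or [host], key=len)
    if len(label) < 12:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return vowel_ratio < 0.25 and entropy(label) > 3.5

def classify(url):
    """Combine both layers: static-path match and junk-looking hostname."""
    parts = urlsplit(url)
    path_hit = parts.path.strip("/").split("/")[0] == STATIC_PATH
    junk = looks_generated(parts.hostname or "")
    if path_hit and junk:
        return "block"
    return "suspicious" if path_hit or junk else "none"

def summarize(log_text):
    """Return per-day verdict counts and the set of hosts worth reviewing."""
    per_day, hosts = defaultdict(Counter), set()
    for line in log_text.splitlines():
        day, url = line.split(maxsplit=1)
        verdict = classify(url)
        per_day[day][verdict] += 1
        if verdict != "none":
            hosts.add(urlsplit(url).hostname)
    return per_day, hosts

if __name__ == "__main__":
    days, flagged = summarize(SAMPLE_LOG)
    for day in sorted(days):
        print(day, dict(days[day]))
    print("review:", sorted(flagged))
```

Note that the ordinary-looking host carrying the static path is still flagged by the path layer alone, which is the case a name-based detector by itself would miss.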

Still, the WebPulse team is never satisfied with anything less than 100%, right? So I dug into the logs to see what happened on the 68 out of 25,674 requests where we had returned a rating of None (Unrated).

As it turned out, back on 6/13, one of the generated attack domains had apparently not been registered by the Bad Guys, because it failed to resolve in DNS (not just in WebPulse, but anywhere, as far as I can tell). So I think we hit the 100% mark on the attack -- hot dang!


In looking at our system's overall performance, I was particularly impressed (again) by the "Where's Weirdo" module (which we highlighted back during the Mac "Flashback" attack). The value of a multi-layer approach to malware detection is also clear: If malware is like a box of chocolates, and you never know what you're going to get, then your malware defense should also contain a variety of flavors.

image of Forrest Gump and a box of chocolates