Google: Cyber criminals use IP cloaking to circumvent security

By Stuart Sumner
19 Aug 2011 View Comments
Concept image representing virus malware

Malware authors are increasingly using a technique known as IP cloaking to trick security programmes into allowing users to be infected by their malicious software.

This is one of the findings of a new report, Trends in Circumventing Web-Malware Detection, from search engine giant Google.

Further reading

Google defines IP cloaking as being able to "...serve benign content to detection systems, but serve malicious content to normal web page visitors".

Like many security companies, Google monitors compromised web sites. In 2008 it discovered that those sites had stopped returning malicious results to its monitoring systems, but still served malware to other site visitors. 

The malware authors had learned the IP addresses hosting the monitoring software, and so excluded them from their malware dissemination practice, thereby making their sites appear clean.

The report's authors explained:

"In our operational practice, we continuously monitor compromised web sites and the malicious resources they include.

"In 2008, we discovered that some malware domains no longer returned malicious payloads to our system but still did so to users.

"As a result, we developed detection for cloaking. At the time of writing, IP cloaking contributes significantly to the overall number of malicious web sites found by our system."

The research also found that cyber criminals generally spend little time on any individual exploit, quickly switching focus to new vulnerabilities in order to stay ahead of detection by law enforcement and security specialists.

"Our analysis of which vulnerabilities are actively being exploited over time shows that adversaries quickly switch to new and more reliable exploits to help avoid detection," wrote Lucas Ballard and Niels Provos, of Google's Security Team in a blog.

The report was written by Google security experts Moheeb Abu Rajab, Lucas Ballard, Nav Jagpal, Panayiotis Mavrommatis, Daisuke Nojiri, Niels Provos and Ludwig Schmidt.

Reader comments
blog comments powered by Disqus
Newsletters
Windows 10 - will you upgrade?

Microsoft has made an early version of Windows 10 - its next operating system - available for download. The OS promises better integration and harmonisation across platforms, including mobile and desktop. Will your business be upgrading?

0 %
100 %
0 %
0 %