Q&A - From The Labs

Malware Trivia: Episode 6

I want to know how malware authors could benefit from creating malware such as Stuxnet, which targets industrial processes?


Malware is not used exclusively to make a quick buck at the expense of the unwary; it is also actively used to prevent others from making money. Stuxnet is just one of many cases in which malware is used to impair processes (an approach that is also common in DDoS attacks). Judging by the way it was conceived, the Stuxnet worm was simply designed to take a nuclear program out of business. What its creators had in mind is uncertain, but I’m sure that they had their reasons and their share of financial gain.

What is Search Engine Cache Poisoning? How does it affect a day to day user? – Question asked by Jeet

I think you’d like to know about Search Engine Poisoning and DNS Cache Poisoning. Both are complex techniques used by cyber-thugs to mislead users and take them to the wrong web page, although the two approaches are radically different.

  • Search engine poisoning is a technique that involves increasing the relevancy of a page through black-hat SEO in order to be listed among the first results in the Search Engine Results Pages (SERPs). Usually, the web page is planted on a hacked website and heavily optimized to rank best for search queries associated with international events (such as sports competitions, social events, disasters or holidays). In order for a page to rank first, these crooks employ a range of tactics, such as setting up doorway / cloaked pages and linking to the page from a number of other websites they have hacked into or from free blogs that are part of link farms. Once the user lands on this page by clicking a poisoned search result, they will likely be asked to download a piece of malware or will have an exploit run against their browser.
  • DNS cache poisoning is a little more complex and relies on compromising the cached DNS records for an organization’s network. In order to better understand how DNS cache poisoning works, I’ll briefly explain the fundamentals of DNS resolution first. DNS servers are responsible for resolving human-readable domain names such as hotforsecurity.com to a computer-friendly identifier known as the IP address (for instance, the DNS translates hotforsecurity.com into the numeric address of the server that hosts it). Some organizations, including the ISP you are subscribed with for Internet access, have their own DNS servers, which usually improve name resolution times by caching the IP addresses associated with the most common destinations used by the organization’s members. For instance, an ISP’s DNS servers will make sure to have all the addresses associated with social networks, e-mail services and other resources used by its subscribers already resolved and cached. When a user types into the browser a URL that has not already been cached, the local DNS server tries to resolve the query through an authoritative name-server. If an attacker can spoof the response as coming from an authoritative NS, the local name-server will cache the record for that resource with a different IP (the one the attacker controls). All subsequent queries coming from the clients connected to this network will resolve to the cached copy, which means that a DNS cache poisoning attack could have devastating effects for all the users of the network, including mass phishing, mass malware distribution, redirection to advertisements and so on. Since DNS cache poisoning affects all users regardless of browser and operating system, the impact is beyond imagination.
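The checks that stand between a forged answer and a resolver’s cache, written up as an added example (this is not code from the article): a toy cache that accepts a response only when its transaction ID and destination port echo the outstanding query, and that keeps only the records falling inside the zone the queried server is responsible for (the “bailiwick” rule). The message fields, zone and IP addresses are constructed; real DNS uses a binary wire format, which is left out here so that the validation logic stays visible.

```python
"""Toy model of the validation a caching resolver applies to a DNS answer.

Added example, not part of the original article. Messages are plain dataclasses
(a constructed simplification of DNS wire format); the checks modelled are the
real ones: TXID and port must match the outstanding query, and only records
inside the queried server's zone ("bailiwick") may enter the cache.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Query:
    name: str       # name being resolved
    txid: int       # 16-bit transaction ID chosen by the resolver
    src_port: int   # resolver's UDP source port for this query
    zone: str       # zone the queried name-server is authoritative for


@dataclass
class Response:
    txid: int
    dst_port: int
    records: dict   # name -> IP address, as offered by the responder


@dataclass
class ResolverCache:
    entries: dict = field(default_factory=dict)

    def accept(self, query: Query, response: Response) -> tuple[bool, str]:
        """Return (accepted, reason). Only an accepted response touches the cache."""
        if response.txid != query.txid:
            return False, "transaction ID mismatch"
        if response.dst_port != query.src_port:
            return False, "port mismatch"
        # Bailiwick check: a server for example.net may not tell us where a
        # name under another zone lives, so out-of-zone records are dropped.
        in_zone = {
            name: ip
            for name, ip in response.records.items()
            if name == query.zone or name.endswith("." + query.zone)
        }
        if query.name not in in_zone:
            return False, "no in-bailiwick answer for the queried name"
        self.entries.update(in_zone)
        return True, "cached %d record(s)" % len(in_zone)

    def lookup(self, name: str) -> str | None:
        return self.entries.get(name)


def demo() -> dict:
    """Run a forged and a legitimate answer against one outstanding query."""
    cache = ResolverCache()
    query = Query(name="www.example.net", txid=0x1A2B, src_port=40123,
                  zone="example.net")
    # Constructed forgery: the sender had to guess the TXID and guessed wrong.
    forged = Response(txid=0x0001, dst_port=40123,
                      records={"www.example.net": "198.51.100.9"})
    # Constructed genuine answer that also carries an out-of-zone record.
    legit = Response(txid=0x1A2B, dst_port=40123,
                     records={"www.example.net": "192.0.2.10",
                              "mail.hotforsecurity.com": "198.51.100.9"})
    return {
        "forged": cache.accept(query, forged),
        "legit": cache.accept(query, legit),
        "www": cache.lookup("www.example.net"),
        "smuggled": cache.lookup("mail.hotforsecurity.com"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Note that the TXID and port checks are only as strong as their unpredictability: a resolver that reuses one source port leaves a 16-bit ID as the only guesswork, which is why randomizing the source port per query (and, where deployable, DNSSEC validation) matters for the cache poisoning scenario described above.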

Please explain what actually “behavior-based analysis” is. – Question asked by Jeet

Behavior-based analysis refers to sample analysis that is performed not by tracing its code, but rather by observing its behavior and deciding whether it may be dangerous or not. BitDefender currently includes two types of behavior-based technology, commonly known in the industry as B-HAVE and AVC. Think of B-HAVE as a sandbox in which applications are run; the results of their execution are then analyzed and labeled as malicious or not. B-HAVE performs this evaluation before the application is actually launched on the computer. If it deems the application potentially malicious, access to it is blocked. And, since we’re discussing B-HAVE, you might want to know that BitDefender is the world’s first antivirus to include a sandbox.

The second technology implemented in BitDefender is AVC – Active Virus Control, an innovative solution that analyzes applications in real time and assigns them scores based on their interaction with the system. When these applications try to write to certain regions of the OS, such as the Registry or the system folder, they get a larger score. When this score reaches a certain threshold, the application is automatically terminated before it is able to harm the computer.
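The scoring idea behind AVC, as an added illustration rather than Bitdefender’s own code: each observed action carries a weight, weights accumulate per process, and the process is terminated the moment its total crosses a threshold. The event names, weights, threshold and the sample trace are constructed assumptions chosen to show the mechanism, not the product’s real values.

```python
"""Toy behaviour scorer modelled on the cumulative-score-with-threshold idea.

Added example, not Bitdefender code. Event names, weights, the threshold and
the trace below are constructed for illustration only.
"""
from collections import defaultdict

# Constructed weights: writes to sensitive locations score higher than
# ordinary user-directory activity or a single network connection.
WEIGHTS = {
    "file_write_user_dir": 1,
    "network_connect": 2,
    "registry_write_run_key": 5,   # persistence via an autostart key
    "file_write_system_dir": 6,    # tampering with the system folder
    "process_inject": 8,           # writing into another process
}
THRESHOLD = 10


class BehaviourMonitor:
    def __init__(self, threshold=THRESHOLD, weights=WEIGHTS):
        self.threshold = threshold
        self.weights = weights
        self.scores = defaultdict(int)
        self.terminated = set()

    def observe(self, pid: int, event: str) -> str:
        """Score one event for a process.

        Returns "terminated" when this event pushes the process over the
        threshold, "ignored" for events from an already-terminated process,
        and "allowed" otherwise. Unknown events carry no weight.
        """
        if pid in self.terminated:
            return "ignored"
        self.scores[pid] += self.weights.get(event, 0)
        if self.scores[pid] >= self.threshold:
            self.terminated.add(pid)
            return "terminated"
        return "allowed"


def run_trace(trace):
    """Replay a list of (pid, event) pairs; return (final scores, terminated pids)."""
    monitor = BehaviourMonitor()
    for pid, event in trace:
        monitor.observe(pid, event)
    return dict(monitor.scores), monitor.terminated


# Constructed trace: pid 100 behaves like an editor saving files and checking
# for updates; pid 200 drops a file in the system folder, sets persistence and
# then tries to inject into another process.
SAMPLE_TRACE = [
    (100, "file_write_user_dir"),
    (100, "network_connect"),
    (100, "file_write_user_dir"),
    (200, "file_write_system_dir"),
    (200, "registry_write_run_key"),
    (200, "process_inject"),
    (200, "network_connect"),
]

if __name__ == "__main__":
    scores, killed = run_trace(SAMPLE_TRACE)
    print("scores:", scores)
    print("terminated:", killed)
```

In the trace, pid 200 reaches 11 on its second event and is terminated there; the later injection attempt is never scored because the process is already gone, while pid 100 finishes at 4 and is left alone. The weights are where a real product’s tuning lives: too low and ordinary installers get killed, too high and a stealthy sample stays below the line.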

What is the difference between a hardware firewall (like in routers) and software firewalls and which one is better? – Question asked by Jeet

Hardware firewalls are usually found in consumer routers as well as in business networking equipment. These appliances work at a low level of the TCP/IP protocol stack, namely at the network layer. Packets are filtered by inspecting the packet header (the fields storing information about the source, the destination and the port number). After this brief inspection, the hardware firewall drops or forwards the packet according to the set of rules defined by the firewall administrator.
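The header-only rule evaluation described above, as an added example (not taken from any router’s firmware): a stateless filter that matches source, destination, protocol and destination port against an ordered rule list, applies the first matching rule and falls back to a default deny. Rules, addresses and packets are constructed from documentation ranges.

```python
"""Stateless, header-based packet filter of the kind a router applies.

Added example, not the article's or any vendor's code. Rule set and sample
packets are constructed; addresses come from the documentation ranges.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str     # source IP address
    dst: str     # destination IP address
    proto: str   # "tcp" or "udp"
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "drop"
    src: str = "0.0.0.0/0"         # source network; default matches anything
    dst: str = "0.0.0.0/0"         # destination network
    proto: Optional[str] = None    # None means any protocol
    dport: Optional[int] = None    # None means any destination port

    def matches(self, pkt: Packet) -> bool:
        """A rule matches only if every field it constrains agrees with the header."""
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def decide(rules, pkt: Packet, default: str = "drop") -> str:
    """First matching rule wins; anything unmatched gets the default action."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Constructed rule set: block one netblock outright, then expose only the
# web server's HTTPS/HTTP ports and the resolver's UDP/53. Order matters:
# the block rule sits first so it cannot be bypassed by a later allow.
RULES = [
    Rule("drop", src="203.0.113.0/24"),
    Rule("allow", dst="192.0.2.10", proto="tcp", dport=443),
    Rule("allow", dst="192.0.2.10", proto="tcp", dport=80),
    Rule("allow", dst="192.0.2.53", proto="udp", dport=53),
]

if __name__ == "__main__":
    for pkt in (Packet("198.51.100.7", "192.0.2.10", "tcp", 443),
                Packet("203.0.113.5", "192.0.2.10", "tcp", 443),
                Packet("198.51.100.7", "192.0.2.10", "tcp", 22)):
        print(pkt, "->", decide(RULES, pkt))
```

Everything the filter decides comes from the header: it never sees whether the bytes on port 443 are a web page or a downloader, which is the limitation the answer below points to when it recommends pairing the appliance with a host-based firewall.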

Software firewalls are commonly deployed in home networks directly on the host computer. They are easy to install, work out of the box and require minimal IT knowledge to set up. For instance, the BitDefender Firewall module that comes with Internet Security and Total Security can automatically detect whether the computer is connected to a public network or to a private one and take the appropriate measures, such as denying access to shared folders, hiding the computer on the network and preventing other computers on the network from running port scans against the protected machine. More than that, the firewall can automatically detect whether an application is legitimate or not and allow or deny it access to the Internet.

As for which one is better, my advice is to always complement a hardware appliance with a software firewall. While hardware firewalls are faster and do a great job at countering DDoS attacks, they do not inspect the content of the traffic they pass, nor do they protect against viruses, worms and Trojans, as some software firewalls do. Another aspect worth mentioning is that the software firewall protects the client (the workstation it is installed on), while the hardware firewall protects the entire network.

Can you please explain MAC address spoofing and IP address spoofing?

The MAC (Media Access Control) address is a unique identifier that network equipment uses to deliver data packets correctly within a network segment (please note that in the same network segment, computers are identified by MAC address rather than by IP).

By default, all network cards come with a hard-coded MAC address that is unique. Each network card vendor has its own manufacturer code (the first three pairs of hexadecimal digits), followed by the serial number (the other three pairs). This way, no two vendors can issue the same MAC address for two different cards. However, MAC addresses are changeable through software, at the operating system level.
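The split described above, as an added example rather than anything from the article: a parser that separates the manufacturer code from the serial part and reads the two flag bits that live in the first octet. The locally-administered bit (value 0x02 in the first octet) is set on addresses assigned by software rather than burned in by the vendor, so it is one of the signals a network defender can check when a MAC may have been altered. The sample addresses are constructed and do not belong to a real vendor.

```python
"""Split a 48-bit MAC address into vendor and serial parts and read its flag bits.

Added example, not from the article. Sample addresses are constructed.
The two low-order bits of the first octet are standardised flags:
  bit 0 (0x01) - group/multicast address
  bit 1 (0x02) - locally administered (assigned by software/administrator),
                 as opposed to the vendor's universally administered value.
"""
import re


def parse_mac(mac: str) -> dict:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff forms."""
    digits = re.sub(r"[:\-.]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    octets = [int(digits[i:i + 2], 16) for i in range(0, 12, 2)]
    first = octets[0]
    return {
        # Manufacturer code (OUI): the first three octets.
        "oui": ":".join("%02x" % o for o in octets[:3]),
        # Vendor-assigned serial part: the last three octets.
        "serial": ":".join("%02x" % o for o in octets[3:]),
        "multicast": bool(first & 0x01),
        "locally_administered": bool(first & 0x02),
    }


def flag_possibly_changed(mac: str) -> bool:
    """True when the address carries the locally-administered bit.

    A burned-in vendor address has this bit clear, so a set bit on a station's
    source MAC is a hint (not proof) that the address was set in software.
    """
    return parse_mac(mac)["locally_administered"]


if __name__ == "__main__":
    for sample in ("00:1a:2b:3c:4d:5e", "02-1a-2b-3c-4d-5e", "011a.2b3c.4d5e"):
        print(sample, parse_mac(sample), "changed?", flag_possibly_changed(sample))
```

Treat the bit as a hint only: a user cloning a failed card’s address, as the answer goes on to describe, copies a vendor address with the bit clear, while modern phones and laptops that randomize their Wi-Fi MAC for privacy set the bit without any ill intent.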

External (USB) network card with a spoofed MAC address.

There are multiple reasons why some users decide to change the factory-assigned MAC address, including hardware failures. For instance, some Internet Service Providers may allow connections only from authorized computers. When a network card fails and is replaced, the user may clone the old card’s MAC onto the new one, thus ensuring continuity of service. The same thing applies to SOHO routers. In this case, cloning the MAC address is not harmful at all, since identification by MAC is only available in the same segment of the LAN. However, there are many cases in which routers and access points use MAC-based access control lists to decide which clients may connect to wireless networks.

IP address spoofing is another type of attack that relies on tampering with data packets in order to modify the source IP address. IP spoofing is usually performed to impersonate another computer, so that it, rather than the sender, receives the response from the destination. Imagine this scenario: I send a request to a server, but spoof my IP to look like it is my colleague’s computer. The server responds with a number of bytes, but it sends the data to my colleague’s computer rather than to me (the initiator), since the packet header claims that the request comes from him. If I manage to pull this trick many times in a short period, my colleague will suffer a denial-of-service attack.

There are software applications out there which claim to let you send email from any; how do they work, or, better still, how do I save myself from getting spammed? – Question asked by Jeet

These applications are mail sender agents that let the user define their own SMTP servers to send mail. As far as sending the e-mail message on behalf of a different user is concerned, this is easily achieved by forging the e-mail headers. I’m not going too much into details due to the sensitive nature of the matter, but, provided that you have access to an SMTP server, you can specify the identity of the sender by hand in a Telnet session. Of course, you can automate the process, but this is a different issue. Bottom line, header manipulation is a piece of cake. What you can’t forge that easily is the sender’s SMTP server and the sender’s IP address.

Spam is omnipresent and it’s only a matter of time until you receive the first unsolicited messages. If you’d like to enhance your privacy, remember to never publish your e-mail address online, because spam bots will eventually harvest it and add it to a database. Make sure you’re not using your work e-mail for personal purposes and be careful about which mailing lists you subscribe to online. Use a spam filter if you’re reading your mail from a client application; the spam filter will automatically detect junk mail and treat it accordingly, thus preventing it from reaching your inbox and wasting your time or, worse, getting you infected.

Why do malware authors need to make malware applications or anything? – Question asked by Miami SEO Company

Initially, malware was written for fun or to make a statement about the skills of the writer. Nowadays, everything is about making money or about punishment. While most malware strictly tries to make money off the unwary user, either by emptying their bank accounts through fraud or by asking them to buy useless software (such as Rogue AV or sports betting prediction applications), there are some instances where malware is used as a blackmailing tool (i.e. for launching DDoS attacks against “offending parties”).

About the author


Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.