Computer criminals have devised a new technique, called Ghost Hosts, which bypasses web URL filtering systems by using unknown domains.
Ghost Hosts Evades URL Web Filtering Measures
One of the many countermeasures to stop malicious campaigns from accessing networks and exploiting various resources has long been URL filtering. This is achieved by setting up blacklists that are updated regularly with the latest threats.
Malicious operators have devised a new way to avoid this security measure by employing unknown domains in place of known malicious ones. The tactic has been dubbed Ghost Hosts by the security researchers from Cyren, who warned of it. It is designed to evade domain and host blacklists by inserting a random, non-malicious host name in the HTTP Host header field, while the actual connection is made to a malicious command and control server. In other words, Ghost Hosts places an unknown host name in the HTTP header, but the underlying connection goes to a different address. Malware operators can use HTTP clients that send requests with customized headers, and because the Host header is set by the client when the request is built (as the HTTP protocol allows), any unknown host name can be added. This poses a very significant threat to the targets.
The hackers can use several open-source HTTP clients that feature header manipulation as part of their built-in functions. Botnet operators can also use the Ghost Hosts attack against URL filtering systems. The systems will not block the ghost host name, as they only act against the originally resolved domain. The botnet operator can also configure the server to respond in a particular way when a request carrying the ghost name is received; an example response might include the download of a specific type of malware or the execution of a command on the botnet itself. In addition, any IP address associated with the remote C&C server's URL will not be blocked, as the server may host both legitimate and malicious content; by blocking it altogether, automated security systems may prevent the use of legitimate online services.
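The defensive counterpart to the mechanism described above is to stop trusting the Host header on its own and instead compare it with the address the client actually connected to. The following Python script is an added example, not code from Cyren or from the original article: it reads constructed proxy log lines (the line format, field names and IP addresses are all invented for the example) and a constructed passive-DNS table of what each host name legitimately resolved to, and flags requests where the destination IP is not one the Host name ever resolved to, or where the Host name was never resolved on the network at all.

```python
"""Flag HTTP requests whose Host header disagrees with the real destination IP.

Added example with constructed data (log format, host names and addresses are
hypothetical). It is not Cyren's detection logic.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed proxy log: timestamp, client, destination IP:port, Host header, path.
SAMPLE_PROXY_LOG = """\
2017-03-01T10:00:01Z src=10.0.0.5 dst=93.184.216.34:80 host=www.example.com path=/index.html
2017-03-01T10:00:07Z src=10.0.0.5 dst=198.51.100.23:80 host=cdn.example.net path=/update.bin
2017-03-01T10:00:09Z src=10.0.0.8 dst=203.0.113.9:80 host=203.0.113.9 path=/
2017-03-01T10:00:12Z src=10.0.0.8 dst=198.51.100.77:80 host=files.example.org path=/a.php
"""

# Constructed passive-DNS view: answers the network's resolver actually returned.
SAMPLE_DNS_ANSWERS: Dict[str, Set[str]] = {
    "www.example.com": {"93.184.216.34"},
    "cdn.example.net": {"93.184.216.40", "93.184.216.41"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>[^:\s]+):(?P<port>\d+) "
    r"host=(?P<host>\S+) path=(?P<path>\S+)$"
)


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    host: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed proxy log line into its fields, or None if malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_ghost_hosts(log_text: str, dns_answers: Dict[str, Set[str]]) -> List[Finding]:
    """Return one Finding per request whose Host header does not fit the destination IP."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        host = rec["host"].lower().rstrip(".")
        dst = rec["dst"]

        # A literal IP in the Host header must simply equal the destination.
        try:
            ipaddress.ip_address(host)
        except ValueError:
            pass
        else:
            if host != dst:
                findings.append(Finding(rec["ts"], rec["src"], dst, host,
                                        "literal-IP Host header differs from destination"))
            continue

        known = dns_answers.get(host)
        if known is None:
            # No DNS evidence for this name: a name that was never resolved
            # cannot be the reason the client picked this destination.
            findings.append(Finding(rec["ts"], rec["src"], dst, host,
                                    "Host name never resolved on this network"))
        elif dst not in known:
            # Name was resolved, but never to this address.
            findings.append(Finding(rec["ts"], rec["src"], dst, host,
                                    "destination IP is not an address the Host name resolved to"))
    return findings


if __name__ == "__main__":
    for f in find_ghost_hosts(SAMPLE_PROXY_LOG, SAMPLE_DNS_ANSWERS):
        print(f"{f.ts} {f.src} -> {f.dst} Host={f.host}: {f.reason}")
```

Treat the output as a triage signal rather than a blocking rule: CDNs, shared virtual hosting, short DNS TTLs and upstream proxies all produce legitimate Host/IP mismatches, so the useful correlation is with the client's own DNS traffic (did this client resolve that name shortly before connecting?) and with the reputation of the destination IP, not with the Host name the attacker chose.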
The technique was discovered while the Cyren researchers were investigating activity of the Necurs botnet, which is notorious for spreading dangerous malware and ransomware. Fortunately, no previous incidents have been reported so far.
According to Cyren the following statement about Ghost Hosts can be made:
Ghost hosts are yet another example of how sophisticated criminal evasion techniques have become, and serve as an excellent example of why security vendors are often best positioned to protect organizations from the increasing craftiness of cybercriminals.