In their constant quest to find new and interesting ways to abuse the Internet, attackers recently have begun using an old technique to obfuscate URLs and IP addresses to bypass URL filters and direct users to malicious sites.
The technique takes advantage of the fact that modern browsers will allow users to specify IP addresses in formats other than base 10. So a typical IP address that looks something like this– 220.127.116.11–can also be written in base 8, hexadecimal or a handful of other formats, and the browser will recognize it and take the user to the specified site. In a blog post describing the technique, Josh Phillips, a Kaspersky Lab malware analyst, explains how effective this could be against current URL-filtering technologies:
What is interesting though is that due to the relative obscurity of
using such methods to denote an IP or URL, it is quite feasible that
existing security products do not correctly identify the URLs as valid
or flag them as malicious when they point to existing known bad
In my testing, Firefox on Windows supports all
of the above addresses, under Linux however, Marco from our German
office says some are unsupported. Based on poor browser support for such
features, it’s possible to imagine URL filtering tools having the same
lack of support.
In addition to potential weak tool support
for such URLs, it is likely that unsuspecting users may be more easily
convinced that a particular URL is legitimate, which I think is the
obvious goal of using such URL obfuscation techniques.
That’s clearly the goal of these kind of attackers, and it’s not surprising to see them going back to a technique that’s worked in the past. Not every attack needs a zero-day exploit to be effective. Sometimes the old way is still the good way.