How to Evade URL Filters With (Not-So) Fancy Math

In their constant quest to find new and interesting ways to abuse the Internet, attackers recently have begun using an old technique to obfuscate URLs and IP addresses to bypass URL filters and direct users to malicious sites.

The technique takes advantage of the fact that modern browsers allow users to specify IP addresses in formats other than base 10. So a typical IP address that looks something like this, 192.10.10.1, can also be written in base 8, hexadecimal or a handful of other formats, and the browser will recognize it and take the user to the specified site. In a blog post describing the technique, Josh Phillips, a Kaspersky Lab malware analyst, explains how effective this could be against current URL-filtering technologies:

What is interesting though is that due to the relative obscurity of
using such methods to denote an IP or URL, it is quite feasible that
existing security products do not correctly identify the URLs as valid
or flag them as malicious when they point to existing known bad
websites.

In my testing, Firefox on Windows supports all
of the above addresses, under Linux however, Marco from our German
office says some are unsupported. Based on poor browser support for such
features, it’s possible to imagine URL filtering tools having the same
lack of support.

In addition to potential weak tool support
for such URLs, it is likely that unsuspecting users may be more easily
convinced that a particular URL is legitimate, which I think is the
obvious goal of using such URL obfuscation techniques.

That’s clearly the goal of these kinds of attackers, and it’s not surprising to see them going back to a technique that’s worked in the past. Not every attack needs a zero-day exploit to be effective. Sometimes the old way is still the good way.
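
One way a URL filter can close the gap described above is to canonicalize the host before the blocklist lookup, using the same inet_aton-style rules browsers apply. This is an added example, not code from the article or from Phillips's post; the function names and the one-entry blocklist are hypothetical, and the address is the article's sample.

```python
from urllib.parse import urlsplit

DIGITS = "0123456789abcdef"
BLOCKED_IPS = {"192.10.10.1"}  # constructed blocklist: the article's sample address

def parse_part(text):
    """Parse one dotted component: 0x.. is hex, a leading 0 is octal, else decimal."""
    t = text.lower()
    if t.startswith("0x"):
        digits, base = t[2:] or "0", 16
    elif len(t) > 1 and t[0] == "0":
        digits, base = t[1:], 8
    else:
        digits, base = t, 10
    # int() alone would accept "+1" or "1_0", so check the digit set explicitly.
    if not digits or any(c not in DIGITS[:base] for c in digits):
        return None
    return int(digits, base)

def canonical_ipv4(host):
    """Return dotted-decimal for any numeric IPv4 spelling, or None for a name."""
    if host.endswith("."):
        host = host[:-1]
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    nums = [parse_part(p) for p in parts]
    if None in nums:
        return None
    # Leading parts are one byte each; the last part fills all remaining bytes.
    if any(n > 255 for n in nums[:-1]) or nums[-1] >= 256 ** (5 - len(nums)):
        return None
    value = nums[-1]
    for i, n in enumerate(nums[:-1]):
        value += n << (8 * (3 - i))
    return ".".join(str((value >> s) & 255) for s in (24, 16, 8, 0))

def is_blocked(url):
    """Blocklist lookup on the canonical address instead of the raw host string."""
    return canonical_ipv4(urlsplit(url).hostname or "") in BLOCKED_IPS

if __name__ == "__main__":
    # Constructed spellings of the same address: dword, hex, mixed octal/hex, 2-part.
    for host in ("3221883393", "0xC00A0A01", "0300.012.0xa.1", "192.657921"):
        url = "http://%s/" % host
        print(url, canonical_ipv4(host), is_blocked(url))
```

A filter that compares the raw host string against its list would miss all four spellings; comparing the canonical form matches each of them.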

Discussion

  • Anonymous on

    These URLs don't work in Camino on the Mac.

  • Anonymous on

    well stop being the douche that uses camino and a mac

  • zarmanto on

    They don't work in either Safari or Firefox on the Mac either... but that's really beside the point, since the Mac wouldn't run any viral code attached to malware pages which use this method anyway.

  • Josh Miller on

    Here is a similar post from 2002:

    http://www.pc-help.org/obscure.htm

  • izzix on

    It worked just fine, osx 10.5.8, safari 4.0.5

  • Anonymous on

    Works!

  • Anonymous on

    This Thunderbird bug report from 2007 mentions the problem and is older than the "Phishing with encode IP address" you mentioned in your post: https://bugzilla.mozilla.org/show_bug.cgi?id=393759.

    Regards.

  • Anonymous on

    All of the different formats work in Chrome on Windows.

  • Pravin on

    All of them also work on Linux + Chrome

  • Anonymous on

    Older than the internet, but, this is still useful for historical insight.  OK, now I gotta flame someone using a Mac from my equally ubiquitous OS...

  • Anonymous on

    still work firefox 3.6 in windows..huhuhuh

  • Richards on

    Nicely presented information in this post, I prefer to read this kind of stuff. The quality of content is fine and the conclusion is good. Very good techniques you listed. Thanks for the post.

  • Anonymous on

    Violent video games are readily blamed by the media and some experts as the reason why some youth become violent or commit extreme anti-social behavior.violent games may cause more intense feelings of aggression than nonviolent games. drug and alcohol test

  • Anonymous on

    I am happy to find this post very useful for me, as it contains lot of information. I always prefer to read the quality content and this thing I found in you post. Thanks for sharing

    bläckpatroner

  • St bart villa on

    this gaming ideas are great.

  • Free VIN Check on

    Thanks for sharing  this information.

  • Burlap on

    amazing post.

    thank you!

  • pop display company on

    presentation is very very attractive and good.
