The Neutrino exploit kit has a new way to detect security researchers

Neutrino is using passive OS fingerprinting to detect visiting Linux machines, according to Trustwave

The developers of the Neutrino exploit kit have added a new feature intended to thwart security researchers from studying their attacks.

The feature was discovered after Trustwave's SpiderLabs division found computers they were using for research couldn't make a connection with servers that delivered Neutrino.

"The environment seems completely fine except for when accessing Neutrino," wrote Daniel Chechik, senior security researcher.

Exploit kits are one of the most effective ways that cybercriminals can infect computers with malware. They find vulnerable websites and plant code that transparently connects with another server that tries to exploit software vulnerabilities.

If the server finds a hole, the malware is delivered, and the victim is none the wiser. Exploit kits are also sometimes delivered by malicious online ads in attacks known as malvertising.

Malware writers and cyberattackers have long used methods to try to stop security engineers from studying their methods. For example, some malware programs are designed to quit if they're running in a virtual machine.

Chechik wrote that Trustwave tried changing IP addresses and Web browsers to avoid whatever was causing the Neutrino server to not respond, but it didn't work.

But by fiddling with some data traffic that Trustwave's computers were sending to the Neutrino server, they figured out what was going on.

Neutrino has been engineered to use passive OS fingerprinting, which is a method to collect and analyze data packets without the entity that is sending the packets knowing their computers are being profiled. In this case, the computer sending the packets is a security researcher's system that's probing the hackers' server.

Passive OS fingerprinting captures "traffic coming from a connecting host going to the local network," according to a post on the SANS blog. "The fingerprinting can then be conducted without the remote host being aware that its packets are being captured."

Michal Zalewski, a security researcher who works for Google, wrote a tool specifically for passive OS fingerprinting.

It offers attackers the advantage of stealth, since active OS fingerprinting -- which involves sending direct traffic to another network -- can trigger alerts from firewalls and intrusion detection equipment.

Chechik wrote that Neutrino appears to be using passive OS fingerprinting in order to shut down connections coming from Linux machines, which are likely to be used by security researchers.

"This approach generally reduces their exposure to anything from automated scans to unwanted security researchers," he wrote.

It's a smart move by Neutrino's developers, because if a server doesn't respond, it's generally considered down.

"It is very likely that this behavior would simply be written off as a dead server and Neutrino would achieve its goal of being left alone by anyone who isn't a potential victim," Chechik wrote.

Join the PC World newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service
Show Comments

Cool Tech

Crucial Ballistix Elite 32GB Kit (4 x 8GB) DDR4-3000 UDIMM

Learn more >

Gadgets & Things

Lexar® Professional 1000x microSDHC™/microSDXC™ UHS-II cards

Learn more >

Family Friendly

Lexar® JumpDrive® S57 USB 3.0 flash drive 

Learn more >

Stocking Stuffer

Plox Star Wars Death Star Levitating Bluetooth Speaker

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?