How attackers exploit whitelists
If there is a technology or security measure that can help organizations protect their assets from attackers or malware, you can be sure that attackers will try to find a way to bypass it.
And, with the growing number of security solutions deployed by organizations, it is to be expected that some of them can be played against one another.
As noted by freelance security consultant and SANS Internet Storm Center (ISC) handler Xavier Mertens, attackers have been known to take advantage of an organization's whitelist to stop its blacklist from keeping their malware and exploits out of the network.
One way to do it is to make the URL of the page from which the malicious executable is downloaded end in a generic path such as /search.php (or /login.php, /rss.php, /register.php, and so on). A bare path like that is a poor indicator on its own: once it is added to a blacklist, it also matches legitimate traffic to every site that happens to use the same filename.
“By choosing a generic URL like this one, malware writers hope that it will be hidden in the traffic. But when it becomes blacklisted, there are side impacts,” he says. “I had the case with a customer this week. They had to remove /search.php from the list of IOCs because their IDS was generating way too many alerts.”
Another way to exploit whitelists is to host the malware on a compromised site that is likely to already be on organizations’ whitelists.
Examples include relatively popular websites (e.g. Alexa top 1000 sites), sites that employees of the targeted companies are likely to visit often, and sites in a category that would otherwise not raise suspicion. A domain's reputation says nothing about one particular page or file it serves, so a whitelist keyed on the domain alone effectively trusts everything hosted there, including whatever an intruder has planted.
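Both problems described above, the over-broad path-only indicator and the whitelist that overrides the blacklist, come down to how the filtering logic is keyed and in what order it is evaluated. The following is an added example written for this page, not code from Xavier Mertens or the article; the proxy log lines, host names, paths and indicator lists are all constructed for illustration, and the two policy functions are hypothetical simplifications of a web proxy's decision logic.

```python
from urllib.parse import urlsplit

# Constructed proxy log (not from the article): "<client> <url>" per line.
# Two of the /search.php hits are legitimate, one is the malware download
# host, and update.exe sits on a reputable but (assumed) compromised site.
SAMPLE_PROXY_LOG = """\
10.0.0.5  http://intranet.example.com/search.php?q=quarterly+report
10.0.0.7  http://www.news-site.example/search.php?q=merger
10.0.0.9  http://cdn.popular-site.example/rss.php
10.0.0.11 http://badhost.example/search.php
10.0.0.12 http://popular-site.example/images/update.exe
10.0.0.13 http://popular-site.example/index.html
"""

def parse_proxy_log(text):
    """Return (client, host, path) tuples. The query string is dropped because
    the indicators in this example are keyed on host and path only."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, url = line.split()
        parts = urlsplit(url)
        entries.append((client, parts.hostname, parts.path))
    return entries

# Path-only indicator, the form that flooded the customer's IDS with alerts.
PATH_ONLY_IOCS = {"/search.php"}

# The same indicators qualified with the host they were actually seen on.
URL_IOCS = {
    ("badhost.example", "/search.php"),
    ("popular-site.example", "/images/update.exe"),
}

# Hosts the organisation whitelists on reputation (assumed compromised here).
ALLOWED_HOSTS = {"popular-site.example", "cdn.popular-site.example"}

def alerts_path_only(entries, iocs=PATH_ONLY_IOCS):
    """Match on path alone: fires on every site that uses the same filename."""
    return [e for e in entries if e[2] in iocs]

def alerts_host_and_path(entries, iocs=URL_IOCS):
    """Match on host and path: fires only on the URLs that served malware."""
    return [e for e in entries if (e[1], e[2]) in iocs]

def decide_allowlist_first(host, path, allowed=ALLOWED_HOSTS, iocs=URL_IOCS):
    """Policy that short-circuits on the whitelist, so a blacklisted URL on a
    whitelisted host is never checked. This is the bypass the article describes."""
    if host in allowed:
        return "allow"
    return "block" if (host, path) in iocs else "allow"

def decide_iocs_first(host, path, allowed=ALLOWED_HOSTS, iocs=URL_IOCS):
    """Policy that checks specific URL indicators before the host whitelist,
    so a compromised reputable site cannot shield a known-bad URL."""
    if (host, path) in iocs:
        return "block"
    return "allow"

def evaluate(entries, decide):
    """Run a policy function over parsed log entries; returns (host, path, decision)."""
    return [(host, path, decide(host, path)) for _, host, path in entries]

if __name__ == "__main__":
    entries = parse_proxy_log(SAMPLE_PROXY_LOG)
    print("path-only IOC alerts:", len(alerts_path_only(entries)))
    print("host+path IOC alerts:", len(alerts_host_and_path(entries)))
    for policy in (decide_allowlist_first, decide_iocs_first):
        print(policy.__name__)
        for host, path, decision in evaluate(entries, policy):
            print(f"  {decision:5}  {host}{path}")
```

Running it shows the path-only indicator raising three alerts, two of them on legitimate internal and news-site searches, while the host-qualified indicators raise exactly two. Under the whitelist-first policy the update.exe download from the compromised popular site is allowed; once the specific URL indicators are evaluated before the host whitelist it is blocked, and the site's benign pages still pass.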