Hackers prevent research on malicious code

Cybercriminals are randomizing content served from malicious web pages so that they can prevent security researchers from doing proper analysis. According to Websense Security Labs, malware tracking is becoming more difficult because IP addresses and user-agents are being tracked rigorously and often, when pages are served, the content is randomized.

Following analysis of malicious Flash files, the company investigated a case in which a user who received an SWF (Shockwave Flash file) link in an email and clicked it was automatically redirected to a spam web site. When GNU's Wget utility was used to fetch the same page, however, the server returned a 403 Forbidden response.

Websense researchers initially thought that either the attackers had blacklisted the location or that they were checking all of the HTTP header attributes. Once a cookie was set, the transaction appeared to go through, that is, as though a user had clicked on the SWF file rather than fetching the page with a simulated browser (Wget).
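The behaviour described above (a 403 for a Wget-like client, a redirect once a cookie is present, and bodies that change between fetches) can be checked systematically. The following Python probe is an added illustration and is not Websense's tooling; the profile names, the browser User-Agent string and the `clicked=1` cookie are assumed placeholders, and the URL is supplied on the command line.

```python
"""Cloaking/randomization probe: fetch one URL under several request
profiles (Wget-like, browser-like, browser plus cookie), twice each, and
report whether the status depends on the profile or the body changes
between identical fetches.  Profile names and cookie are hypothetical."""
import hashlib
import urllib.error
import urllib.request

BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/115.0"
PROFILES = {  # constructed; the cookie name and value are placeholders
    "wget": {"User-Agent": "Wget/1.21"},
    "browser": {"User-Agent": BROWSER_UA, "Accept": "text/html,*/*;q=0.8"},
    "browser+cookie": {"User-Agent": BROWSER_UA, "Cookie": "clicked=1"},
}

def fetch(url, headers, timeout=10):
    """Return (status, body); an HTTP error such as 403 is data, not a failure."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()

def fingerprint(body):
    return hashlib.sha256(body).hexdigest()[:16]

def analyse(results):
    """results: {profile: [(status, body), ...]} from repeated fetches."""
    per_profile = {
        p: {"statuses": sorted({s for s, _ in fetches}),
            "hashes": sorted({fingerprint(b) for _, b in fetches})}
        for p, fetches in results.items()
    }
    # Same headers, different body on a repeat fetch: content is randomized.
    randomized = sorted(p for p, v in per_profile.items() if len(v["hashes"]) > 1)
    # Status differs between profiles: the server keys on UA/headers/cookie.
    status_sets = {tuple(v["statuses"]) for v in per_profile.values()}
    return {"per_profile": per_profile,
            "randomized_profiles": randomized,
            "status_depends_on_profile": len(status_sets) > 1}

def probe(url, repeats=2):
    return analyse({p: [fetch(url, h) for _ in range(repeats)]
                    for p, h in PROFILES.items()})

if __name__ == "__main__":
    import json, sys
    print(json.dumps(probe(sys.argv[1]), indent=2))
```

Run it from an isolated analysis host, since the probe does contact the URL; a `status_depends_on_profile` of true with a 403 only under the `wget` profile reproduces the pattern the researchers saw.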
