In addition to these sophisticated evasion techniques, the malware also attempts to mask its behavior. The screenshot below illustrates a sample redirection from some_website to some_address:
To make it difficult to determine the actual URL, Parasite HTTP redirects to a randomly generated domain, such as www.omegahat.com, which then redirects again to a randomly generated domain, such as www.omegahat67.com:
The most frustrating part is that you never know where the malware redirects to and who you are actually being redirected to. This is extremely hard to debug because the destination can appear to be a legitimate website.
Malicious websites are used for lure and capture. In Figure 14, we can see how Parasite HTTP checks a legitimate login URL, some_website, even though the actual URL is some_address: