Tuesday, November 12, 2013

How web-browser automation helps purveyors of malware

Once again, convenience is at odds with security. Learn how web browsers making life easy for users also helps the bad guys. 


Web browsers have matured into capable software tools. Getting to this point required significant effort by dedicated developers, who continue to enhance their code in order to provide an ever more gratifying user experience.
These enhancements come at a price—increased complexity. Like today's automobiles, web browsers are so complicated that it’s almost a waste of time to look under the hood when something’s not operating correctly.
Sadly, there’s additional fallout from the inherent complexity; it’s easier for nefarious types to find cracks in the code or manipulate existing code to further their own agenda. 

Fortunately, there are developers willing to think like bad guys, figure out possible attack scenarios, and tell us about them. One such developer is Kyle Adams of Juniper Networks. In his blog post, What is Your Browser Doing Behind Your Back, Kyle takes a look at several automated "behind the scenes" browser processes that attackers could leverage to steal sensitive user information such as bank account numbers. Let’s start by looking at DNS Prefetching.

DNS prefetching

Take a second, and count the number of links on this article’s web page. Click one. It loads fast, doesn’t it? That's because web browsers use DNS prefetching to resolve DNS information for every link on the rendered web page, just in case the user clicks on one of the links.

Kyle explains how an attacker could leverage DNS prefetching: "If an attacker puts a hidden link on a page that points to their domain, and sets up his DNS server, he can be notified when you view the page and get your IP address—even if you never click the link. This is bad in the case of emails and forums."

The key piece of information is “even if you never click the link.” What if a nefarious type managed to get a link placed on a high-traffic website, and that link pointed to a malicious website devised to download malware automatically? If the computer is vulnerable, it’s a done deal. Unfortunately, this happens all the time, particularly when websites use third-party advertising. Next on Kyle’s list was page prefetching.
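One way to audit a page for the behaviour Kyle describes is the added Python script below (mine, not Kyle's or Juniper's): it lists the off-site hostnames a prefetching browser may resolve while rendering a page, flags those attached to hidden links, and reports whether the page opts out through the x-dns-prefetch-control meta tag. The sample HTML and hostnames are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one visible off-site link, one relative link,
# and one hidden link pointing at a third-party host.
SAMPLE_HTML = """
<html><head><title>Forum thread</title></head>
<body>
<a href="https://example.org/faq">FAQ</a>
<a href="/profile">Profile</a>
<a href="http://tracker.example.net/ping" style="display: none">x</a>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Record every anchor hostname, whether the anchor is hidden, and
    whether the page disables DNS prefetching via the meta tag."""

    def __init__(self):
        super().__init__()
        self.links = []        # (hostname, hidden) per anchor with a host
        self.opts_out = False  # True if <meta http-equiv=x-dns-prefetch-control content=off>

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "x-dns-prefetch-control":
            self.opts_out = a.get("content", "").lower() == "off"
        if tag == "a" and a.get("href"):
            host = urlparse(a["href"]).hostname
            if host:
                style = a.get("style", "").replace(" ", "").lower()
                hidden = ("display:none" in style or "visibility:hidden" in style
                          or "hidden" in a)
                self.links.append((host, hidden))


def prefetch_targets(html, page_host):
    """Return (foreign_hosts, hidden_foreign_hosts, opts_out) for a page.

    The page's own host is excluded: it was resolved to load the page, so
    only other hostnames generate new lookups the viewer never asked for.
    """
    p = LinkCollector()
    p.feed(html)
    foreign = sorted({h for h, _ in p.links if h != page_host})
    hidden = sorted({h for h, hid in p.links if hid and h != page_host})
    return foreign, hidden, p.opts_out


if __name__ == "__main__":
    print(prefetch_targets(SAMPLE_HTML, "forum.example.com"))
```

A page owner (or forum administrator reviewing user-submitted HTML) can run this over rendered pages to see which third-party domains receive a lookup from every visitor's resolver.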

Page prefetching

I became aware of page prefetching when I wrote this article about Google Instant. Google Instant guesses what you are typing into Search. Then, Instant displays (along with prefetching the associated DNS information) what it thinks you are looking for, usually before you finish typing. Great idea. The bad guys think so as well, now that they have figured out how to game the system.

In my article, I used the search entry of Antivir Solution Pro as an example. At that time, Antivir Solution Pro was the name given to some nasty malware. Notice in the slide below what Google Instant guessed after I typed in just "anti." Sure enough, Antivir Solution Pro was Instant’s first choice.
[Figure: Google Instant suggestions shown after typing "anti"]
Many people thought they were going to a website offering an official antivirus product like Antivir or Antivirus Solution, but ended up getting a computer full of malware. Kyle then moved on to session cookies.

Session cookies

Web browsing without session cookies would be a major pain. Session cookies allow a web browser to remember the user’s information when moving from one web page to another on the same website. There is a problem though. Kyle explains, “Some browsers, most notably Chrome, do not delete session cookies when you clear the cookies. This means even if you clear your cookies, sites can keep tracking you until you close your browser.”
I’m trying to determine which web browsers retain session cookies, and which do not. It seems there are varying opinions. Retaining session cookies is not normally an issue, but it is important to understand that if session cookies persist, another user could resume an earlier session and access potentially sensitive web pages—something you may not want to happen. And, finally, Kyle looks at plug-ins.

Plug-ins

Plug-ins are software that allow users to customize an application, adding significant versatility to web browsers. I’d be lost without my ad blocking plug-in. Kyle states his concern: “Each plug-in operates with an immense amount of privileges. They can look at everything the user does, mess with content on their system, and make requests without the user knowing.”
Kyle offered this example:
Plug-ins commonly shipped with antivirus applications are designed to warn you when you visit a malicious page. However, in order for the AV vendor to know you’re visiting a malicious page, they need to know every page you do visit. This means that as you browse the Internet, the entire sum of your Internet activity is being silently shipped to a third party.
Kyle went on to mention that he would consider most AV vendors trustworthy, but Kyle also noted that some plug-ins do not encrypt the data, so the data is fair game in transit to the AV vendor’s servers.

Final thoughts

I’m afraid the “cat is out of the bag” on the four web browser processes Kyle talked about. I intend to keep using them. But knowing what Kyle has uncovered allows us to be careful in how we use them.
