RSS: The next malware target?

1. Internet enthusiasts develop a cool new technology
2. Big business gets on the bandwagon and makes it accessible to the masses
3. Hackers realize that everyone's using it and that it's the perfect vector for malicious activity
4. Everyone scrambles to "bolt on" security to a previously insecure technology

If you're not familiar with RSS, it's a technology that's been around since 1999, but is only now gaining mainstream popularity. RSS allows Web content publishers to distribute content updates to end users and allows those readers to use a single content aggregator to access all of their sites of interest simultaneously. At this point, RSS is in stage 1 of the process above. It's out there and big business is beginning to get on the bandwagon, leading us toward stage 2. We already see large content sites making RSS feeds available, such as the CNN RSS link shown below:

The only factor preventing a full-fledged adoption of RSS technology is that it isn't integrated into popular communication tools. However, Microsoft is about to change all of that with the release of Internet Explorer 7. This new browser incorporates support for adding and maintaining RSS feeds. It's likely that this will remove the final barrier to widespread use of RSS and we'll inevitably see hackers take advantage of flaws in the technology to bring us into stage 3 quickly.

In fact, David Sancho, Senior AV Research Engineer for Trend Micro, recently released a white paper entitled "The Future of Bot Worms," which highlights RSS hijacking as one of the emerging threats facing Internet users. The basic idea is that malware will leverage current RSS subscriptions in the user's browser to gain a legitimate jumping-off point for receiving updates from bot headquarters. The RSS feed is already trusted by the user's desktop firewall, so it provides the ideal environment for "phoning home."

So, now that you're sufficiently worried about the security risks RSS may pose to your organization, what can you do about it? Fortunately, there are some straightforward measures you can take while awaiting the release of RSS security tools:

More information Will RSS really be secure with IE 7.0? Find out how to reduce risks with URL filtering.   Learn five steps for defeating bots.

• Educate users. As with most security threats, user awareness is one of the most potent weapons in our arsenal. Make sure users are aware that, while RSS is a useful technology, it's not free from security risks.
  
• Scan HTTP traffic. Fortunately, RSS generally rides on top of the HTTP protocol. This gives us the ability to use standard HTTP content filters to monitor RSS traffic. If you're not already filtering HTTP traffic at your organization's border, now's a good time to start!
  
• Keep antivirus software current. The malicious code spread by RSS hijacking will need operating system hooks to deliver its payload. This leads us to the use of standard antivirus software to detect the effects of malicious code downloaded through an RSS feed and eradicate them from systems. Ensure that all systems in your organization have antivirus software installed and configured for daily signature updates.
  
• Check RSS configurations. It's important to keep in mind that antivirus software isn't a panacea in this case. It will help you detect and remove malicious code downloaded through an RSS feed, but current AV software can't detect and remove the feeds that downloaded the malware in the first place. Hopefully, we'll have tools in the near future that are capable of scanning your RSS subscriptions for known malicious feeds and/or unauthorized changes. While we're waiting for those tools, check your subscriptions on a regular basis and remove any that appear suspicious. You'll want to include this advice in your user education efforts as well.

About the author
Mike Chapple, CISSP is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. BROWSE BY TAG Web Security Advisor,   Malware, Viruses, Trojans and Spyware,   Information Security Threats,   Application and Platform Security,   Web Application Security,   Web Security Tools and Best Practices,   Web Browser Security,   Web Server Threats and Countermeasures,   Web Application and Web 2.0 Threats,   VIEW ALL TAGS Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Web Security Advisor DNS rebinding defenses still necessary, thanks to Web 2.0 New defenses for automated SQL injection attacks PCI compliance and Web applications: Code review or firewalls? Worst practices: Bad security incidents to avoid Web scanning and reporting best practices Social networking Web site threats manageable with good enterprise policy Enterprise security in 2008: Building trust into the application development process PCI DSS Section 6: A plan for tackling application security Making the case for Web application vulnerability scanners Preparing for uniform resource identifier (URI) exploits Malware, Viruses, Trojans and Spyware New Zeus spam poses as Social Security statements Increase in Gumblar backdoors poses FTP credential problems Hackers to sharpen malware, malicious software in 2010 iPhone worm Rickrolls jailbroken phones Israeli Mossad add Trojan Horse to Syrian laptop Schneier-Ranum Face-Off: Is antivirus dead? Modern malware, stealthy botnets, adapt quickly, expert says Computer worm infections up, scareware antivirus down, Microsoft says Web-based attacks skyrocket, pirating sites surge, security firms say Mini guide: How to remove and prevent Trojans, malware and spyware Web Application Security Black box and white box testing: Which is best? InZero Systems launches hardware-based security gateway Web application vulnerability assessment shows patching progress Preventing SQL injection attacks: A network admin's perspective Cisco acquires SaaS security vendor ScanSafe Web application firewall use goes beyond compliance, company finds Gumblar Trojan drive-by exploits spike following Adobe update Some Facebook applications lead to Russian attack sites Barracuda acquires Purewire expanding Web security reach An enterprise strategy for Web application security threats RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary bot worm  (SearchSecurity.com) directory traversal  (SearchSecurity.com) government Trojan  (SearchSecurity.com) Kraken  (SearchSecurity.com) man in the browser  (SearchSecurity.com) polymorphic malware  (SearchSecurity.com) RAT (remote access Trojan)  (SearchSecurity.com) RavMonE virus  (SearchSecurity.com) RFID virus  (SearchSecurity.com) Rock Phish  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.