Problem solve Get help with specific problems with your technologies, process and projects.

RSS: The next malware target?

A recent report from Trend Micro names RSS as the next likely target for bot worm attacks and predicts feed hijackings will be prevalent with the release of IE 7. In this tip, security expert Mike Chapple explains how RSS could be exploited, and offers steps for preventing these malware attacks.

Those of us who have been around the information security profession for a while have come to recognize a familiar pattern in the spread of malware. It goes something like this:

  1. Internet enthusiasts develop a cool new technology
  2. Big business gets on the bandwagon and makes it accessible to the masses
  3. Hackers realize that everyone's using it and that it's the perfect vector for malicious activity
  4. Everyone scrambles to "bolt on" security to a previously insecure technology
We've seen this happen with removable media, downloadable files, the Web, instant messaging and more. We've also seen dire public warnings, the enhancement of antivirus technology to combat these new threats and the eventual return to normalcy as the community compensates for the threat. We're now facing this cycle yet again with a relatively new technology: Really Simple Syndication (RSS).

If you're not familiar with RSS, it's a technology that's been around since 1999, but is only now gaining mainstream popularity. RSS allows Web content publishers to distribute content updates to end users and allows those readers to use a single content aggregator to access all of their sites of interest simultaneously. At this point, RSS is in stage 1 of the process above. It's out there and big business is beginning to get on the bandwagon, leading us toward stage 2. We already see large content sites making RSS feeds available, such as the CNN RSS link shown below:

The only factor preventing a full-fledged adoption of RSS technology is that it isn't integrated into popular communication tools. However, Microsoft is about to change all of that with the release of Internet Explorer 7. This new browser incorporates support for adding and maintaining RSS feeds. It's likely that this will remove the final barrier to widespread use of RSS and we'll inevitably see hackers take advantage of flaws in the technology to bring us into stage 3 quickly.

In fact, David Sancho, Senior AV Research Engineer for Trend Micro, recently released a white paper entitled "The Future of Bot Worms," which highlights RSS hijacking as one of the emerging threats facing Internet users. The basic idea is that malware will leverage current RSS subscriptions in the user's browser to gain a legitimate jumping-off point for receiving updates from bot headquarters. The RSS feed is already trusted by the user's desktop firewall, so it provides the ideal environment for "phoning home."

So, now that you're sufficiently worried about the security risks RSS may pose to your organization, what can you do about it? Fortunately, there are some straightforward measures you can take while awaiting the release of RSS security tools:

  • Educate users. As with most security threats, user awareness is one of the most potent weapons in our arsenal. Make sure users are aware that, while RSS is a useful technology, it's not free from security risks.
  • Scan HTTP traffic. Fortunately, RSS generally rides on top of the HTTP protocol. This gives us the ability to use standard HTTP content filters to monitor RSS traffic. If you're not already filtering HTTP traffic at your organization's border, now's a good time to start!
  • Keep antivirus software current. The malicious code spread by RSS hijacking will need operating system hooks to deliver its payload. This leads us to the use of standard antivirus software to detect the effects of malicious code downloaded through an RSS feed and eradicate them from systems. Ensure that all systems in your organization have antivirus software installed and configured for daily signature updates.
  • Check RSS configurations. It's important to keep in mind that antivirus software isn't a panacea in this case. It will help you detect and remove malicious code downloaded through an RSS feed, but current AV software can't detect and remove the feeds that downloaded the malware in the first place. Hopefully, we'll have tools in the near future that are capable of scanning your RSS subscriptions for known malicious feeds and/or unauthorized changes. While we're waiting for those tools, check your subscriptions on a regular basis and remove any that appear suspicious. You'll want to include this advice in your user education efforts as well.
RSS is certainly an exciting new technology that holds great promise for the enhanced distribution of information over the Internet. Be sure that you keep these security tips in mind to ensure a safe RSS experience for your organization.

About the author
Mike Chapple, CISSP is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.

This was last published in January 2006

Dig Deeper on Malware, virus, Trojan and spyware protection and removal