Attackers use PAC feature to redirect browsers  

Posted by afk@penk

14 April 2010

Brazilian malware writers are making use of a long-available feature within most modern browsers to launch attacks that redirect victims to malicious websites without their knowledge. The feature, known as proxy auto config, is turning up in banking trojans, according to researchers from Kaspersky.

Proxy auto config (PAC) is a feature accepted by all modern browsers, according to Fabio Assolini, a lab expert at Kaspersky. It contains a function to redirect browsers to a specific proxy server. A proxy server is a computer that accesses the Internet on a computer user's behalf, and feeds it the results. Proxy servers are often used by systems administrators as a gateway between an organization's computers and the Internet, and PAC files are set on client machines so that they always access the Internet through a protected gateway.

"Unfortunately this simple and smart proxy technique is being largely used by Brazilian malware writers to redirect infected users to malicious hosts serving phishing pages of financial institutions," Assolini said. "After being infected by a Trojan banker, if a user tries to access some of the websites listed in the script, they will be redirected to a phishing domain hosted at the malicious proxy server."

Even browsers designed securely from the bottom up, such as Google's Chrome, are susceptible to this attack, which changes the file prefs.js to insert a malicious proxy before adding a malicious dynamic link library to always rewrite the proxy, if it is removed.

This attack is an interesting variation on a more conventional redirection attack involving the Windows Hosts file. This is a plain text file containing a list of Domain Name System lookups, which a Windows computer will refer to first, before trying to resolve a domain name using an external server. Malware that alters DNS entries in a Hosts file instructs a Windows computer to visit any malicious IP address that the attacker wants when the user types in a legitimate web address, such as one for an online bank, for example.

resources from : http://www.infosecurity-us.com

This entry was posted on Thursday, April 15, 2010 at 5:20 PM . You can follow any responses to this entry through the comments feed .

0 comments

Post a Comment