
Researcher Uncloaks Zero-Day Worm That Can Spread Over All Your Social Networks

Imagine it's possible to force a victim's browser to effectively create malware on the fly that would hand over control of the PC, phone or tablet to a hacker. Now imagine this could be done by having the target click on a link for a domain as popular and trusted as Google.com, and then executing an ostensibly legitimate file. This is, according to Trustwave SpiderLabs security researcher Oren Hafif, a real possibility.

At the Black Hat Europe conference taking place next week he'll detail his new attack technique, called Reflected File Download (RFD). More savvy users will be wise enough not to actually click on the downloaded file, even if it does appear to have been delivered by a legitimate domain. But here's the most perturbing part: Hafif will show how he created code for a worm that could easily spread malicious links containing RFD attack code across the world's biggest social networks. Anyone who clicked the links he created risked handing over their cookies, though real criminals could craft attacks that would do much worse. They could take over reams of machines. Hafif believes it's the first cross-social-network worm ever created. One security expert, who wished to remain anonymous, noted that if the findings are correct, this method could be devastating.

Many sites are vulnerable to RFD. Hafif told me that he'd come unstuck in the disclosure process, having already informed Google and Microsoft's Bing.com that their sites were vulnerable to RFD attacks back in May – both have now addressed the issue. That's because he had at least 20 major websites that could be exploited using his techniques and it was not feasible to go through the process of informing each. Many more websites that accept and reflect user input are likely affected. If they are using JSON, an easy-to-use format for storing and exchanging data, they are almost certainly vulnerable to an instance of reflected file download, according to Hafif. "If I were to name all sites that were vulnerable I'd have to extend our talk – I've found a lot of websites are vulnerable, I'm talking about big vendors."


In his disclosure to Google, Hafif showed how an attacker could send a link from the trusted Google.com domain that would download an exploit file called ChromeSetup.bat. This file, if executed by the target, would open a Google Chrome connection to the attacker's website, bypassing the Same Origin Policy protection that should stop bad code passing between sites. Hafif even figured out a way to prevent pop-ups and other warnings from appearing. Scripts from the hacker's website could then grab information from that domain, such as emails from Gmail, and pass it on to the attacker's own server.

Hafif, who has received numerous rewards from Google for uncovering bugs in the tech titan's software, said he wanted to take his exploit further by giving it "super powers" that had the potential to create carnage across the web. After a user's machine was taken over following an RFD attack, the hacker could force the browser to open up windows for social networks or email accounts and have the link automatically shared, Hafif added. As he noted in the disclosure document, there were no limitations to the propagation methods of such a worm and it can include any website that the user is logged into.

Few protections outside of closing off RFD vulnerabilities are effective. Anti-virus is highly unlikely to pick up on malware that appears to be a product of the browser. A well-informed user might note the unnecessary download and shut it down manually, however. Or they might know not to click on links that are in any way suspicious.
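The article says the only effective fix is closing off the RFD vulnerability itself: a JSON endpoint that reflects user input must not let a request choose the downloaded file's name or let reflected text behave like a command. The following is an added example written for this page, not code from the article or from Trustwave; the allow-list of permitted characters, the response-builder and the `rfd_findings` review helper are all assumptions about how a defender might harden and audit such an endpoint, and the controls applied (a pinned `Content-Disposition` filename, `X-Content-Type-Options: nosniff`, escaped JSON and filtered reflected input) are general mitigations, not ones the article spells out.

```python
import json
import re

# Hypothetical allow-list for text an API is willing to echo back.  Quotes,
# pipes, ampersands and semicolons are deliberately excluded because they are
# what lets a reflected value break out of the JSON string and read as a
# command when the response is saved and executed as a file.
_SAFE_REFLECTED = re.compile(r"[A-Za-z0-9 _.,@-]*")

# Shell/batch metacharacters a reviewer does not want to see in a response body.
_SHELL_META = re.compile(r"[|&;<>`]")


def is_safe_reflected(text: str) -> bool:
    """True if `text` contains only characters from the allow-list above."""
    return _SAFE_REFLECTED.fullmatch(text) is not None


def build_json_response(reflected: str, filename: str = "api-response.json"):
    """Return (headers, body) for a JSON endpoint that echoes user input.

    Hardening applied (assumed mitigations, not from the article):
      1. reject reflected input outside the allow-list;
      2. serialize with json.dumps(ensure_ascii=True) so quotes and
         backslashes are escaped;
      3. pin the download name with Content-Disposition so a URL path suffix
         such as /ChromeSetup.bat cannot pick the saved file's name;
      4. X-Content-Type-Options: nosniff so the browser does not reinterpret
         the body as something other than JSON.
    """
    if not is_safe_reflected(reflected):
        raise ValueError("reflected input contains disallowed characters")
    body = json.dumps({"q": reflected, "results": []}, ensure_ascii=True)
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        "Content-Disposition": f'attachment; filename="{filename}"',
        "X-Content-Type-Options": "nosniff",
    }
    return headers, body


def rfd_findings(headers: dict, body: str) -> list:
    """Review a captured response for the controls above; return the gaps."""
    findings = []
    h = {k.lower(): v for k, v in headers.items()}
    if "filename=" not in h.get("content-disposition", ""):
        findings.append("no fixed filename in Content-Disposition")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if not h.get("content-type", "").startswith("application/json"):
        findings.append("Content-Type is not application/json")
    try:
        json.loads(body)
    except ValueError:
        findings.append("body is not valid JSON")
    if _SHELL_META.search(body):
        findings.append("body contains shell metacharacters")
    return findings


if __name__ == "__main__":
    # Constructed sample: a hardened response and a weak one for comparison.
    hdrs, body = build_json_response("hello world")
    print(rfd_findings(hdrs, body))
    print(rfd_findings({"Content-Type": "application/json"}, '{"q": "a|b"}'))
```

`rfd_findings` is the part worth running over real captures: point it at the headers and body of any endpoint that echoes a query parameter and it lists which of the four controls is absent, which is usually a faster triage step than reading each response by hand.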

As far as anyone knows, no RFD attacks have been used by actual criminals. "Though there's no reason they wouldn't have used the techniques under the radar," adds Hafif.

It's debatable as to whether RFD is really a zero-day attack technique, notes researcher Andreas Lindh. "It's a pretty sneaky attack method but it seems to require both a successful and quite target-specific phishing attack along with some user interaction to work," he tells me over email. "This isn't really a new attack per se, it's basically just the domain where the file is downloaded from that is new. Anyone can create a modified Chrome.exe file and have people download it, just not from google.com."

His colleague Ben Hayak will be talking about a separate, previously unknown zero-day attack method at the same Amsterdam-based conference, which he's called Same Origin Method Execution (SOME). This takes advantage of JSON padding (JSONP), which is legitimately used to get around those Same Origin Policy protections that stop websites pulling untrusted code from others. Often, web apps have been purposefully designed to access services from other sites, such as where geolocation services are contacted to determine where the user is from to tailor content. They often use JSON padding to do this, but this opens the site up to attacks that exploit the callback code on the site that handles what is coming from that external server.

An attacker hoping to use SOME would first have to build a setup on their own site where they would add placeholders, such as additional webpages running in the background, that waited to abuse the JSON padding. As soon as a target clicks on a link crafted by the hacker, they would be redirected to a legitimate yet vulnerable site, which would receive malicious code from those placeholders. They could then be forced into performing any action on that domain.
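The weak point the article describes is the callback code a site runs on whatever comes back through its JSONP endpoint. The following is an added example for this page, not code from the article or from Hayak's research: a hypothetical JSONP responder that validates the `callback` parameter before echoing it. The identifier grammar, the length limit and the optional allow-list are assumptions. The design point is that a purely syntactic check still accepts a dotted path (for instance into another window's DOM), so the allow-list of callback names the application actually registered is the control that matters, and the syntactic check only backstops it.

```python
import json
import re

# A JavaScript identifier, optionally dotted ("app.onData").  Assumed grammar
# for this example; it deliberately rejects brackets, parentheses, quotes,
# semicolons and whitespace so the callback cannot carry arbitrary code.
_CALLBACK_RE = re.compile(r"[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*")
_MAX_CALLBACK_LEN = 64  # arbitrary cap chosen for this example


def validate_callback(name: str, allowed=None) -> bool:
    """Accept `name` only if it is a plain (dotted) identifier and, when an
    allow-list is supplied, one of the callbacks the application registered.
    """
    if not name or len(name) > _MAX_CALLBACK_LEN:
        return False
    if _CALLBACK_RE.fullmatch(name) is None:
        return False
    if allowed is not None and name not in allowed:
        return False
    return True


def jsonp_response(data, callback: str, allowed=None):
    """Return (headers, body) for a JSONP reply, or None if the callback is
    rejected (the caller is expected to answer with HTTP 400)."""
    if not validate_callback(callback, allowed):
        return None
    # Leading comment defeats content-sniffing tricks in some older browsers;
    # json.dumps escapes the payload so data cannot close the call early.
    body = "/**/" + callback + "(" + json.dumps(data) + ");"
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return headers, body


if __name__ == "__main__":
    # Constructed sample: the application registered exactly one callback.
    registered = frozenset({"handleGeo"})
    print(jsonp_response({"country": "NL"}, "handleGeo", registered))
    # Syntactically valid dotted path, but not a registered callback: rejected.
    print(jsonp_response({}, "opener.document.body.click", registered))
    # Not even an identifier: rejected.
    print(jsonp_response({}, "alert(1)//", registered))
```

Run with an allow-list in production; `validate_callback(name)` without one is only useful for the first pass of a code review, where the question is whether the endpoint checks the parameter at all.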

"For example, if we have a SOME vulnerability in the Shopping.com domain, the attacker will choose any page in Shopping.com where there's a 'Buy this' button," Hayak adds. "The attacker will build a setup that includes enough placeholders to follow the flow of buying an item on behalf of the user. If an 'Are you sure' confirmation is required we will just make another placeholder."

Hayak says he found the vulnerability in Google+ and the tech titan is addressing the issue. Google had not responded to a request for comment at the time of publication.

"The possibilities are kind of limitless," Hayak says. Limitless – a rather pejorative term in this context, but one that will be spoken often at Black Hat next week.
