Imagine you are sitting in front of your computer and all of a sudden you hear weird sounds coming from your hard drive. You think, “what happened?” At first glance nothing -- but your browser is open and you don't remember any backup applications being active. Why is your hard drive working so hard? You ponder it and then wave it off, thinking it's probably just some index process running in the background.
A couple of minutes later, when it doesn't stop, you really get paranoid and recall that you don't have a backup plan. Besides, what sort of index process runs in the middle of the day anyway? Quickly you launch your task manager. After going over the processes one by one, you come to the conclusion that nothing unusual seems to be happening. The only message you get from your anti-virus is an old warning about a copy of netcat you stored on your hard disk from way back when. By now you're pretty much convinced it's nothing and the sounds have disappeared, so it couldn't be anything serious, right?
The root of all evil
Browsers are competing with operating systems as the next application development platform. The rapid development of Web 2.0 keeps pushing browser developers toward implementing advanced features that enable a new user experience, with personalization and customization delivered through interactive multimedia applications. This lays the groundwork for a fertile environment in which a new breed of malware can come to life.
Myth or truth?
Is there more to it?
What is worth implementing in such malware? The answer is the LAN-to-WAN bridging attack.
Tab browsing, which is supported by both Microsoft IE 7.0 and Mozilla Firefox, opens the way for LAN-to-WAN bridging. It's common for company employees to open one tab connecting to, say, the enterprise ERP application while another tab shows an external web page. This can be exploited by malware that acts as a "proxy" between the organization's intranet and the outside internet. Because the browser attaches cached passwords, saved session identifiers and cookies to requests it makes to the intranet application, information and resources there can be browsed, manipulated and exported.
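The bridging described above works only as long as the intranet application accepts requests that another site's page triggered inside the user's browser, with the browser's ambient credentials attached. The following Node.js handler is an added example of the server-side countermeasures (it is not code from the article or from the Jinx presentation): it applies the fetch-metadata resource-isolation pattern (Sec-Fetch-Site / Sec-Fetch-Mode), falls back to an Origin/Referer allowlist for older browsers, issues the session cookie with SameSite=Strict so the browser will not attach it to cross-site requests, and never echoes an untrusted Origin in CORS headers. The origin `https://erp.corp.example` and the cookie name `sid` are assumed placeholders.

```javascript
// Added example (not from the article or the Jinx project).
// Assumed: the intranet ERP application is served from this single origin.
const TRUSTED_ORIGINS = new Set(["https://erp.corp.example"]);

// Extract the origin from a Referer URL; null if absent or unparsable.
function refererOrigin(referer) {
  if (!referer) return null;
  try {
    return new URL(referer).origin;
  } catch (_) {
    return null;
  }
}

// Decide whether a request may be served with the user's session.
// `headers` uses lower-case keys, as Node's http module delivers them.
function requestIsTrusted(method, headers) {
  const m = method.toUpperCase();
  const safe = m === "GET" || m === "HEAD" || m === "OPTIONS";
  const site = (headers["sec-fetch-site"] || "").toLowerCase();
  const mode = (headers["sec-fetch-mode"] || "").toLowerCase();
  const origin = headers["origin"] || refererOrigin(headers["referer"]);

  // Same-origin requests, and user-initiated ones (typed URL, bookmark), are fine.
  if (site === "same-origin" || site === "none") return true;

  if (site === "cross-site" || site === "same-site") {
    // Another site's page caused this request. Allow a plain link click
    // (top-level navigation with a safe method); anything else, such as a
    // fetch()/XHR or a form POST, must come from a trusted origin.
    if (safe && mode === "navigate") return true;
    return origin !== null && TRUSTED_ORIGINS.has(origin);
  }

  // No fetch metadata (older browser): safe methods pass, state-changing
  // methods must carry a trusted Origin or Referer.
  if (safe) return true;
  return origin !== null && TRUSTED_ORIGINS.has(origin);
}

// Session cookie the browser will not attach to requests another site initiates.
function sessionCookie(name, value) {
  return `${name}=${value}; Path=/; Secure; HttpOnly; SameSite=Strict`;
}

// CORS headers: only allowlisted origins are reflected, and "*" is never
// combined with credentials. Untrusted origins get no CORS headers at all,
// so the same-origin policy keeps their scripts from reading the response.
function corsHeaders(origin) {
  if (origin && TRUSTED_ORIGINS.has(origin)) {
    return {
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Credentials": "true",
      Vary: "Origin",
    };
  }
  return {};
}

// Request handler suitable for http.createServer(handler).
function handler(req, res) {
  if (!requestIsTrusted(req.method, req.headers)) {
    res.writeHead(403, { "Content-Type": "text/plain" });
    res.end("cross-site request refused\n");
    return;
  }
  const extra = corsHeaders(req.headers["origin"]);
  res.writeHead(200, {
    "Content-Type": "text/plain",
    "Set-Cookie": sessionCookie("sid", "placeholder-session-id"),
    ...extra,
  });
  res.end("ok\n");
}
```

To run it, pass `handler` to `require("http").createServer(...)` and listen on a port; the refusal branch is where a defender should also log the Origin, Referer and Sec-Fetch-* values, since a burst of refused cross-site requests against an intranet host is exactly the signal the bridging scenario would produce.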
The strength of malware based on Web 2.0 technology is its independence from the underlying operating system and architecture on which it runs. It can be implemented through a series of standard API calls and, like a real Web 2.0 application, uses the HTTP protocol as its main channel of communication and information leakage, so its traffic blends into the browser's normal footprint and produces few anomalies on the network. The potential of such malware is tremendous.
Who's filtering Google?
The Achilles' heel of every piece of malware that "phones home" is the static "drop points" and command servers on which it relies. Over time, these IPs are typically revealed and eventually blocked, leaving the malware unable to receive further commands or transfer new information.
Itzik Kotler will present “Jinx – Malware 2.0” at Black Hat USA. The presentation discusses how the rapid development of Web 2.0 keeps pushing browser developers into implementing advanced features that allow the creation of interactive multimedia applications, enabling a new breed of malware to come to life.