Long Available PAC Utility in Browsers Used in Cybercrime

According to Kaspersky researchers, Brazilian malware developers are using a feature that has long been available in all major browsers to redirect unwary victims to malicious sites without their knowledge, as reported by infosecurity.com on April 14, 2010.

This long-standing feature is Proxy Auto-Config (PAC), and it is now showing up in banking Trojans.

Fabio Assolini, a lab expert at Kaspersky, said that PAC is supported by all current Internet browsers and is used to direct a browser to a particular proxy server, as reported by infosecurity.com on April 14, 2010.

A proxy server is a computer that accesses the Internet on behalf of a user's computer and returns the results to it. Systems administrators often use proxy servers as a gateway between an organization's computers and the Internet. PAC files are installed on client machines so that the Internet is always accessed through that protected gateway.

A PAC file contains the text of a single JavaScript function, FindProxyForURL(). The browser invokes this function every time a Web object is about to be fetched, passing it two arguments: the object's URL and the hostname derived from that URL. The value the function returns tells the browser whether to fetch the object directly or through a particular proxy.

Assolini said it is unfortunate that Brazilian malware creators are extensively using this simple yet clever technique to forward infected victims to hostile hosts that serve phishing pages imitating financial institutions, as reported by infosecurity.com on April 14, 2010.

Assolini added that when a user infected with a banking Trojan attempts to access any of the websites listed in the script, the user is redirected to a phishing website hosted on the malicious proxy server.

Even browsers designed for security from the ground up, such as Google's Chrome, are vulnerable to this particular attack: the malware alters the prefs.js file to add the malicious proxy, then installs a malicious dynamic link library (DLL) that rewrites the proxy setting whenever it is removed.

The attack is an interesting variation on the more traditional redirection attack that modifies the Windows Hosts file.

» SPAMfighter News – 27-04-2010
