Share

Related Links

Top 5 Stories

News

Attackers use PAC feature to redirect browsers

14 April 2010

Brazilian malware writers are making use of a long-available feature within most modern browsers to launch attacks that redirect victims to malicious websites without their knowledge. The feature, known as proxy auto config, is turning up in banking trojans, according to researchers from Kaspersky.

Proxy auto config (PAC) is a feature accepted by all modern browsers, according to Fabio Assolini, a lab expert at Kaspersky. It contains a function to redirect browsers to a specific proxy server. A proxy server is a computer that accesses the Internet on a computer user's behalf, and feeds it the results. Proxy servers are often used by systems administrators as a gateway between an organization's computers and the Internet, and PAC files are set on client machines so that they always access the Internet through a protected gateway.

"Unfortunately this simple and smart proxy technique is being largely used by Brazilian malware writers to redirect infected users to malicious hosts serving phishing pages of financial institutions," Assolini said. "After being infected by a Trojan banker, if a user tries to access some of the websites listed in the script, they will be redirected to a phishing domain hosted at the malicious proxy server."

Even browsers designed securely from the bottom up, such as Google's Chrome, are susceptible to this attack, which changes the file prefs.js to insert a malicious proxy before adding a malicious dynamic link library to always rewrite the proxy, if it is removed.

This attack is an interesting variation on a more conventional redirection attack involving the Windows Hosts file. This is a plain text file containing a list of Domain Name System lookups, which a Windows computer will refer to first, before trying to resolve a domain name using an external server. Malware that alters DNS entries in a Hosts file instructs a Windows computer to visit any malicious IP address that the attacker wants when the user types in a legitimate web address, such as one for an online bank, for example.

This article is featured in:
Internet and Network Security  •  Malware and Hardware Security

 

Comment on this article

You must be registered and logged in to leave a comment about this article.

We use cookies to operate this website and to improve its usability. Full details of what cookies are, why we use them and how you can manage them can be found by reading our Privacy & Cookies page. Please note that by using this site you are consenting to the use of cookies. ×