Related Links

Related Stories

  • Kaspersky patents code-tracing technology
    Kaspersky has successfully patented technology that enables analysts to trace the activity of software code without infringing upon intellectual property.
  • Twitter not adequately checking URLs, says Kaspersky
    Twitter is failing to block malicious websites that are being posted to it via URL shortening services, according to researchers from Kaspersky, who have applied their own back-end service to help solve the problem.
  • Kaspersky researcher criticizes Facebook developer policy
    Malware attacks are becoming more targeted and more focused on social networks, according to a researcher at Kaspersky, who slammed Facebook for problems with its application certification process.
  • More details emerge on Kaspersky hack
    As more details of the Kaspersky web site hack came to light yesterday, the same hacking forum posted details of a similar SQL injection attack, this time on a Portugese reseller for anti-malware firm BitDefender.
  • Kaspersky site hacked over weekend
    Anti-malware vendor Kaspersky's site was hacked over the weekend, using an SQL injection attack. While admitting that the site was vulnerable, Kaspersky is denying that the vulnerabiity was critical. The hacker nevertheless listed what he said was the full set of tables from the firm's MySQL database.

Top 5 Stories


Attackers use PAC feature to redirect browsers

14 April 2010

Brazilian malware writers are making use of a long-available feature within most modern browsers to launch attacks that redirect victims to malicious websites without their knowledge. The feature, known as proxy auto config, is turning up in banking trojans, according to researchers from Kaspersky.

Proxy auto config (PAC) is a feature accepted by all modern browsers, according to Fabio Assolini, a lab expert at Kaspersky. It contains a function to redirect browsers to a specific proxy server. A proxy server is a computer that accesses the Internet on a computer user's behalf, and feeds it the results. Proxy servers are often used by systems administrators as a gateway between an organization's computers and the Internet, and PAC files are set on client machines so that they always access the Internet through a protected gateway.

"Unfortunately this simple and smart proxy technique is being largely used by Brazilian malware writers to redirect infected users to malicious hosts serving phishing pages of financial institutions," Assolini said. "After being infected by a Trojan banker, if a user tries to access some of the websites listed in the script, they will be redirected to a phishing domain hosted at the malicious proxy server."

Even browsers designed securely from the bottom up, such as Google's Chrome, are susceptible to this attack, which changes the file prefs.js to insert a malicious proxy before adding a malicious dynamic link library to always rewrite the proxy, if it is removed.

This attack is an interesting variation on a more conventional redirection attack involving the Windows Hosts file. This is a plain text file containing a list of Domain Name System lookups, which a Windows computer will refer to first, before trying to resolve a domain name using an external server. Malware that alters DNS entries in a Hosts file instructs a Windows computer to visit any malicious IP address that the attacker wants when the user types in a legitimate web address, such as one for an online bank, for example.

This article is featured in:
Internet and Network Security  •  Malware and Hardware Security


Comment on this article

You must be registered and logged in to leave a comment about this article.

We use cookies to operate this website and to improve its usability. Full details of what cookies are, why we use them and how you can manage them can be found by reading our Privacy & Cookies page. Please note that by using this site you are consenting to the use of cookies. ×