Long Available PAC Utility in Browsers Used in Cybercrime

According to Kaspersky researchers, Brazilian malware developers are using a feature that has long been available in the most advanced browsers to launch attacks that redirect unwary victims to malicious sites without their knowledge, as per the news published by infosecurity.com on April 14, 2010. The feature is known as PAC (proxy auto-config), and it is now showing up in banking Trojans.

Fabio Assolini, a lab expert at Kaspersky, said that PAC is accepted by all the latest Internet browsers. PAC is used to send browsers to a particular proxy server. A proxy server is a computer that accesses the Internet on behalf of a user's computer and returns the results to it. Systems administrators often use proxy servers as a gateway between the Internet and an organization's computers. PAC files are set on client machines so that the Internet is always accessed through a protected gateway.

A PAC file contains the text of a single JavaScript function, FindProxyForURL(). The Web browser invokes this function every time a Web object or piece of content is about to be fetched, passing it two arguments: the object's URL and the hostname derived from that URL.

Assolini said it is unfortunate that Brazilian malware creators are extensively using this simple yet smart technique to forward infected victims to malicious hosts that serve phishing Web pages of financial institutions. He further said that a user infected with a Trojan banker will be redirected to a phishing website hosted at the malicious proxy server if he attempts to access any of the websites listed in the script.
Moreover, even browsers designed for security from the bottom up, like Google's Chrome, are vulnerable to this particular attack, as it alters the file prefs.js in order to add a malicious proxy and then inserts a malicious dynamic link library (DLL) that writes the proxy setting again whenever it is removed. The attack is an interesting variation on the more traditional redirection attack that uses the Windows Hosts file.

SPAMfighter News - 4/27/2010
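For defenders reviewing a PAC file found on a client machine, the following added example (not code from the article or from Kaspersky) evaluates FindProxyForURL() against a watch list of hostnames and flags a script that diverts only a few of them to a proxy while the rest go direct. The sample PAC text, the hostnames, the 203.0.113.10 address and the auditPac helper are all constructed for illustration.

```javascript
// Constructed sample PAC text (not from any real sample): two hosts are
// diverted to a proxy, everything else goes direct. All names are placeholders.
const SAMPLE_PAC = `
function FindProxyForURL(url, host) {
  if (shExpMatch(host, "*.bank.example") || dnsDomainIs(host, "pay.example"))
    return "PROXY 203.0.113.10:8080";
  return "DIRECT";
}`;

// Minimal versions of helper functions that PAC scripts commonly call.
const helpers = {
  isPlainHostName: (host) => !host.includes("."),
  dnsDomainIs: (host, domain) =>
    host === domain || host.endsWith("." + domain.replace(/^\./, "")),
  shExpMatch: (str, glob) => {
    const re = glob.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                   .replace(/\*/g, ".*").replace(/\?/g, ".");
    return new RegExp("^" + re + "$").test(str);
  },
};

// Evaluate the PAC text and record its routing decision for each hostname.
// This executes the script: analyse untrusted PAC files only on an isolated host.
function auditPac(pacText, hosts) {
  const names = Object.keys(helpers);
  const find = new Function(...names, pacText + "\nreturn FindProxyForURL;")(
    ...names.map((n) => helpers[n]));
  const decisions = hosts.map((host) => ({
    host,
    route: String(find("https://" + host + "/", host)).trim(),
  }));
  const proxied = decisions.filter((d) => !/^DIRECT$/i.test(d.route));
  // Selective proxying: a short list of hosts is diverted while others go
  // direct. A gateway PAC normally proxies nearly all external hosts instead.
  const selective = proxied.length > 0 && proxied.length < decisions.length;
  return { decisions, proxied, selective };
}

// Constructed watch list: sensitive hosts plus unrelated control hosts.
const WATCH = ["www.bank.example", "pay.example", "news.example", "intranet"];
const report = auditPac(SAMPLE_PAC, WATCH);
console.log(report.selective ? "SELECTIVE PROXYING" : "uniform routing");
for (const d of report.proxied) console.log(`${d.host} -> ${d.route}`);
```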