Long Available PAC Utility in Browsers Used in Cybercrime
According to Kaspersky researchers, Brazilian malware developers are using a feature that has long been available in the most advanced browsers to launch attacks that redirect unwary victims to malicious sites without their knowledge, as reported by infosecurity.com on April 14, 2010.
This long-available feature is known as PAC (proxy auto-config), and it is now showing up in banking Trojans.
Fabio Assolini, a lab expert at Kaspersky, said that PAC is supported by all current Internet browsers and is used to direct a browser to a particular proxy server, as reported by infosecurity.com on April 14, 2010.
A proxy server is a computer that accesses the Internet on behalf of a user's computer and returns the results to it. Systems administrators often use proxy servers as a gateway between an organization's computers and the Internet. PAC files are deployed on client machines so that the Internet is always accessed through a protected gateway.
Assolini said it is unfortunate that Brazilian malware creators are extensively using this simple yet clever technique to forward infected victims to malicious hosts that serve phishing Web pages for financial institutions, as reported by infosecurity.com on April 14, 2010.
Assolini added that a user infected with a banking Trojan will be redirected to a phishing website hosted on the malicious proxy server whenever they attempt to access any of the websites listed in the script.
Moreover, even browsers designed securely from the bottom up, such as Google's Chrome, are vulnerable to this particular attack: the malware alters the prefs.js file to add a malicious proxy and then installs a malicious dynamic link library (DLL) that rewrites the proxy setting whenever it is removed.
This attack is an interesting variation on the more traditional redirection attack that modifies the Windows Hosts file.
» SPAMfighter News - 27-04-2010