Monday, September 11, 2006

De-Anonymize Web Surfers with JS Malware

RSnake's research continues with another choice discovery by connecting together various JavaScript Malware hacks. To get the full technical picture you'll have to read several posts, starting with DNS Pinning Just Got Worse and Using CSS to De-Anonymize. This stuff gets complicated really quickly, not sure if I understand it all yet.

The deal here is that JavaScript Malware has access to a browser's DOM and History. We knew that from my ealier JS/CSS History PoC. Once your browser is infected with JavaScript Malware, the attacker makes educated guesses at internal network hostnames common to organizations (http://intranet/) to see if you've been there. And if its not in your history, they'd use iframes and force a user to visit the URL, then re-check the history. Once they have an intranet target, use DNS pinning, and read the website across domains. They now know whom you work for. Rinse repeat and find out more about the victim.

Hack upon hack upon hack.

No comments: