
How web-browser automation helps purveyors of malware

Once again, convenience is at odds with security. Learn how web browsers making life easy for users also helps the bad guys.

Web browsers have matured into capable software tools. Getting to this point required significant effort by dedicated developers, who continue to enhance their code in order to provide an ever more gratifying user experience.

[Image: Prefetch1.png]

These enhancements come at a price—increased complexity. Like today's automobiles, web browsers have become so complicated that it’s almost a waste of time to look under the hood when something’s not operating correctly.

Sadly, there’s additional fallout from the inherent complexity; it’s easier for nefarious types to find cracks in the code or manipulate existing code to further their own agenda.

Fortunately, there are developers willing to think like bad guys, figure out possible attack scenarios, and tell us about them. One such developer is Kyle Adams of Juniper Networks. In his blog post, What is Your Browser Doing Behind Your Back, Kyle takes a look at several automated "behind the scenes" browser processes that attackers could leverage to steal sensitive user information such as bank account numbers. Let’s start by looking at DNS Prefetching.

DNS prefetching

Take a second, and count the number of links on this article’s web page. Click one. It loads fast, doesn’t it? That's because web browsers use DNS prefetching to resolve the DNS information for every link on the rendered TechRepublic web page, just in case the user clicks on one of them.

Kyle explains how an attacker could leverage DNS prefetching: "If an attacker puts a hidden link on a page that points to their domain, and sets up his DNS server, he can be notified when you view the page and get your IP address—even if you never click the link. This is bad in the case of emails and forums."

The key piece of information is “even if you never click the link.” What if a nefarious type managed to get a link placed on a high-traffic website? And that link pointed to a malicious website devised to download malware automatically? If the computer is vulnerable, it’s a done deal. Unfortunately, this happens all the time, particularly when websites use third-party advertising. Next on Kyle’s list was page prefetching.
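From the site operator's side, the hidden-link trick Kyle describes can be audited for: the script below (an added example, not part of the article or of Kyle Adams' post) scans static HTML for links to third-party hosts that are hidden from the reader, and checks whether the page opts out of DNS prefetching with the `x-dns-prefetch-control` meta tag. The host names and the sample page are constructed for illustration.

```javascript
// Added example, not from the article or Kyle Adams' post: audit static HTML
// for hidden links to third-party hosts (which a browser with DNS prefetching
// resolves without any click) and check for the x-dns-prefetch-control opt-out.
// Regex-based scan; adequate for static markup, not a full HTML parser.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  return attrs;
}

// Inline-style tricks commonly used to keep a link out of sight.
function isHiddenStyle(style) {
  const s = (style || '').replace(/\s+/g, '').toLowerCase();
  return /(^|;)(display:none|visibility:hidden|opacity:0|font-size:0)(;|$)/.test(s);
}

// True if the document carries <meta http-equiv="x-dns-prefetch-control" content="off">.
function prefetchDisabled(html) {
  for (const tag of html.match(/<meta\b[^>]*>/gi) || []) {
    const a = parseAttrs(tag);
    if ((a['http-equiv'] || '').toLowerCase() === 'x-dns-prefetch-control' &&
        (a.content || '').toLowerCase() === 'off') return true;
  }
  return false;
}

// pageHost: the host serving the page; links to any other host are third-party.
function auditHtml(html, pageHost) {
  const hiddenExternalLinks = [];
  for (const tag of html.match(/<a\b[^>]*>/gi) || []) {
    const attrs = parseAttrs(tag);
    if (!attrs.href) continue;
    let host;
    try { host = new URL(attrs.href, `https://${pageHost}/`).hostname; } catch { continue; }
    if (host === pageHost) continue;
    const hiddenAttr = /\shidden(?=[\s>=])/i.test(tag); // bare HTML "hidden" attribute
    if (hiddenAttr || isHiddenStyle(attrs.style)) hiddenExternalLinks.push({ host, tag });
  }
  return { hiddenExternalLinks, prefetchDisabled: prefetchDisabled(html) };
}

// Constructed sample: a forum page carrying two hidden third-party links.
const SAMPLE_HTML = `<html><head><title>Thread</title></head><body>
<a href="/profile/alice">alice</a>
<a href="https://cdn.example.net/pixel" style="display: none">x</a>
<a href="https://tracker.example.org/p" hidden>.</a>
<a href="https://partner.example.com/">visible partner link</a></body></html>`;

// Same page with DNS prefetching turned off for the whole document.
const SAMPLE_HTML_HARDENED = SAMPLE_HTML.replace('<head>',
  '<head><meta http-equiv="x-dns-prefetch-control" content="off">');
```

Running `auditHtml(SAMPLE_HTML, 'forum.example.com')` reports the two hidden links and `prefetchDisabled: false`; the hardened variant reports `prefetchDisabled: true`.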

Page prefetching

I became aware of page prefetching when I wrote this article about Google Instant. Google Instant guesses what you are typing into Search. Then, Instant displays (along with prefetching the associated DNS information) what it thinks you are looking for, usually before you finish typing. Great idea. The bad guys think so as well, now that they have figured out how to game the system.

In my article, I used the search entry of Antivir Solution Pro as an example. At that time, Antivir Solution Pro was the name given to some nasty malware. Notice in the slide below what Google Instant guessed after I typed in just "anti." Sure enough, Antivir Solution Pro was Instant’s first choice.

[Image: Prefetch2.png]

Many people thought they were going to a website offering an official antivirus product like Antivir or Antivirus Solution, but ended up getting a computer full of malware. Kyle then moved on to session cookies.

Session cookies

Web browsing without session cookies would be a major pain. Session cookies allow a web browser to remember the user’s information when moving from one web page to another on the same website. There is a problem though. Kyle explains, “Some browsers, most notably Chrome, do not delete session cookies when you clear the cookies. This means even if you clear your cookies, sites can keep tracking you until you close your browser.”

I’m trying to determine which web browsers retain session cookies, and which do not. It seems there are varying opinions. Retaining session cookies is not normally an issue, but it is important to understand that if session cookies are persistent, another user could resume an earlier session and access potentially sensitive web pages—something you may not want to happen. And finally, Kyle looks at plug-ins.

Plug-ins

Plug-ins are software that allow users to customize an application, adding significant versatility to web browsers. I’d be lost without my ad blocking plug-in. Kyle states his concern: “Each plug-in operates with an immense amount of privileges. They can look at everything the user does, mess with content on their system, and make requests without the user knowing.”

Kyle offered this example:

Plug-ins commonly shipped with antivirus applications are designed to warn you when you visit a malicious page. However, in order for the AV vendor to know you’re visiting a malicious page, they need to know every page you do visit. This means that as you browse the Internet, the entire sum of your Internet activity is being silently shipped to a third party.

Kyle went on to mention that he would consider most AV vendors trustworthy, but Kyle also noted that some plug-ins do not encrypt the data, so the data is fair game in transit to the AV vendor’s servers.

Final thoughts

I’m afraid the “cat is out of the bag” on the four web browser processes Kyle talked about. I intend to keep using them. But knowing what Kyle has uncovered allows us to be careful in how we use them.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

9 comments
eaglewolf

I run CCleaner and use it multiple times a day. One of the options of things to remove is 'old prefetch data.' Check that directory in your system .. usually, there is a huge amount of data in it .. that you really don't need to run your system.

CCleaner also gets rid of 'temp' files .. as opposed to 'temporary internet files' (another useless appendage). You'll find bits and pieces of malware stored in both. Why? Users don't know they exist or that it's ok to delete them all. It's a 'safe' place for hackers/scammers to store things that will never be deleted or disturbed. In the 'advanced options' for IE, there is a line for 'Empty Temporary Internet Files folder when browser is closed.' You don't need those - and the default is to pile up gigabytes of them.

Excellent program .. along with Ghostery that happily blocks up to 18+ trackers per website.  Amazing what's watching where you go.

shiny_topadm

Ok, so apart from a general understanding of what is really happening, what should we do in the business world to protect our systems and users? Can we rely on the commercial a/v vendors to keep up? Should we be modifying our installations and giving the users one more reason why they cannot use their browser of choice?

Since the browser producers created these features for 'our' convenience, can we look forward to being able to switch them off? Or are there third-party vendors ready to help us modify these environments?

lehnerus2000

I've noticed that browsers "Pre-Download" installers.

When I try to get installers for program updates, the files are often over 50% finished, as soon as I click on the download link!

My Internet connection isn't fast enough to instantly download 20 MB.

Michael Kassner

@eaglewolf  

Someone told me that CCleaner was able to remove that information, but I was not able to affirm it. Thank you for doing so. 

Michael Kassner

@shiny_topadm 

Excellent questions. I will try to help. The DNS prefetch is specific to the web browser. I am learning that group policies seem to work with Internet Explorer. Whereas other companies have a white or black list setup so that malicious websites will not open.

Session keys I suspect will be user education. Asking them to close the web browser after visiting a sensitive web site. 

Group policies will also control plug-ins for Internet Explorer, other web browsers I am unsure of any solutions as of yet. I hope other members more knowledgeable than myself will have solutions. 

KKloepfer

What I have noticed is as soon as I click on a download link in Chrome it starts downloading, even while I am selecting a download location. If I have a 2 MB/s connection and it takes me 10 seconds to select a download location, that would provide the appearance of having already downloaded 20 MB when the file shows up in the download manager.

lehnerus2000

@KKloepfer  

That is a plausible explanation.

My connection speed is ~600 kB/s maximum.

I usually prepare a folder in my Downloads partition, before I attempt to get updates.

I doubt that it takes 30 seconds for me to locate the folder though (even with my directory structure). :) 

I'm using Pale Moon (a Firefox variant), but I also noticed it with Firefox.

It doesn't seem to occur on all sites.

Michael Kassner

@KKloepfer 

Interesting, thank you for sharing. Did you notice how fast links on this page loaded compared to the original page? 
