Blogs & Stories

Trustwave Blog

The Trustwave Blog empowers information security professionals to achieve new heights through expert insight that addresses hot topics, trends and challenges and defines best practices.

SpiderLabs Researcher to Describe New Attack Method, Trustwave Protection in Place

Trustwave researcher Oren Hafif, a member of our SpiderLabs team, has created code for what would be the first cross-social network worm, capable of stealing victims' browser cookies - or worse. The worm utilizes a new technique, called Reflected File Download (RFD) and discovered by Hafif, to trick victims into downloading malicious content.

He is set to report on these findings this week at Black Hat Europe 2014 in Amsterdam.

Some of the world's largest websites are vulnerable to this new web-based attack method, Hafif told Forbes.com. The attack could, for example, deliver a malicious file - via a targeted phishing attack - that appears to come from a trusted domain, such as Google.com. If executed, the file opens a Google Chrome connection to the attacker's website. The attack also bypasses Same Origin Policy, a security feature that is designed to prevent scripts from unrelated websites from interacting.

Hafif told the Trustwave Blog that it's critical that research such as this gets into the hands of the defenders.

"The past cannot be changed," he said. "RFD might have been exploited by bad guys for years now or it might be a completely new vector that attackers were not aware of. Either way, research like this makes sure that when RFD is exploited in the future, it show up on our radars, and we can act on it."

The Forbes article notes that "few protections outside of closing off RFD vulnerabilities are effective" and that traditional anti-virus products will fail to detect malware that appears to be legitimately produced by the browser.

We can tell you that protection provided by Trustwave Secure Web Gateway (SWG) or Trustwave Managed Anti-Malware is designed to block malicious content during web browsing. In other words, if an RFD attack is used to distribute malware, our technology or service will block it.

In addition, Trustwave Web Application Firewall and its "Adaption Engine" also can detect the RFD attack through our built-in rules.

Trustwave is working on additional guidance that will help our customers classify and detect RFD.

Here is the description of Hafif's talk, from the Black Hat Europe site:

"Attackers would LOVE having the ability to upload executable files to domains like Google.com...and Bing.com. How cool would it be for them if their files are downloaded without ever being uploaded? Yes, download without upload! RFD is a new web-based attack that extends reflected attacks beyond the context of the web browser. Attackers can build malicious URLs, which once accessed, download files, and store them with any desired extension, giving a new malicious meaning to reflected input, even if it is properly encoded. Moreover, this attack allows running shell commands on the victim's computer."

Dan Kaplan is manager of online content at Trustwave and a former IT security reporter and editor.