Reflected File Download (RFD) attack method with malware

Reflected File Download (RFD)

Unbelievable as it might sound, a security researcher has created a attack technique that has the ability to hack your computer when you try and log in to popular and renowned website like Google. It is a known fact that it is possible to create a worm or malware that can automatically give the control of a machine to a hacker. But the malware injected via the Reflected File Download (RFD)  can be present on what appears to be a legitimate link and once downloaded by a user, will seize control of the victim and hand it over to the attacker.

This attack technique has been discovered by Oren Hafif, a Trustwave SpiderLabs security researcher.  Worse news is that he has also developed a worm to take advantage of RFD technique.

Let’s see how Reflected File Download (RFD) and this worm works:

  • A user accesses a popular website, say Google for example.
  • When u click on the link you think is legitimate, this worm will cause a download to begin automatically.
  • This file, if executed by the target, would open a Google Chrome connection to the attacker’s website, bypassing the Same Origin Policy (SOP) protection that should ideally stop bad code passing between tabs.
  • Scripts from the hacker’s website could then grab information from that domain, such as emails from Gmail, banking details from your bank website and pass it on to the attacker’s own server.

Anti virus proof

Hafif has even generated a way in the malware to prevent system warnings and other pop-ups from appearing, so the user won’t even know what hit him till after its too late. Current security measures like firewalls and anti-viruses are futile against this worm. The sad news is that Anti-virus engines won’t even detect the hack. And once the file has been executed, there is no security mechanism as of yet to stop it.

Chrome.exe

In his disclosure to Google, Hafif showed how an attacker could send a link from the trusted Google.com domain that would download an exploit file called “ChromeSetup.bat”. This file, if executed by the target, would open a Google Chrome connection to the attacker’s website, bypassing the Same Origin Policy protection that should stop bad code passing between sites and tabs. Once executed, the scripts from the hacker’s website could then grab information from that domain, such as emails from Gmail, banking credentials from a bank website etc. and pass it on to the attacker’s own server.

Demo at Black Hat Conference

Oren Hafif is a renowned researcher, earning plenty of rewards and bounties from Google for figuring out bugs and errors in their software. He has christened this technique Reflected File Download (RFD). He intends to demonstrate this new technique at the Black hat Europe conference taking place in the next week in Amsterdam, Netherlands.

Hafif will show how he created code for a worm that could easily spread malicious links containing RFD attack code across the world’s biggest social networks. Anyone who clicked the links he created risked handing over their cookies, though real criminals could craft attacks that would do much worse.

There are very few solutions to an RFD attack as of now. User prudence may be the only key defense against this worm. However this is just a proof of concept developed by Hafif, as yet, there has not been any known instance of RFD being used as an attack method so far.

Lets see how the demonstration presented by Hafif goes!

 

 

 

Credit: Delwyn Pinto, techworm

 

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s