Hiding an infection in an unused SSL site

For more details visit: http://blog.stopbadware.org/2009/07/31/hiding-an-infection-in-an-unused-ssl-site

Sneaky. I guess they are trying to combat AVs with web scanners by putting it in an encrypted stream (https, not normal http) to try and evade detection.

Then how do normal users know which sites are safe?

You don’t, and the term “safe site” is one which, in these times, can’t be guaranteed.

Every 3.6 seconds a website is infected (http://forum.avast.com/index.php?topic=47096.msg396648#msg396648). So one of those could be a so-called safe site.

To get back to this topic, avast is generally very good at protecting you from these hacked sites, but this being on a secure encrypted connection, it wouldn’t be scanned by the web shield, so it could get past one measure of protection.

However, when the web page with its iframe gets saved to the browser cache so that it may be displayed, it is no longer encrypted, and the Standard Shield should scan it; it too should be able to detect it in the same way as the web shield does.

So it does not really affect us?

You have to get out of the mindset of “so it does not really affect us”, in much the same way as there truly isn’t a safe site (mentioned in an earlier topic), as even they can get hacked.

So the mindset should be: it could affect you, but avast should limit that risk, though nothing will eliminate it totally. There isn’t a single program out there that will give 100% protection. So you have to exercise caution in what you do and where you visit on the internet.

So you need to have a backup and recovery strategy in place before anything happens (and that isn’t just malware infection). If you don’t want to lose it, then back it up.

At least, it bypasses one of the layered defenses of avast! 4.8, and the resident protection can be late at times, which is the raison d’être of the Web Shield. So, in any case, the users should be warned.

Hi malware fighters,

SSL has holes bigger than Swiss cheese…
“Every SSL implementation ever is vulnerable now”
“This vulnerability can attack any SSL implementation that was ever implemented”, according to researcher Moxie Marlinspike. “Everybody made a similar mistake.” In SSL connections through https, a secure connection from server to user is set up.

The misleading trick comes from getting an SSL certificate through a Certificate Authority (CA), such as VeriSign, GeoTrust or Thawte. When the owner of a particular site like illegal.com asks a CA for a certificate, they are asked by mail to affirm that they own that site. One could also get a certificate for a subdomain, like, let’s say, paypal.com\0.illegal.com. A CA will issue a certificate for this, because they only verify the owner of the main domain, and not that of the subdomain (here, paypal.com).

Browsers stop whenever they read ‘\0’
The root of the problem is the SSL implementation inside browsers for the first part of the domain. Firefox and Internet Explorer treat paypal.com\0.illegal.com as an official PayPal site (and also the certificate that goes with it), because they stop reading a URL whenever they stumble upon a ‘\0’ in the URL code. A hacker can now easily circumvent SSL validation with whatever domain he could dream up. The only browser that is secure in this respect is Firefox 3.5.

polonus
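The null-byte trick polonus describes above, as an added worked example in C; this is not code from the thread, from any browser, or from any CA. The Common Name paypal.com\0.illegal.com comes from the post; the length-prefixed `cn_t` type, the toy `ca_owner_check` (which only looks at the registrable domain at the end of the name, as the post says CAs did), and the two browser-side hostname checks are constructed for illustration. The vulnerable check treats the CN as a C string and so stops at the first NUL; the hardened one compares using the declared length and rejects any CN containing a NUL at all.

```c
/* Added example (not from the thread, a browser, or a CA): why a Common
 * Name with an embedded NUL byte passed C-string hostname checks, and why
 * the CA side did not notice. Names and helpers are constructed. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* A Common Name as it really sits in a certificate: a byte string with an
 * explicit length. ASN.1 strings are length-prefixed and may contain 0x00. */
typedef struct {
    const unsigned char *bytes;
    size_t len;
} cn_t;

/* The name the attacker requests: "paypal.com\0.illegal.com".
 * sizeof() counts the literal's terminating NUL, so subtract one. */
static const unsigned char EVIL_CN[] = "paypal.com\0.illegal.com";
static const cn_t evil_cn = { EVIL_CN, sizeof(EVIL_CN) - 1 };

/* Toy CA validation (constructed): the CA only checks that the requested
 * name ends in ".<domain the requester proved ownership of>". It reads from
 * the right, so the NUL in the middle never matters to it. */
bool ca_owner_check(cn_t cn, const char *owner_domain)
{
    size_t dlen = strlen(owner_domain);
    if (cn.len < dlen + 1)
        return false;
    return cn.bytes[cn.len - dlen - 1] == '.' &&
           memcmp(cn.bytes + cn.len - dlen, owner_domain, dlen) == 0;
}

/* Vulnerable browser check: the CN is handed to strcmp() as a C string, so
 * the comparison stops at the first NUL and only ever sees "paypal.com". */
bool hostname_matches_vulnerable(cn_t cn, const char *host)
{
    return strcmp((const char *)cn.bytes, host) == 0;
}

/* Hardened check: honour the declared length. No legitimate hostname
 * contains a NUL, so a CN with one anywhere is rejected outright. */
bool hostname_matches_fixed(cn_t cn, const char *host)
{
    if (memchr(cn.bytes, '\0', cn.len) != NULL)
        return false;
    size_t hlen = strlen(host);
    return cn.len == hlen && memcmp(cn.bytes, host, hlen) == 0;
}

int main(void)
{
    printf("CA check, requester owns illegal.com : %s\n",
           ca_owner_check(evil_cn, "illegal.com") ? "issued" : "refused");
    printf("vulnerable browser, host paypal.com  : %s\n",
           hostname_matches_vulnerable(evil_cn, "paypal.com") ? "MATCH" : "no match");
    printf("fixed browser, host paypal.com       : %s\n",
           hostname_matches_fixed(evil_cn, "paypal.com") ? "MATCH" : "no match");
    return 0;
}
```

Running it shows the three views side by side: the toy CA issues the certificate because the name ends in illegal.com, the strcmp()-based check accepts it for paypal.com, and the length-aware check refuses it. The same length-aware rule is what a hostname matcher needs wherever the name comes from a length-prefixed encoding rather than a NUL-terminated string.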

cf. Vulnerabilities Allow Attacker to Impersonate Any Website

Thanks, polonus. To be honest, I didn’t know the part about FF3.5.

Luckily I use FF3.5 ;D

Judging from the fact that you describe it as “lucky”, I take it that you didn’t know it either. I guess that we tend to expect fixes/patches first rather than improvements when it comes to version updates. :P

Thanks, polonus.

I also was not aware of Firefox 3.5.