As the name implies, this evolving technology is a method to get “Real
Simple Syndication.” Web pages can update their contents, and their RSS subscribers will get
the updates as soon as they are published by means of an RSS feed client, which frequently polls for
new content. The easy way to take advantage of the popularity of this rising technology is to
hijack existing configured feed clients so that they automatically download new copies of worms and
other threats to the infected computers. This is accomplished by pointing the already-configured
client to different, malicious Web content. The worm would check whether the system
has any automatic feed download configured. If it does, it would just add a feed or change an existing
one to point to the malicious Web site. This kind of attack would have two direct outcomes:
1. It would serve as a passive download point, starting connections from a legitimate point.
Since the source of the connection is already “allowed,” it would bypass personal
firewalls and other barriers.
2. The download would still be working even if the worm is detected/deleted. To get rid of
this properly, there should be a cleaning tool that deletes the configuration in the feed
client.

As a mitigating factor, there is no standard in the current use of these programs, so an attack
would have to target specific software. This form of attack is not highly dangerous right now.
However, all this may change when the new Internet Explorer 7 is finally released. Microsoft is
already announcing that the new version of the popular browser will have built-in support for RSS
feeds. This will open some interesting possibilities for worm creators.

To fight this, companies should deploy, if they haven’t already, a method to scan HTTP traffic, as
this will likely be a very popular method of spreading near-future malware.
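
The cleaning step from outcome 2, as an added example that is not part of the original post: it compares a feed client's subscription list against a known-good baseline, reports feeds that were added or changed, and restores the list. It assumes the client can export and import its subscriptions as OPML and that a baseline export was saved earlier; the feed titles and URLs are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample data: a saved known-good export and the current export.
BASELINE_OPML = """<opml version="2.0"><head><title>subs</title></head><body>
<outline text="Vendor advisories" type="rss" xmlUrl="https://advisories.example.com/feed.xml"/>
<outline text="Team blog" type="rss" xmlUrl="https://blog.example.org/rss"/>
</body></opml>"""

CURRENT_OPML = """<opml version="2.0"><head><title>subs</title></head><body>
<outline text="Vendor advisories" type="rss" xmlUrl="https://advisories.example.com/feed.xml"/>
<outline text="Team blog" type="rss" xmlUrl="http://feeds.example.net/rss"/>
<outline text="Updates" type="rss" xmlUrl="http://feeds.example.net/new.xml"/>
</body></opml>"""


def subscriptions(opml_text):
    """Return {title: feed URL} for every outline that carries an xmlUrl."""
    root = ET.fromstring(opml_text)
    return {o.get("text", ""): o.get("xmlUrl")
            for o in root.iter("outline") if o.get("xmlUrl")}


def audit(baseline_text, current_text):
    """List (kind, title, url) for feeds added or re-pointed since the baseline."""
    base = subscriptions(baseline_text)
    findings = []
    for title, url in subscriptions(current_text).items():
        if title not in base:
            findings.append(("added", title, url))
        elif base[title] != url:
            findings.append(("changed", title, url))
    return findings


def clean(baseline_text, current_text):
    """Return OPML with added feeds removed and changed feeds restored."""
    base = subscriptions(baseline_text)
    root = ET.fromstring(current_text)
    for parent in list(root.iter()):        # snapshot: the tree is edited below
        for o in list(parent):
            if o.tag != "outline" or not o.get("xmlUrl"):
                continue
            title = o.get("text", "")
            if title in base:
                o.set("xmlUrl", base[title])  # undo a re-pointed feed
            else:
                parent.remove(o)              # drop a feed absent from baseline
    return ET.tostring(root, encoding="unicode")
```

Feeds are matched by title, so a subscription the user renamed on purpose shows up as "added" and should be reviewed before `clean` is applied.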