Please note that the fake links don't work because the IP addresses of my host have changed, but the point is still clear.
A common thread that persists in almost all hoax computer virus alert e-mails is the impression of references from an authoritative site. We've all seen them. "Microsoft and McAfee" announced the alert, it's "THE MOST DESTRUCTIVE OF ALL TIMES!!!!", and "THEY STILL HAVE NOT DEVELOPED A VACCINE!!!!" Naturally, it urges you to "PLEASE, DISTRIBUTE TO THE LARGEST NUMBER OF PEOPLE!!!!". You know the kind. Check out how to spot these messages. Lately, many of these messages will have links to CNN.com and others, but not to a specific article, giving the impression of validity even though there is nothing on the other side of the link that has anything to do with the claim.
Now think about what would happen if one of those e-mails went around with their usual ferocity and speed, but contained a link to an authoritative site (like, say, Symantec) confirming everything in the e-mail. What if that link was faked? What if the link pointed to an actual virus, disguised as a fix for the same virus?
While cruising around the security sites I popped into Counterpane to check out this month's Crypto-Gram newsletter. Going down the articles and opinion pieces, I came across a brief article about a very clever attack to fool someone into believing that the URL they were clicking on was actually another (usually trusted) site. I began to think of possible applications for this and came up with some very interesting and very scary possibilities.
Basically the attack involves a person clicking on a link they think goes to a known site (Microsoft.com, ABCNEWS.com, or some other well-known site), but the victim is actually being directed to a completely different site; the URL, however, looks real. For example, go to http://www.microsoft.com&+stuff+it=cgi-bin=AND%46stuff@64.29.16.121/~renderman/urlstuff.html to see "Microsoft's mirror" of my site. Note the lack of a trailing '/' after the .com. This is how it works.
A little-known and little-used feature of HTTP URLs is that they can carry a username and password to pass to the server, in the form 'http://Username:Password@www.somesite.com'. The attack works if the site to be faked allows anonymous access (like about 98% of the web): everything before the '@' symbol is treated as a username and is ignored (since a username is irrelevant to an anonymous site). When determining the server, only the part after the '@' is looked at, but the whole thing is still carried along in the client's browser. As a result, the URL looks almost legitimate, but if you look at the section after the '@', you can see the IP of the real server. Most people would look at that URL and believe it to be a real microsoft.com address. Because of all the active scripting and CGI stuff that most sites use nowadays to move you around, you can't pick through a 1000-character URL to see if it's legitimate. In addition, a few other tricks can make the IP disappear and completely hide the fact that it's going elsewhere. Converting the IP to longhand integer notation yields 1075646585 for the IP of Ultraaccess.net (the folks who very courteously host AntiAV), so I could make a link such as http://www.microsoft.com+default+asp@1075646585/~renderman/urlstuff.html and it looks (except for the renderman near the end) very legitimate, enough at least to trick a user into following it. If I were not on a virtual domain, the ~renderman wouldn't be there.
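The following is an added example, written for this page and not code from the original post, showing how a mail gateway or a curious admin can surface what such a link really does: it pulls the host the browser will actually connect to out from behind the '@', expands a host written as a decimal integer back to a dotted quad, and reports the domain name a casual reader would take for the destination. The function names, the regular expressions, and the sample hoax message are all constructed here; the two obfuscated URLs are the ones quoted above.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Domain-looking prefix of the userinfo part: what a casual reader takes for
# the host name in "http://www.microsoft.com+stuff@64.29.16.121/".
DOMAIN_PREFIX = re.compile(r"([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)
# Crude URL finder for scanning a message body (constructed for this example).
URL_IN_TEXT = re.compile(r"https?://[^\s<>\"']+")


def real_host(url):
    """Host the browser will actually connect to, as a lowercase name or a
    dotted quad; a host written as a decimal integer (e.g. 1075646585) is
    expanded back to dotted-quad form."""
    host = urlsplit(url).hostname or ""   # urlsplit drops everything before '@'
    if host.isdigit() and int(host) <= 0xFFFFFFFF:
        return str(ipaddress.IPv4Address(int(host)))
    return host


def apparent_host(url):
    """Domain name that appears at the start of the userinfo (before '@'),
    or None when the URL carries no userinfo at all."""
    userinfo = urlsplit(url).username
    if userinfo is None:
        return None
    m = DOMAIN_PREFIX.match(userinfo)
    return m.group(1).lower() if m else None


def classify(url):
    """Return (real_host, reasons); an empty reasons list means nothing odd."""
    parts = urlsplit(url)
    real = real_host(url)
    reasons = []
    if parts.username is not None:
        apparent = apparent_host(url)
        if apparent and apparent != real:
            reasons.append("userinfo reads as %s but request goes to %s" % (apparent, real))
        else:
            reasons.append("URL carries userinfo before '@'")
    raw = parts.hostname or ""
    if raw.isdigit():
        reasons.append("host written as decimal integer %s (= %s)" % (raw, real))
    return real, reasons


def scan_message(text):
    """Find every http(s) URL in a message body and return the flagged ones
    as (url, real_host, reasons) tuples."""
    flagged = []
    for url in URL_IN_TEXT.findall(text):
        real, reasons = classify(url)
        if reasons:
            flagged.append((url, real, reasons))
    return flagged


# Constructed sample hoax message (not a real e-mail): a plain CNN link for
# contrast plus the two obfuscated URLs quoted in the article.
SAMPLE_MESSAGE = """VIRUS ALERT - PLEASE DISTRIBUTE TO THE LARGEST NUMBER OF PEOPLE!!!!
Read the story at http://www.cnn.com/
Get the fix from http://www.microsoft.com&+stuff+it=cgi-bin=AND%46stuff@64.29.16.121/~renderman/urlstuff.html
Mirror: http://www.microsoft.com+default+asp@1075646585/~renderman/urlstuff.html
"""

if __name__ == "__main__":
    for url, real, reasons in scan_message(SAMPLE_MESSAGE):
        print(url)
        print("  really goes to:", real)
        for reason in reasons:
            print("  -", reason)
```

Run as a script it prints both microsoft.com lookalikes with their true destination of 64.29.16.121 and leaves the plain CNN link alone. Python's urlsplit already applies the rule described above (rightmost '@' in the authority separates userinfo from host), which is exactly what a browser does; a filter that instead regex-matches "microsoft.com" anywhere in the link text is what the trick defeats. Only the decimal form is expanded here; hex and octal spellings of the host would need the same treatment.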
If an attacker were to copy any one of the very common virus warning e-mails, such as Good Times, change it a little, and include a link faked in the above manner that, instead of pointing to the real CNN.com, referred to a predetermined forged site made to look like a regular CNN article, they could confirm the hoax and make it even more valid in the eyes of the user. I'd hate to be the admin who has to convince a user that it's not CNN and their computer is not going to eat them. Another scary part is that all links within the same trojan domain carry the faked domain along for the ride, so you could fake a whole section of a site. Try it by using the above link and checking around my site.
The really scary extension of this is if an attacker sent out a 'chicken little' mail about a new killer virus and even helpfully provided a link to a forged Symantec.com address for the 'fix' for the bug. In truth, the users would really be downloading a virus instead and helping to propagate it themselves. How would you know whom to trust?
To the best of my knowledge I cannot think of any way of preventing these faked addresses other than education (if anyone can think of any, please mail me). The ILOVEYOU worm and other viruses showed that people can be tricked into launching things on their system. Is this the next 'soft hack'? Time to start thinking about the possibilities and defenses.
For a very good essay on semantic attacks and their possible popularity, check out the October 2000 Crypto-Gram.
RenderMan
02/27/01