Reflected File Download attack to spread 0-Day Worm Over Any Social Networks

Pierluigi Paganini October 14, 2014

A security expert has defined a new attack technique, dubbed Reflected File Download, that allows an attacker to serve a ‘Zero-Day’ worm without possibility of defense.

The security expert Oren Hafif has invented a new attack technique dubbed Reflected File Download (RFD) that could be used to hack a victim’s computer when the victim tries to log in to a popular and trusted website like Google and Bing.

The Reflected File Download (RFD) technique defined by Hafif, who is a Trustwave SpiderLabs security researcher, allows attackers to serve malware by presenting it as a legitimate link; once downloaded by the victim, it is able to gain complete control of the infected machine.

Hafif has also developed a worm that is able to take advantage of his Reflected File Download (RFD) attack technique.

Let’s analyze the Reflected File Download (RFD) technique in detail:

  • The user accesses a popular website like Google.
  • The user clicks on a link that appears legitimate, but at this point the worm causes a download to begin automatically.
  • This file, if executed on the targeted system, would open a Google Chrome connection to the attacker’s website, bypassing the Same Origin Policy (SOP) protection that should ideally stop bad code passing between tabs.
  • Scripts hosted on the website managed by the attackers could then grab sensitive information from a domain visited by the victim (e.g. emails from Gmail, banking details from the victim’s bank website) and send it back to the attacker’s own server.

The technique defined by Hafif is able to evade detection: the malware doesn’t trigger any system warnings, so the victim will have no perception of an ongoing attack. The researcher explained that current security measures like antivirus software and firewalls cannot prevent the infection.

Hafif provided a proof of concept to Google showing how a bad actor could send a link from the trusted domain that would download an exploit file called “ChromeSetup.bat”. As explained before, if the victim executes the file, it would open a Google Chrome connection to the attacker’s website, bypassing the Same Origin Policy protection used to prevent malicious code passing between websites and tabs. Once the file has been executed, the scripts from the attacker’s website could then steal sensitive information from that domain and send it to the attacker’s website.
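For defenders, the point of the “ChromeSetup.bat” proof of concept is that the saved file's name came from a link to a trusted domain. The following is an added example, not code from the article or from Hafif: it audits a response for the server-side hardening commonly recommended against RFD (a fixed `Content-Disposition` filename and `X-Content-Type-Options: nosniff`), which this article does not cover. The `trusted.example` URL, the sample headers and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Extensions a Windows shell runs on double-click (constructed list, not exhaustive).
RISKY_EXT = {".bat", ".cmd", ".com", ".exe", ".vbs", ".ps1"}
FILENAME_RE = re.compile(r'filename\s*=\s*"?([^";]+)', re.I)

def download_name(url, headers):
    """Return (name, pinned): the name a saved response would get, and whether
    the server fixed it via Content-Disposition instead of leaving it to the URL."""
    h = {k.lower(): v for k, v in headers.items()}
    m = FILENAME_RE.search(h.get("content-disposition", ""))
    if m:
        return m.group(1).strip(), True
    # No filename in the header: the name falls back to the last URL path segment.
    return unquote(urlsplit(url).path.rsplit("/", 1)[-1]), False

def audit_response(url, headers):
    """List RFD-relevant weaknesses for one response (empty list = hardened)."""
    h = {k.lower(): v for k, v in headers.items()}
    name, pinned = download_name(url, headers)
    findings = []
    if not pinned:
        findings.append("no-fixed-filename")
    ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
    if ext in RISKY_EXT:
        findings.append("executable-name:" + name)
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing-nosniff")
    return findings

# Constructed samples: the same endpoint before and after hardening.
URL = "https://trusted.example/api/suggest/ChromeSetup.bat"
WEAK = {"Content-Type": "application/json"}
HARDENED = {
    "Content-Type": "application/json",
    "Content-Disposition": 'attachment; filename="f.txt"',
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    print("weak:    ", audit_response(URL, WEAK))
    print("hardened:", audit_response(URL, HARDENED))
```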

Oren Hafif will demonstrate the Reflected File Download (RFD) technique at the next Black Hat Europe conference in Amsterdam, Netherlands. Hafif will demonstrate how he created a worm that could exploit the Reflected File Download (RFD) attack across the most important social networks.

“Hafif will show how he created code for a worm that could easily spread malicious links containing RFD attack code across the world’s biggest social networks. Anyone who clicked the links he created risked handing over their cookies, though real criminals could craft attacks that would do much worse. They could take over reams of machines. Hafif believes it’s the first cross-social-network worm ever created.” states a blog post on Forbes.

Fortunately, at the time I’m writing there is no news of the Reflected File Download technique being exploited in attacks worldwide; in any case, a similar method adopted in the wild would have devastating effects.

Pierluigi Paganini

(Security Affairs – Reflected File Download (RFD) technique, hacking)
