Latest threat: Wikipedia attack
November 16, 2006
A recent attack on the German Wikipedia site is evidence of a growing trend that targets Web 2.0 applications, sites and services, which allow content to flow both to and from a community of users. Web 2.0 applications include blogs, podcasts, and folksonomies (information retrieval methodologies that develop in Internet-mediated social environments, such as Flickr and Del.icio.us).
The attack on the German version of Wikipedia ironically used the encyclopedia entry for the Blaster worm, which was modified to include download links for a fake patch. Users who followed the links and ran the "patch" were hit with a trojan instead.
"Web 2.0 is a popular term for applications, sites and services that are collaborative or even bi-directional, and includes sites such as Wikipedia, MySpace, eBay, YouTube, and others," explained David Perry, global director of education at Trend Micro. "Unlike the World Wide Web, which is more or less a hypertext-linked set of documents, and is a very one-way or top-down architecture, Web 2.0 allows the content to flow both to and from a community of users. If it makes everyone a producer of information in open trade, then it's a Web 2.0 sort of thing. This has worked in a very big way, but there's a dark side."
While the official Wikipedia pages and archives were cleaned immediately after the attack, the attacker subsequently distributed an email purporting to come from official Wikipedia email addresses. Its links led to a Wikipedia look-alike page at "wikipedia-download.org", which is actually hosted on a server named "h4serv.webhostingoutsourcing.com". The rogue domain has nothing to do with the real Wikipedia, but it was registered with the same registration details as the real wikipedia.org domain, with one telling difference: the real Wikipedia domain is registered in St. Petersburg, Florida, whereas the IP address of the fake site is located in St. Petersburg, Russia.
The rogue site page has several download links for patches, all of which download the same file. The download (identified as Trojan-Dropper.Win32.Small.atq) actually installs the genuine patch from Microsoft, so the victim sees a normal-looking update, and then drops a trojan.
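The lure in this attack depended on a link whose host merely contained the word "wikipedia", and on a message that looked as if it came from the real site. The checker below is an added example, not code from the original article or from Trend Micro: it extracts the URLs from a message body and classifies each host against a small allowlist of domains a genuine Wikipedia mailing could link to. The allowlist, the sample message and every URL in it are constructed for the example (the rogue host is written as "wikipedia-download.org" because the article names it, everything else uses example hostnames). The match is anchored on the label boundary, so "de.wikipedia.org" passes while "wikipedia-download.org", "wikipedia.org.example.net" and a URL that hides the real host behind a "wikipedia.org@" user-info prefix do not.

```python
import re
from urllib.parse import urlparse

# Domains a genuine Wikipedia mailing would link to. This allowlist is an
# assumption made for the example; adjust it to the sender you are checking.
TRUSTED_DOMAINS = {"wikipedia.org", "wikimedia.org"}

# Any scheme://... token; non-http schemes are rejected later, not skipped.
URL_RE = re.compile(r"[a-z][a-z0-9+.-]*://[^\s\"'<>]+", re.IGNORECASE)


def registrable_match(host, domain):
    """True if host is exactly domain or a subdomain of it.

    The comparison is anchored on the dot, so 'wikipedia-download.org' and
    'wikipedia.org.example.net' do not match 'wikipedia.org'.
    """
    return host == domain or host.endswith("." + domain)


def link_verdict(url, trusted=TRUSTED_DOMAINS):
    """Classify one URL as 'trusted', 'lookalike' or 'untrusted'."""
    parsed = urlparse(url)
    # .hostname drops any user:pass@ prefix and lowercases; strip a trailing dot.
    host = (parsed.hostname or "").lower().rstrip(".")
    if parsed.scheme.lower() not in ("http", "https") or not host:
        return "untrusted"
    if any(registrable_match(host, d) for d in trusted):
        return "trusted"
    # A host that only contains a trusted brand name is the pattern used by
    # the rogue domain described above; flag it separately for triage.
    if any(d.split(".")[0] in host for d in trusted):
        return "lookalike"
    return "untrusted"


def scan_message(text, trusted=TRUSTED_DOMAINS):
    """Map every URL found in a message body to its verdict."""
    return {url: link_verdict(url, trusted) for url in URL_RE.findall(text)}


# Constructed sample in the style of the rogue mailing; the URLs are
# illustrative and were not captured from the real attack.
SAMPLE_MAIL = """\
Security notice: download the Blaster patch now
http://de.wikipedia.org/wiki/Blaster_(Computerwurm)
http://wikipedia-download.org/patch.exe
http://wikipedia.org.example.net/patch.exe
http://wikipedia.org@h4serv.example.com/patch.exe
ftp://wikipedia.org/patch.exe
"""

if __name__ == "__main__":
    for url, verdict in scan_message(SAMPLE_MAIL).items():
        print(f"{verdict:10s} {url}")
```

The "lookalike" verdict is a heuristic for analyst triage, not a security boundary: the allowlist check alone decides what is trusted, and anything that fails it, lookalike or not, should be treated as untrusted by automated handling.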
"Web 2.0 empowers ordinary users to add content to web-based applications, content like text, URL links, videos, audios, and even executable code," said Perry. "We have spent the last decade learning that, given the right circumstances, all of these things can be corrupted to distribute, install, and interact with malware. With services guaranteeing users a private download environment and shared content, and the limitless potential for illicit profit, Web 2.0 hacks can only increase from here on."